Just one more hour behind the hot grill flipping burgers, and Derek* could call it a day. Under his musty hat, his hair was matted down with sweat, and his work uniform was spattered with grease. He knew he’d smell the processed meat and smoke for the next three days, even after he’d showered. But it was money, he supposed.
“Derek!” His manager slapped him on the shoulder. “A little bird told me you were good with computers. I’ve got a job for you, if you’ll take it.”
The next day, with routers and cables bought and paid for by his manager, Derek networked his boss’ entire home. After one hour of work, he was handed a crisp $100 bill. Derek made a quick calculation: He’d have to put in three full shifts at the burger joint to take home the equivalent.
Unfortunately, not all of Derek’s clients had his manager’s money. Like him, his classmates came from a modest middle-class background, and they often couldn’t afford the latest video games, DVDs, and albums. But Derek had something not even his boss had: the ability to hack.
Mostly, his classmates looked for video game hacks, like unlimited life, or access to boatloads of free music. Sometimes they needed expensive cables to set up LAN parties, and Derek could McGyver a cat-5 so that his friends only had to pay him $10, instead of the $50 they cost at Best Buy.
Sometimes, Derek took on work that was a little more dangerous or challenging―like scamming other scammers to get onto their networks and drop malware or redirecting browser traffic to personal eBay storefronts―and he proved himself adept at this type of problem solving. Everyone knew Derek was the man to go to for these things―and he liked that. What’s not to like? Money, popularity, and a quiet “screw you” to the man.He was proud of his ability to hack into and modify programs built by professionals.
“There was ego involved, of course. It was like, ‘Ha! Look what I did that I wasn’t supposed to be able to do,’” said Derek, who today works as an engineer at a security company, but sometimes still participates in less-than-legal activities online. “Some 13-year-old kid just beat a 30-year-old programmer.”Derek’s hacking hobby soon became more than a pastime. The stars had aligned for him to step into the world of cybercrime.
What makes a cybercriminal?Some of Derek’s actions might sound familiar to those who tapped into the early, Wild West-esque days of the Internet. Pirating and counterfeiting music, video games, and DVDs was par for the course in the mid and late 1990’s, until the Napster lawsuit and subsequent shutdown opened the nation’s collective eyes to the fact that these actions were, in fact, unlawful.
Today, we know better. Those who can game the system are called hackers , and the term is often used interchangeably with cybercriminals. However, hackers are merely people who know how to use computers to gain access to systems or data. Many hackers do so with altruistic purpose, and they are called white hats.
White hats are considered the good guys. They’re experts in compromising computer systems, and they use their skills to help protect users and networks from a criminal breach. White hats often work as security researchers, network admins, or malware analysts, creating systems to capture and analyze malware, testing programs for vulnerabilities, and identifying weaknesses in companies’ infrastructures that could be exploited and/or infected. Their work is legal, sanctioned, and compensated (sometimes handsomely). But sometimes, even white hats can find themselves in compromising positions.
Good guys (and girl): The Malwarebytes intel team
Jared* got his start in IT as a technician, working at a mom-and-pop shop that he had frequented often when putting together his own machine. “I was a computer hobbyist,” he said. “I bought and built my first one, and I kept going to the same store for parts. Eventually, I ended up working there.”
Jared built up his skills working in the shop, eventually moving up to enterprise work at a larger chain store. It was there that he was introduced to a software developer that was making an anti-malware product designed to rip spyware out of people’s machines. He was hired on to add definitions (the code that helps antivirus programs detect malicious software).
But soon, Jared started to sense that something was off. Despite the fact that the company owners kept departments siloed―the user interface (UI) people didn’t know what the product development people were doing, and none of them knew what the marketing people were up to―Jared started asking uncomfortable, ethical questions in meetings that made him rather unpopular.
“I had the horse blinders on. I knew that there was stuff taking place that I was not comfortable with, and I chose to ignore it because it wasn’t the product I was working on,” he said. “But, that mental gymnastics got harder and harder and harder, until I finally realized that some aspects of the company I was working for were super scummy.”What Jared came to realize after moving into a Q/A position was that he was, in fact, working for a potentially unwanted program (PUP) maker―a product created mostly to rip people off. He might not have been trying to participate in cybercrime, but he was complicit.
Despite trying to fight the corruption from the inside, Jared was stuck. He needed this job to stay financially afloat. Finally, after six years at the company, he was actively looking for a new job in IT when he was approached by a legitimate security company―and that’s where he is today. His bosses at the PUP maker, however, knew exactly what they were doing. And that’s why they’re considered black hats.
Black hats are the bad guys; the cybercriminals. They use a similar skill set as white hats, but their intentions are not to protect systems. Instead, they look to cause damage to their targets, whether that’s stealing personal data for monetary gain or coordinating attacks on businesses for revenge. Black hats’ criminal activity ranges from targeting individuals for state-sponsored espionage to widespread corporate breaches, and their efforts may be conducted from outside an organization or embedded within as an insider threat.
But the world is not black and white. A third set of hackers exists between opposite ends of the moral spectrum, and they are known as gray hats. They may not be trying to cause intentional harm, but they’re often operating outside the law. Gray hats might identify as cybervandals or rogue researchers, publicly announcing vulnerabilities to bring attention to a problem. For example, a gray hat could compromise a system without an organization’s permission, but then inform the organization after the fact in order to help them fix the problem. You might consider Jared a gray hat during his tenure at the PUP maker, even though he entered and left the establishment with the best of intentions.
What sets a cybercriminal apart from a security researcher, then, comes down to motive. Ethical hackers look to improve the security of software programs to protect users and their online experiences, whereas cybercriminals seek to undermine the integrity of those systems and programs for their own gain. It’s why people hack that shapes the nature of their being.
Putting together the profileWithout knowing the identity of cybercriminals (as most do a good job of covering their tracks), criminal profiling becomes a useful tool to begin drawing more accurate pictures of the people behind the proverbial hoodies.
Criminal profiling is a psychological assessment that includes persona