Cyber criminals today are more likely to be 11-year-old boys or corporate drones than the stereotypical faceless figures wearing hoodies, delegates heard at the opening of the ITWeb SecuritySummit 2023 in Sandton today.
Mark T Hofmann, international crime and intelligence analyst, or ‘profiler’, outlined the psychology of cyber security, highlighting the human factor in vulnerabilities and the motivation behind cyber crime.
Hofmann, whose work entails engaging with cyber criminals on the Dark Web and cyber crime forums to understand criminal motivation and methods, said: “Over 90% of attackers are male, and around 80% are under the age of 30.
“They typically begin as young as 10 or 11 years of age. As kids, they are intelligent and skilled at IT. They learn how to hack on YouTube and the Dark Web, and they do it simply because they want to be meaningful and respected. Few people take an 11-year-old seriously, but if they hack you, suddenly you’re listening.”
Hofmann said older hackers are typically intelligent, well-educated and often do not need the money. “There are elements of thrill-seeking, and taking on the challenge to beat the system. In many cases, they do it because they can.”
Organised cyber crime operates more professionally than many businesses, he noted. “They have customer service desks, quality assurance and marketing teams. If you’re hacked, a customer support team will guide you through the steps of what to do next, how to buy Bitcoin and how to pay the ransom. Cyber criminals are the only criminals in the world with customer support.”
In addition, quality management is important to organised cyber crime. “Trust is very important in their business model, because victims need to be able to trust that if they pay a ransom, they will get their data back. Organised cyber criminals make sure you do get your data back once you’ve paid, because it protects their business model.”
Hofmann also commented on the emergence of marketing in cyber crime, pointing to the statement issued by the perpetrators after the Colonial Pipeline hack in 2022. DarkSide apologised and issued a statement to the effect that it would not attack certain targets. “Now criminals issue press releases explaining their corporate ethics.”
The human weakest link
Hofmann said cyber criminals he had spoken to sought easy targets, and found social engineering to be faster and easier than hacking systems. “Over 90% of attacks are caused by human error,” he warned. “You can have the best, most advanced security door in the world, but it’s only as secure as the person who has the key and the password.”
Hackers feel no regret and some see their social engineering victims as ‘stupid’ and ‘primitive’. “They play on human emotions like a piano. They use illusions within illusions, take advantage of authority symbols, and use time pressure and exceptions to manipulate victims.”
For example, attackers might call an employee mid-morning, and ask if they had opened an attachment recently – knowing this would be likely. They might then claim to be from the IT department, saying the attachment was a virus, and instruct the employee to give them their user name and password urgently, so that they can remediate the attack.
“It often starts with a claim that you have been hacked – so they hack us while explaining that we have been hacked.”
Another successful approach used by attackers is impersonating top executives. “Deepfake technology has become so good that now, you would believe a caller was your own family. Just a few months ago, you needed five to 10 hours of audio and video to make a high-quality Deepfake video. Now, you need just minutes of content. Only one minute of content is enough to make a convincing Deepvoice audio.”
He highlighted a 2020 attack in which a Japanese bank executive’s voice was cloned to instruct an employee to authorise $35 million in transfers.
Bolstering defence
Hofmann said while advanced cyber security technology remains crucial, it is equally important to address human error. Best practice security, complex passwords and two-factor authentication are a deterrent to some hackers, but caution and awareness must also be a focus.
Awareness programmes have to go beyond just phishing awareness, to include training on the risks of careless acts like leaving important documents on printers, or leaving a laptop unlocked when going to get coffee.
“Cyber security responsibility has to start with management, and employees must be made aware of the risks, and when to be suspicious.
“Any organisation that thinks it is not big enough or important enough to be attacked is naïve.”