Among the mistakes journalists sometimes make when covering cyber-security stories is calling an attack “sophisticated” when it’s anything but. And it tends to irritate security professionals.
There’s no real definition of what a sophisticated attack is, but a more elaborate hacking incident might involve gathering intelligence on a specific, complex network before it could be successfully and subtly exploited.
Attacks like that do happen. But more often than not, the hackers and cyber-criminals hitting the headlines aren’t doing anything magical. In fact, they’re often just wily opportunists – like all criminals.
The head of Europol says that the growth of cyber-crime is “relentless”. The agency has identified a range of increasingly common methods used by 21st Century offenders – and these are not sophisticated. These include digital payment attacks, ransomware, selling illicit material on the dark web and stealing people’s personal data to commit fraud or identity theft.
Much of the time, established criminals seek to enlist the services of unethical hackers and younger “script kiddies”, who use programs developed by others to infiltrate computer systems.
“The organised crime gangs are saying, ‘Show us how good you are’, and drawing them into the dark side,” says Alan Woodward at the University of Surrey, who is an adviser to Europol.
“They don’t have the technical capability [themselves], they’re switching from drug trafficking and all the rest of it to cyber-crime because basically there’s a much better return on it.”
The ways in which young people become involved in this sort of activity were recently detailed in a report by the UK’s National Crime Agency (NCA). The average age of those arrested for malicious hacking activities was just 17 – the offences included vandalising websites, stealing data and breaking into private computers.
Because our world is so much more connected than ever before, and those connections are often woefully insecure, it’s relatively easy to find ways of exploiting computer systems illegally. And ransomware in general is increasingly successful. In 2016, criminals made an average of $1,077 with every attack. For the BBC’s Cyber-hacks series, Click’s Spencer Kelly discovered how cyber-criminals can acquire off-the-shelf ransomware using only a search engine.
As Woodward points out, the easiest thing to do is “just cast it out there” – whether it’s ransomware, spyware or spam – and see what comes back. Many people are surprised by the amount of spam they receive, especially because so many of the scams are so obviously illegitimate. But the reason you still get emails from a Nigerian prince offering cash out of the blue is that people continue to fall for such stories. Not huge numbers, but a few. And that’s all it takes to make a profit.
And when cyber-criminals employ social engineering techniques, they tend to be pretty cheap and dirty. They might try to get us to click on a dangerous link by associating it with something likely to attract our attention, for example. After Osama Bin Laden’s death in 2011, for instance, links on Facebook directing readers to a video of the terrorist leader’s execution were found to be booby-traps. They actually led to malicious code.
What all of this paints, though, is not the oft-imagined image of a shadowy hacker with pseudo-magical powers. Instead, a lot of this activity is carried out by people with a few technical skills but who are ultimately quite lazy. Representations of hackers in popular culture – figures who flip open a laptop and break into the Pentagon – haven’t helped.
Thankfully, the old adage about the long arm of the law remains relevant – many cyber-criminals are failing to get away scot-free. In the UK, successful convictions for computer-related crimes are on the rise. There were 45 in 2014, but 61 in 2015.
Are there frighteningly powerful hackers out there? I’m sure there are a few – and they most likely work for governments. As for criminals, the goal is always the same. That same lure – a quick buck – is what pulls them in online, just like it used to in the offline world.
“Criminals are lazy as well as clever,” says Woodward. “That’s why they don’t walk into banks with shotguns anymore. It’s easier to go and steal stuff online.”