Automated tools fuel rise in less savvy hackers. How much do they really profit?
The New York Times managed to track down and interview a China-based hacker, offering a glimpse into what it says is a thriving hacking community there. The headline says “Hacking for Fun and Profit in China’s Underworld.” But there’s no real evidence of profit.
David Barboza’s description of the hacker, who goes by the name Majia, lives up to the old-school hacker stereotype: He’s young. He seems to be in it for the fame and he lives in a dingy apartment. He has a government job by day and at night spends long hours checking the statistics on his automated tools and time seeking out website vulnerabilities to crack into business websites in China and other countries to steal sensitive data or to install a malicious script to expand the scope of his automated attack tool’s reach. He claims to be making a lot of money. But then Barboza tells us this:
Majia lives with his parents, and his bedroom has little more than a desktop computer, a high-speed Internet connection and a large closet. The walls are bare.
Barboza found a very active community of hackers, willing to share and trade information. But the hacker Majia admits that today most hackers aren’t very skilled at all. We’ve been reporting on SearchSecurity about the rising level of automated attack tools making it relatively easy for non-technical people to become cybercriminals.
Last summer new research emerged painting a picture of the economics driving many underground black hat hacker communities. Security researchers Cormac Herley and Dinei Florencio found that there are far too many people attempting to make money phishing for passwords, account numbers and other sensitive data. While the picture isn’t exactly crystal clear and their work centered around automated phishing tools, it appears that a majority of the money being made in cybercriminal activity are by a handful of individuals. It’s like a pyramid scheme. The most skilled hackers are at the top. They create and sell (also rent) the automated tools to the minions below them. Those in the lower levels of the pyramid are often exposed to data stealing malware themselves. There’s a lot of infighting. There’s a lot of grandstanding. Most hackers need to prove themselves as legitimate.
“Some people probably try it for a while, don’t make much, and then wander off to try something else,” Herley told me at the time. “Breathless stories about ‘easy money’ probably ensures enough new entrants to keep the phenomenon going.”
More research needs to be done to get a clearer picture. Security researchers Billy Rios and Nitesh Dhanjani, who infiltrated the underground phishing market in 2008, agreed with the main points of Herley and Florencio’s assessment: The total annual losses associated with phishing at $61 million. Much less than the $3.2 billion estimated by Gartner Inc.
Unless he’s investing his earnings in a retirement fund, the hacker Majia is far from the top of the hacking pyramid. That’s why he’s living with his parents in a dingy apartment in one of China’s poorest neighborhoods.