That Was Then, This Is Now

A Concise Look Back on the Hacker Subculture

There is no argument that since the Internet’s widespread commercialization roughly twenty years ago, it has exponentially improved, automated and streamlined much of our lifestyle with every passing year. The advantages of living in a wired (or, wireless) world are apparent, but not without risks: the media is rife with speculation on hackers and every week a new phishing ring is busted or a massive data breach is reported. But who are these much-maligned hackers, and where do they come from?

The Hacker Profiling Project has successfully identified the generations of the hacker subculture, but we are going to focus here on the tentative links between criminal or “cybercriminal” elements and this world. An understanding of what is unique or overlapping in each generation is crucial to understanding where we are headed, and why criminal elements are going digital.

The first generation of hacking – spanning the 1960s all the way to the 1980s – was very much academic, with students at universities putting together various programs for the new mainframes being installed on campus, as well as making early forays into the telephone system. The ethics of this era focused on shared ownership of data and information, as well as promoting the contribution of all those involved in the hacker culture.

The second “hacker era,” characterizing the early ’80s, was driven by curiosity, and the motivation to hack into external targets often stemmed from the scarcity of technology: the mainframes and the unique operating systems running on them cost vast sums of money, and technology was not yet a common utility: even a PC was beyond reach for many, and dialling into modems halfway across the globe could result in exorbitant monthly phone bills.

The next wave of hacking covers a larger timeframe – from 1985 until the mid to late ’90s – and was a very active period, especially with the commoditization of the Internet in the latter half. This was an extremely prolific period for the culture, and many “hacker periodicals,” such as 2600 (1984) and Phrack (1985), began publication in these years. The motives of hackers from this era were as eclectic as their geographical distribution and backgrounds, but even in this period there were very few economically motivated black-hat hackers. Interestingly, the diffusion of “crimeware” and the incidence of fraud both rose as the ’90s progressed, leading us to the next era of hacking.

The current wave of hacking is just as convoluted as the previous, but it is marked by a worrying trend: the monetization of hacking. In the past couple of decades, there has been a shift from hobbyist hacking primarily driven by ego and “the thrill of the chase” to malicious and financially motivated crime conducted over the Internet. One only needs to research the stark contrast between the early hacker crew known as L0pht Heavy Industries (1992-2000) and the recent cases of the Russian Business Network (RBN), Innovative Marketing Ukraine, or the Shadowcrew fraudster forums (2002-2004) to see the devolution of ethics and ideals in the hacker subculture.

The “infiltration” or usurpation of hobbyist hacking by outright criminal elements is a relatively recent phenomenon, but one all too natural given the open nature and naivety of the subculture, as well as the mass adoption of the Internet by key sectors such as finance or the management of PII (Personally Identifiable Information). In fact, some early hackers were prophetic enough to predict a hijacking of their beloved lifestyle by organized crime or loosely affiliated criminal bands.

But when did we reach the threshold or boiling point, which led to the rise in financially motivated attacks launched over the Internet? It is difficult to say exactly when online criminals organized themselves for profit-driven attacks, but we began spotting large-scale attacks against financial institutions and gambling websites just before the turn of the Millennium. Not coincidentally, this is also the same period when so-called “crimeware” became marketable among the cybercriminal underground. These kits are sold to aspiring black-hats to automate and streamline their criminal operations, allowing them to work with corporate-like efficiency.

The purpose of distinguishing between the modes and motives of hackers throughout the years is not to whitewash the second and third waves of hacking mentioned above as purely innocent or without consequence: crimes were in fact being committed, and even as early as 1991 there were cases of individuals peripherally related to the then-booming hacker scene being investigated and arrested for toll fraud or “carding” (using stolen credit card information to purchase items or services). However, even a cursory glance at the literature and archived timelines of those days shows that the majority of the players involved tended to be uniform in their disdain for the outright criminal elements in their midst, such as virus writers and carders.

Today, though, the monetization of hacking is being pursued by small, flexible and tight-knit criminal bands which, despite their size, have a considerable impact on the online ecosystem: an Anti-Phishing Working Group report states that 66% of all phishing attacks in the second half of 2009 were perpetrated by a single group known as “Avalanche.” The only good news one could possibly extrapolate from this statistic is that the skilled criminal groups operating online are perhaps less numerous than previously anticipated, but, as always, there is no lack of “script kiddies” and newcomers to the “underground economy” waiting for their turn at the table.

And where are the black-hat hackers going now? Wherever the money is. It is no secret that since the dawn of civilization criminals have sought out the “low-hanging fruit,” and we have already seen them shift away from targeted server-side attacks on financial institutions or e-commerce sites, towards phishing scams and particularly virulent blended threats targeting end-users and consumers who do not have the luxury of an annual security budget running into the millions of dollars.

We speculate that the prime target will remain the end-user for the near future, with an increase in sophisticated XSS (Cross-Site Scripting) attacks targeting social networking sites and a constant focus on subverting the web browser. An example of this, offering a glimpse of the next generation of phishing attacks, is the devious tabnabbing exploit: it subverts an open, idle and otherwise innocent browser tab, redirecting it to a hostile page of the attacker’s choice once the user’s attention is elsewhere, and fools the user into providing sensitive data on the fraudulent page (e.g. a spoofed Gmail or Facebook page asking for login and password).

As always, there is no technological or legislative “silver bullet” for tackling the increase in cybercrime: the criminals conducting online abuses and frauds have already shown their capacity to defeat IT security measures, and an indifference to the national or international laws aimed at them. As long as their activities remain profitable the miscreants will continue, and as long as technology advances they will keep on adapting.

L0pht Heavy Industries (1992-2000)

L0pht Heavy Industries was the original “hacker think tank.” They initially supported themselves by selling used hardware at local flea markets, offering UNIX shell accounts and archives of files and texts. They eventually created the famous password recovery suite “L0phtCrack,” and they offered their skills as developers of secure code to the corporate sector. The origin of the name, pronounced “loft,” most likely relates to the fact that many members shared a common apartment in Boston. After years of unique contributions to the hacker subculture (and years of barely breaking even), L0pht merged with security firm @stake in 2000, which was subsequently purchased by Symantec in 2004.

Russian Business Network (2006 – ?)

The RBN is, or was, based in Saint Petersburg (Russia) and operated as a host or Internet Service Provider for illicit services such as child pornography, malware distribution, etc. Its 2006-2007 revenue is estimated at $150 million. Its main areas of criminal activity included spam (estimated to have been actively involved with up to 50% of worldwide spam distribution at its height), malware, and phishing scams (estimated to have been behind up to 50% of phishing spam throughout 2007), all the while providing hosting services for other criminal activities, such as the dissemination of child pornography, identity theft, credit card fraud, etc. The RBN is alleged to have dispersed (but not suspended) its activities as of 2008, due to increasing attention from international security vendors, media, and law enforcement.

* Ioan Landry is a UNICRI consultant on cybercrimes