In late July 2020, Digital Shadows had the fantastic opportunity to speak with Geoff White on ShadowTalk, Digital Shadows’ threat intelligence podcast. Geoff is an investigative journalist and the author of Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global, an exciting book covering the evolution and trends of cybercrime as a whole, which was released on 10 Aug 2020.
At the beginning of the episode, Geoff commented on the oddness of the “investigative journalist” title – shouldn’t all journalism involve investigative methods? He also mentioned that he couldn’t leave things alone; he’s slightly obsessive over things and always wants to continue digging into his research.
Well, Geoff, researchers at Digital Shadows couldn’t agree more!
In Crime Dot Com, Geoff reaches back to the hippie-hacking ecosystem in the 1970s in California and pulls the thread to the most recent election rigging incidents in the United States. Since the book covers such an extensive history of cybercrime, it opens the doors to a broader audience, helps connect the dots in the evolution of cybercrime, and underlines trends in the cybercriminal landscape.
Before we dive into the episode, if you’re only here for a quick read, here are the main topics we covered:
- Biases are a slippery slope. Recognizing biases are imperative, and creating systems to gather information, independent of a hypothesis, is instrumental.
- Is attribution really that important? It’s safe to say that attribution does help and does have value, but confidently assigning attribution to an attack is hard.
- Trust makes the cybercriminal world go ‘round. Marketplaces can be vulnerable to attacks, law enforcement can take down the site, and technological problems can disrupt the marketplace’s flow. Trust is weaved into all of this.
- Trust severely impacts our society. Trust is such an integral part of our society, and as soon as you’ve eroded that trust, it can be devastating.
- The digitized society has affected criminal behavior. We have digitized crime without realizing it; criminals follow the money.
- The term “dark web” is often generalized. As cyber-specific topics continue to be commonly addressed, the difference between online criminality and the “dark web” will become more apparent to the general population.
Let’s get to it.
Biases are a slippery slope.
As humans, we make biases. Recognizing biases are imperative, and creating systems to gather information, independent of a hypothesis, is instrumental. As researchers, I think it’s fair to say that we’ve all found ourselves wrapped up by a particular bias throughout our investigation – even if you’re convinced that you’re on the right path, you can be completely wrong. Geoff gave us a fun example of one of his experiences:
When WannaCry crippled several systems worldwide in 2017, Geoff started digging to find out who was responsible. He started tracing BTC transactions to a specific wallet, figured out who owned the wallet, and chased the owner down the street. Turns out, it was the wrong guy.
On the flipside, Geoff has plenty of investigative wins as well – he successfully tracked down the person responsible for the Love Bug virus in the Philippines.
While there are many ways of structuring your thinking to remove or reduce the problems that biases create, James Chappell, Digital Shadows’ Co-Founder and Chief Innovation Officer (CIO), suggests an investigative method coined, “Analysis of Competing Hypotheses.” With this method, you set out as many hypotheses as possible, find the data that supports each theory, and build your conclusion from there. Digital Shadows has published a few blogs that use Analysis of Competing Hypotheses, specifically regarding the Tesco Bank incident in 2016 and WannaCry in 2017.
Is attribution really that important?
It’s essential to speak on the weight that attribution carries throughout our investigations. For example (this is a scary one), your company was breached, and your data was stolen – would you care that it was North Korean nation-state threat actors, or do you care that it was a criminal act and your data is now exposed?
Geoff commented that, as a journalist, he’s massively interested in who is performing these attacks. Yes, there’s an obsession with the how, but learning who did it leads to the why. He added that “if you’re telling a story, you can’t just tell the technical bits of the hack; you want to know about who’s behind it.”
All in all, it’s safe to say that attribution does help and does have value, but confidently assigning attribution to an attack is hard. This brings on the central question of where do you focus your resources? It’s an interesting debate.
Trust makes the cybercriminal world go ‘round.
Throughout our research, we’ve touched on the volatility of criminal marketplaces and forums, and a crucial part of this ecosystem is trust. Marketplaces can be vulnerable to attacks, law enforcement can take down the site, and technological problems can disrupt the marketplace’s flow. Trust is weaved into all of this; buyers wonder, “can I get the drugs, will I get the cards?” while vendors are curious if they’ll get their money. In turn, forums are trying to find ways to boost or build out different levels of trust: One strategy is to increase a forum user’s trust based on the number of posts they have contributed.
Geoff mentioned that the most innovation from these criminal networks come from trust. They’re created, disrupted, then built up again – it’s a constant evolution, and we have so much to learn. He went on to say that we cannot overestimate the impact on trust and trust networks that criminal marketplace takedowns have. Law enforcement can take something down; there’s a ripple of destruction on trust, then another marketplace comes up.
Trust severely impacts our society.
Just as the cybercriminal ecosystem relies on trust, so do we as a society, and the frightening “trust no one” mindset has affected people throughout the globe. Disinformation and fake news are where significant concerns reside. On the one hand, it’s good that people are becoming more critical of where the news is coming from; they identify the manipulation and filter through what’s happening. Geoff described that if people say, “you can’t trust anyone,” or, “you don’t know who to trust these days,” the disinformation campaigns have won. He added that “people are so skeptical these days that they’ve given up on information, and that’s terrifying; we have to fight against that with every fiber of our being.” Trust is such an integral part of our society, and as soon as you’ve eroded that trust, it can be devastating.
James Chappell commented that it takes eons to build trust. He also gave us a fitting example:
“Trust is like air in a balloon. It takes a long time to pump trust into a balloon, and the more full your balloon is, the more likely it is to burst, and the more explosive the collapse may be.”
The digitized society has affected criminal behavior.
As more and more consumers rely on digital services to carry out their daily doings, we have a beneficially digitized society. We also digitized crime without realizing it; the criminals follow the money.
Tracking the rise in cybercrime in conjunction with monitoring the increase of payment cards on the internet has been an exciting study for Geoff; as soon as the money hit the web, the cybercriminals followed.
This conversation introduced an interesting question – is cybercrime a tax on living? The answer to this question can be perceived in many ways; over time, organized cybercrime increased, and it’s inevitable. However, fighting the good fight keeps the “cybercrime tax” on society from growing even more.
The term “dark web” is often generalized.
At Digital Shadows, we define a distinct difference between the clear, deep, and dark web. That’s expected, right? We’re in the information security business. However, as a journalist looking from the outside, distinguishing the dark web from the deep web from online criminality can be challenging.
As James Chappell put it, the usage of “dark web” can be willy nilly. When it comes to Geoff, it’s refreshing to see a journalist speak on the specifics on what online criminality is rather than bounding them around the term “dark web.”
According to Geoff, you’re inevitably going to get journalists that use “dark web” as shorthand, but it’s getting better. There’s a fine line between getting everything right while explaining the details to the general public, which often involves using shorthand.
Over time, cybercriminal topics have become more mainstream – people are getting more interested in this, especially after the US’s election fraud incident. I think it’s fair to say that as cyber-specific topics continue to be commonly addressed, the difference between online criminality and the “dark web” will become more apparent to the general population.
If you’re interested in reading Geoff White’s book, Crime Dot Com is available on Amazon. We thoroughly enjoyed our conversation with Geoff, and if you haven’t listened to the podcast, feel free to check it out here.