Those "in the know" in law enforcement will tell you that criminal profiling is both an art and a science. It's all about generalizations, but knowing what types of people generally commit specific types of criminal offenses can be very helpful in catching and prosecuting the perpetrator of a specific crime. That information can also be useful in protecting your digital assets from cybercriminals.
As I noted in my book, Scene of the Cybercrime, a criminal profile is a psychological assessment made without knowing the identity of the criminal. It includes personality characteristics and can even include physical characteristics. "Fitting the profile" doesn't mean a person committed the crime, but profiling helps narrow the field of suspects and may help exclude some persons from suspicion. Profilers use both statistical data (inductive profiling) and "common sense" testing of hypotheses (deductive profiling) to formulate profiles. Profiling is only one of many tools that can be used in an investigation.
The typical cybercriminal
What does profiling tell us about the "typical" cybercriminal - the person who uses computers and networks to commit crimes? There are always exceptions, but most cybercriminals display some or most of the following characteristics:
- Some measure of technical knowledge (ranging from "script kiddies" who use others' malicious code to very talented hackers).
- Disregard for the law or rationalizations about why particular laws are invalid or should not apply to them.
- High tolerance for risk or need for "thrill factor."
- "Control freak" nature, enjoyment in manipulating or "outsmarting" others.
- A motive for committing the crime - monetary gain, strong emotions, political or religious beliefs, sexual impulses, or even just boredom or the desire for "a little fun."
That still leaves us with a very broad description, but we can use that last characteristic to narrow it down further. This is especially important since motive is generally considered to be an important element in building a criminal case (along with means and opportunity).
Motives for cybercrime
Let's look at some common motivating factors:
- Money: This includes anyone who makes a financial profit from the crime, whether it's a bank employee who uses his computer access to divert funds from someone else's account to his own, an outsider who hacks into a company database to steal identities that he can sell to other criminals, or a professional "hacker for hire" who's paid by one company to steal the trade secrets of another. Almost anyone can be motivated by money - the young, old, male, female, those from all socio-economic classes - so in order to have meaningful data, we have to break this category down further. The white collar criminal tends to be very different from the seasoned scam artist or the professional "digital hit man."
- Emotion: The most destructive cybercriminals often act out of emotion, whether anger/rage, revenge, "love" or despair. This category includes spurned lovers or spouses/ex-spouses (cyber-stalking, terroristic threats, email harassment, unauthorized access), disgruntled or fired employees (defacement of company web sites, denial of service attacks, stealing or destroying company data, exposure of confidential company information), dissatisfied customers, feuding neighbors, students angry about a bad grade, and so forth. This can even be someone who gets mad over a heated discussion on a web board or in a social networking group.
- Sexual impulses: Although related to emotion, this category is slightly different and includes some of the most violent of cybercriminals: serial rapists, sexual sadists (even serial killers) and pedophiles. Child pornographers can fit into this category or they may be merely exploiting the sexual impulses of others for profit, in which case they belong in the "money" category.
- Politics/religion: Closely related to the "emotions" category because people get very emotional about their political and religious beliefs and are willing to commit heinous crimes in the name of those beliefs. This is the most commonly motivator for cyberterrorists, but also motivates many lesser crimes, as well.
- "Just for fun": This motivation applies to teenagers (or even younger) and others who may hack into networks, share copyrighted music/movies, deface web sites and so forth - not out of malicious intent or any financial benefit, but simply "because they can." They may do it to prove their skills to their peers or to themselves, they may simply be curious, or they may see it as a game. Although they don't intentionally do harm, their actions can cost companies money, cause individuals grief and tie up valuable law enforcement resources.
How cybercriminals use the network
Cybercriminals can use computers and networks as a tool of the crime or incidentally to the crime. Many of the crimes committed by cybercriminals could be committed without using computers and networks. For example, terroristic threats could be made over the telephone or via snail mail; embezzlers could steal company money out of the safe; con artists can come to the door and talk elderly individuals out of their savings in person.
Even those crimes that seem unique to the computer age usually have counterparts in the pre-Internet era. Unauthorized access to a computer is technically different but not so different in mindset, motives and intent from unauthorized access to a vehicle, home or business office (a.k.a. burglary) and defacing a company's web site is very similar in many ways to painting graffiti on that company's front door.
Computer networks have done for criminals the same thing they've done for legitimate computers users: they've made the job easier and more convenient.
Some cybercriminals use the Internet to find their victims. This includes scam artists, serial killers and everything in between. Police can often thwart these types of crimes and trap the criminals by setting up sting operations in which they masquerade as the type of victim that appeals to the criminal. We think of this in relation to crimes such as child pornography and pedophilia, but it's the same basic premise as setting up a honeypot on a network to attract the bad guys.
In other cases, criminals use the networks for keeping records related to their crimes (such a drug dealer's or prostitute's list of clients) or they use the technology to communicate with potential customers or their own colleagues-in-crime.
Amazingly, a significant number of criminals use their own corporate laptops or email accounts to do this. This is a situation whereby IT professionals may stumble across evidence of a crime inadvertently - including crimes that are not, themselves, related to computers and networks.
The cybercriminal mindset: white collar crime
All cybercriminals are most definitely not created equal. They can range from the pre-adolescent who downloads illegal songs without really realizing it's a crime to the desperate white collar worker in dire financial straits who downloads company secrets to sell to a competitor to pay her family's medical bills, knowing full well that what she's doing is wrong, to the cold hearted sociopath who uses the network to get whatever he wants, whenever he wants it and believes there's no such thing as right or wrong.
White collar crime is such a large category that some police agencies have entire investigative divisions devoted exclusively to it. White collar criminals often use computers to commit offenses because it's easy to manipulate electronic databases to misappropriate money or other things of value. Some white collar criminals are highly organized and meticulous about details, stealing only limited amounts from any one source and may go on for years or decades without being caught. Others do it on impulse; for instance, they may be angry about a bad evaluation or being passed over for promotion and "strike" back at the company by taking money they believe they deserve.
Signs of a possible white collar criminal include:
- Refusal to take time off from work or let anyone else help with his/her job, lest they uncover what's been going on.
- Attempts to avoid formal audits.
- A lifestyle far above what would be expected on the person's salary with no good explanation for the extra income.
- Large cash transactions.
- Multiple bank accounts in different banks, especially banks in different cities or counties.
There may be other reasons for any of these "symptoms." Some older workers (and in today's unstable banking climate, some younger ones, too) don't trust banks, may be afraid of the collapse of the economic system and thus deal in cash as much as possible. Many folks with legitimate large incomes are afraid to invest in the stock market or other non-insured investments and split their money among different banks to keep it covered by FDIC.
A dilemma for IT personnel is that white collar criminals are often in upper management positions in the company. If you discover evidence that the boss is stealing from the company, blowing the whistle could put your own job in jeopardy.
In a future installment of this column, we'll discuss what you can do if you uncover indications of criminal activity during the course of doing your IT job, who to report it to and how, how to preserve the evidence, and what to expect in the aftermath.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.