Profiling Hackers: The Psychology of Cybercrime

Transcriber: Mariolina Sanfilippo
Reviewer: Eunice Tan

My name is Mark T. Hofmann,
and I’m a crime and intelligence analyst

or what most of you would
most likely call “a criminal profiler.”

If you think of cybercrime,
you may have something like this in mind.

On television, it always makes
these fancy sounds,

(Computer beeps)

and you see the kid with a hoodie
in front of a laptop,

with green text on the screen.

Well, reality is different.

And on television, you never
really get to see the face.

Hackers are always presented
like this or from behind,

but you never really see the face.

Today, I would like to unmask
the face of hackers, so to say.

I would like to talk about
the profiles and motives of hackers.

I would like to talk about
psychological manipulation,

about social engineering techniques
they are using to attack us,

and what we can do
to become a human firewall.

As a profiler,
I am interested in behavior.

I analyze behavior,

and I try to identify the motives
and the psychology behind that behavior.

Because with everything we do,
we show something of who we are;

with every decision we make,
we show something of who we are.

And also, hackers make
a series of decisions:

They are choosing targets,
they are choosing methods,

pretty often they make phone calls,

they write text messages,
they write phishing mails.

And with everything they do,
or fail to do,

they not only leave digital traces
but also traces of their personality.

And very often, the analysis of language
is a key element in profiling hackers.

Let me give you an example
with the word “behavior” itself.

A person from the United States,

an American, would most likely write
the word “behavior” like this,

a person from the UK would more likely
spell the word “behavior” like this,

[BEHAVIOUR]

and an idiot might spell
the word “behavior” like this.

So based on the word someone is using,
based on the analysis of language,

I can try to make a probability statement
about an unknown offender.

Yes, cybercriminals are hard to catch,

but in many cases, they are not
as invisible as they might think.

[BEHAVIAR]

[>90%]

So what can a profiler tell you
about cybercrime?

Well, quite a lot.

More than 90 percent of all cyberattacks
or cybersecurity breaches

are caused by human error.

So humans, people, are the weakest link
in the cybersecurity chain.

Let me be very clear about this:

Cybercrime is not
just a technical problem.

It’s a psychological problem,
it’s a people’s problem,

it’s clearly a management problem.

Computers are the weapons,

but the perpetrators
and also the victims are humans.

Any door is only as secure

as the person who is holding
the key or the passwords.

So you can have the best fancy
high-security door in the world.

If I manipulate you
to give me the key, it’s useless.

You can have the best fancy high-security
firewall system in the world.

If I manipulate you to give me
the passwords, it’s useless.

“Amateurs hack systems,
professionals hack people.”

This is a quote by security expert
Bruce Schneier, and he is damn right.

So what can we say
about the profiles of hackers?

Who are the people behind the attacks?

Well, pretty often,
cybercrime doesn’t look like this.

It looks more like this.

Law enforcement professionals
and intelligence professionals

and security professionals
like to use the term “crime as a service.”

So pretty often, cybercriminals work
in company-like structures.

They have something like a supply chain,

they have something
like quality management,

and sometimes they even have
customer support.

So if you or your company gets attacked,

it may not come from a kid
in front of a laptop, with a hoodie.

It may come from
a call center-like structure

anywhere in the world, like this.

But of course, there are some
individual hackers -

we call them “black hat hackers.”

So the ones with the black hats,
these are of course the bad guys.

According to the current state of science,

what can we say about
the profiles of black hat hackers?

We can say this:

Most of them - some studies say
more than 90 percent - are male.

Around about 80 percent
are under 30 years old.

[Male
Under 30]

The majority of them,
around about 60 percent,

started at a very young age -
between 10 and 15 years old.

They have above average intelligence,
they are pretty often well educated,

and 90 percent do not have
a low socioeconomic status.

So they are young, they are intelligent,
and they are pretty often well educated.

Why the hell do they do what they do?

The main motives in descending order
are money - financial gain -

espionage,

and fun - ideology or simply trolling.

[Motives]

Well, so they do it mostly for money.

If I look at this list of motives,
I’m a little bit skeptical.

Because as we just learned,

they are young, they are intelligent,
they are well educated,

and they do not necessarily come from
difficult or broken home environments.

So if they want to make money,

why don’t they just work for Google
or any other Silicon Valley company?

They could make
a ton of money in a legal way.

So why are they committing crimes?
Why do they make money that way?

Another psychological motive
comes into play

which is called thrill-seeking,

or in psychology
we sometimes like to call this

“challenge to beat the system.”

So they like the feeling
of being cleverer than the FBI.

Never underestimate the role
of ego, challenge and thrill-seeking

in cybercrime,

and I’m not just talking theory.

I met hackers myself,
I did my own research,

and one of my subjects told me this:

“I analyze people.

In the end, human hacking works
the same way that computer hacking works.

You always look for vulnerabilities
and try to exploit them.”

So they are social engineers analyzing us.

They are analyzing
our psychological weak points,

and they try to attack,

they try to exploit
our psychological weak points.

But what are our
psychological weak points?

What are the psychological
manipulation techniques?

What are some of the social
engineering techniques?

I want to show you a little illusion.

For this illusion, I just need a silk,
and I put this silk in my hand.

Then I can show my hand empty,
and the silk magically turns into an egg.

As I can see, you’re not that amazed.

And you’re right, it’s not that clever -

it’s just a plastic egg
with a hole inside it.

But I want to use this to teach you
a lesson about the art of misdirection.

So the fake egg goes in my left pocket,
and the hankie goes in my right pocket.

And then I was fiddling around
with my right pocket,

and I tried to direct
your attention to the silk

while I secretly got out
the fake egg with my other hand.

Then I told you I put the silk in my hand,

but in fact I carefully put the silk
inside the fake egg.

Then, of course, I can show my hand empty,
and then it magically turns into an egg.

Well, not that spectacular,
but as I just told you,

I’m going to teach you a lesson
about the art of misdirection.

Explain this.

(Egg cracks and drops)

As I just told you, this will be a lesson
about the art of misdirection.

Well, what just happened?

I created an illusion inside an illusion.

So basically, I fooled you
while explaining how you have been fooled,

and this way, I totally eliminated
your critical thinking.

In the first round,
you all watched closely,

and you tried to see the secret behind it.

But in the second round, you relaxed.

I told you, “Relax -
now I show you how it’s done,”

and this way, I eliminated
your critical thinking.

Again, I fooled you while explaining
how you have been fooled,

and this is what hackers do all the time.

They hack you while telling you
that you have been hacked,

and this way, they totally eliminate
your critical thinking.

Pretty often, phishing mails
and short messages start like this:

“We have detected some
unusual activity on your account.”

And of course, now you need to click here
to verify your credit card information.

Or “Your Amazon account has been locked.

There is some suspicious
or criminal activity.

You need to click here
to regain access to your account.”

Or “Your account was used
to buy a $250 gift card.

If you want to cancel the order
and confirm your credit card information,

click here.”

So they tell you
that you have been hacked.

In fact, you haven’t been hacked.

But when you click on these links,
you will be hacked.

Now, you might say, “Well, I’m smart.
I won’t click on these links.”

Well, I’m not sure.

If you’re distracted or if you just made
an Amazon order the day before,

I’m not sure if you wouldn’t
click on these links.

But even if just two people out of 100,
just two percent, click on these links,

well, it’s enough.

If I send 100 mails, two people
are going to click on these links.

And this is a very low estimate;
it will be way more.

And of course, it’s always urgent -
you need to do it right now.

Hackers never say, “Take your time.”

You always need to do something now;

otherwise, there will be huge damage
and it will have a huge negative impact.

You need to do something now
without thinking about it.

Let me give you another example
of how social engineers and how hackers

try to exploit our
psychological weak points.

They are using the so-called
“sympathy principle.”

They exploit our tendency
to trust and to like people.

Imagine you are in the subway on your way
to work and it’s a rainy Monday morning.

It’s going to be a very,
very long and boring day.

But suddenly, she gets on the train,
and you are getting nervous.

You would love to approach her,
you would love to talk to her,

but you don’t really have
the guts to do so.

But then suddenly,
she stands right next to you.

This would be your chance to talk to her,
but still you don’t really do it.

You pretend to read something
on your smartphone, but you don’t do it.

She stands so close to you
that she is almost touching you,

which is almost a little bit weird.

And then suddenly, she gets off the train.

What just happened?
Is she a pickpocket or something?

Then you reach inside your pocket,
and inside your pocket,

you find a little USB flash drive
with a heart on it.

What might be on there?
A phone number? Pictures?

Now, be honest:

Could you stand the curiosity

of not plugging this
into your company’s computer

to see what’s on there?

Well, probably not.

And this may be the beginning
of a negative butterfly effect unfolding

and a very serious cyberattack.

I’ll tell you a little secret
from the intelligence world:

Female spies are bloody good,
and it’s partly because of sexism.

Spying, crime and hacking -
this is seen as a man’s job.

And this is why women are by far the best,
because they are unsuspicious.

If someone looks nice or sympathetic,

it’s really hard to see this person
as a potential threat.

So you don’t see the evil
if someone has a face like an angel.

But yes, female agents are,
without any doubt,

the best in the world.

There’s a good friend of mine,
a German ex-intelligence official,

and he also confirms

that more and more women
are used in industrial espionage.

So not just hackers try to spy on you,

but also secret agents
from intelligence agencies

from foreign countries.

So some of these
best-trained agents in the world

may wait for you at the hotel bar,
with the face of an angel.

This is Silk Road.

For a very long time,

this has been the largest online
drug-dealing marketplace on the darknet.

And this is the man behind Silk Road.

Excuse me, but he looks like a character
from High School Musical.

I just want to make a point here:

Many criminals and spies
are very successful

because they don’t look like criminals
or they don’t look like spies.

He looks pretty sympathetic -

he’s not a hacker, but anyway -

many criminals and many spies

look pretty unsuspicious
and pretty sympathetic.

So they are using their appearance.

They are using our tendency
to like and to trust them against us.

[AUTHORITY]

The time is running and ticktocking away,
but I want to give you one last example

of how hackers try to exploit
our psychological vulnerabilities:

the authority principle.

We are much more influenceable
when we consider someone an authority.

And many companies
use this principle all the time.

This is the Doctor’s Best TV commercial.

They just combined
all the authority stereotypes

in one TV spot.

As you can see, it’s an elderly man
with glasses, and he wears a tie,

and he looks like a medical doctor,
and he does some kind of experiment,

and it plays in a scientific lab,

and everything in this picture,

and also the brand -
it’s called “Doctor’s Best.”

So they just combined
all the authority symbols

to convince us to pay much more
for toothbrushes.

And people do it.

And cybercriminals use the same principle,
the same persuasion technique,

all the time.

So they are using
authority symbols, logos, brands

and names of institutions
or government agencies

to convince us

that they are the authorities
and that this is a real mail.

So they send emails from the FBI
or the Bank of America or the IRS,

and they exploit,

they use our tendency
to trust experts and to trust authorities.
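As an added illustration that is not part of the talk, the three lures described above (the "you have been hacked" misdirection, the urgency, and the borrowed authority of brands such as Amazon, the IRS or the FBI) turned into a small defender-side triage heuristic in Python. The sample messages and the legitimate sender domains are constructed assumptions for the example, and the scoring is only a first filter before a human looks at the mail.

```python
import re

# Constructed sample messages (not from the talk). Each mirrors one lure the
# speaker describes; the last one is the benign "take your time" counterexample.
SAMPLES = {
    "amazon_lock": (
        "Amazon Security <alerts@amazon-account-verify.example>",
        "Your Amazon account has been locked. We have detected some unusual "
        "activity. Click here within 24 hours to regain access.",
    ),
    "irs_notice": (
        "Internal Revenue Service <refunds@irs-gov-portal.example>",
        "The IRS requires you to confirm your credit card information "
        "immediately or the order cannot be cancelled.",
    ),
    "lunch": (
        "Alice <alice@example.com>",
        "Are we still on for lunch Thursday? No rush, take your time.",
    ),
}

# One pattern per principle from the talk: misdirection and urgency.
CUES = {
    "misdirection": re.compile(
        r"unusual activity|suspicious|has been (locked|hacked)|used to buy", re.I),
    "urgency": re.compile(
        r"immediately|right now|within \d+ hours?|urgent|click here", re.I),
}
# Brands and agencies the talk names, mapped to the domain each is assumed
# (for this example) to send from; a name without that domain is a red flag.
AUTHORITIES = {
    "amazon": "amazon.com", "irs": "irs.gov", "fbi": "fbi.gov",
    "bank of america": "bankofamerica.com",
}

def sender_domain(sender):
    """Return the domain of the address inside <...>, lowercased ('' if none)."""
    m = re.search(r"<[^@<>]+@([^>]+)>", sender)
    return m.group(1).lower() if m else ""

def score_message(sender, body):
    """Count social-engineering cues; flag a claimed authority the sender lacks."""
    text = f"{sender} {body}".lower()
    hits = [name for name, rx in CUES.items() if rx.search(text)]
    domain = sender_domain(sender)
    for name, legit in AUTHORITIES.items():
        claimed = re.search(rf"\b{re.escape(name)}\b", text)
        if claimed and domain != legit and not domain.endswith("." + legit):
            hits.append("authority")  # names the brand but is sent from elsewhere
            break
    return {"cues": hits, "score": len(hits), "sender_domain": domain}

def triage(samples=SAMPLES):
    """Score every sample; two or more cues means: stop and verify before clicking."""
    return {key: score_message(*msg) for key, msg in samples.items()}
```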

So what did you learn, hopefully?

[SYMPATHY MISDIRECTION AUTHORITY]

Cybercrime is a psychological problem:

More than 90 percent of cyberattacks
are caused by human error.

Cybercriminals, hackers, social engineers
play with human emotions.

They play them like a piano.

They know what buttons to push
to get a certain reaction.

So what can we do?

What can we do to become a human firewall?

Well, the cyberdefense strategy
of many companies

could be described like this:

“Team I Don’t Care,”
“I hope it won’t hit us,”

and “I think we are too small”
or “We are not interesting enough.”

Well, guess what? You’re wrong.

There are two types of companies:

Companies that have been attacked,
and companies that will be attacked.

This is not a cyberdefense strategy;

this is naive.

The key is awareness.

A talk like this,
a speech like this, a workshop

can definitely help
to prevent crimes from happening.

Awareness alone can be a key element
in the prevention of cybercrime.

If someone calls you and asks you
for your password on the phone,

I’m not sure if you are going
to give it at this point.

If you get an email from Amazon

that your account has been hacked
and you need to click on this link,

I’m not sure if you are going
to click on this link.

If you find a USB flash drive
on the ground,

I’m not sure if you are going to plug it
into your computer out of curiosity.

And if you get an email
from the FBI or the IRS,

I’m not sure if you will transfer
the money or click on these links.

So awareness alone
can help to prevent cybercrime.

My name is Mark T. Hofmann,
I’m a profiler and speaker,

and I thank you.

Stay safe, and thank you
for your undivided attention.

(Applause)