Sistema de Administración de la Calidad en los Servicios

As set out in the section in this Chapter on ‘Measuring cybercrime’, characterization of a crime typically requires information on ‘who’ (and how many) are involved in ‘what’ (and how much).75

This section examines the perpetrator ‘who’ component, with a focus on typical offenders and likely levels of criminal organization. It does so, in particular, with reference to the crimes of computer- related fraud, and computer-related production, distribution or possession of child pornography.

The full depiction of a ‘cybercrime perpetrator’ may contain many elements. Age, sex, socio-economic background, nationality, and motivation are likely amongst the core characteristics.76

In addition, the level of criminal organization – or the degree to which individuals act in concert with others – represents a defining feature of the human association element behind criminal conduct.77 _{Understanding cybercrime as a ‘socio-technological’ phenomenon, based on an}

appreciation of the characteristics of persons who commit such crimes, represents a broader approach to prevention than that focused solely on technical cybersecurity concepts.78

75 _{European Institute for Crime Prevention and Control, affiliated with the United Nations (HEUNI), 2011. Data Collection on}

[New] Forms and Manifestations of Crime. In: Joutsen, M. (ed.) New Types of Crime, Proceedings of the International Seminar held in Connection with HEUNI’s Thirtieth Anniversary, 20 October 2011, Helsinki: EICPC. See also UNODC, 2010. The Globalization of Crime: A Transnational Organized Crime Threat Assessment.

76 _{United Nations Department of Economic and Social Affairs, Statistics Division, 2003. Manual for the Development of a System of}

Criminal Justice Statistics. ST/ESA/STATSER.F/89.

77 _{Levi, M., 1998. Perspectives on ‘Organised Crime’: An Overview. The Howard Journal, 37(4):335-345.}

78 _{Yip, M., Shadbolt, N., Tiropanis, T. and Webber, C., 2012. The Digital Underground Economy: A Social Network Approach to}

Understanding Cybercrime. Paper presented at the Digital Futures conference, 23-25 October 2012, Aberdeen.

Key results:

 Cybercrime perpetrators no longer require complex skills or techniques, due to the advent and ready availability of malware toolkits

 Upwards of 80 per cent of cybercrime acts are estimated to originate in some form of organized activity, with cybercrime black markets established on a cycle of malware creation, computer infection, botnet management, harvesting of personal and financial data, data sale, and ‘cashing out’ of financial information

 Cybercrime often requires a high degree of organization to implement, and may lend itself to small criminal groups, loose ad hoc networks, or organized crime on a larger scale. The typology of offenders and active criminal groups mostly reflect patterns in the conventional world

 In the developing country context in particular, sub-cultures of young men engaged in computer-related financial fraud have emerged, many of whom begin involvement in cybercrime in their late teenage years

 The demographic nature of offenders mirrors conventional crime in that young males are the majority, although the age profile is increasingly showing older (male) individuals, particularly concerning child pornography offences

 While some perpetrators may have completed advanced education, especially in the computer science field, many known offenders do not have specialized education

 There is a lack of systematic research about the nature of criminal organizations active in cyberspace; and more research is needed regarding the links between online and offline child pornography offenders

40

While individual characteristics are comparatively straightforward to define, it is well known that analysis of organized crime frequently presents both definitional and measurement challenges. This Study adopts the broad definition of the United Nations Organized Crime Convention of an organized criminal group.79 _{Within this definition, various approaches to typologies exist,}80 _{as well as}

approaches to classifying a particular criminal offence as ‘organized crime.’81 _{There is no reason to}

think that the development of such typologies and approaches cannot in some way be applied to the involvement of organized criminal groups in cybercrime – albeit with some fresh challenges, and determined on a case-by-case basis.82 Indeed, one key proposition of the EUROPOL Internet

Facilitated Organised Crime Threat Assessment (iOCTA) is that ‘the structure of cybercrime groups marks the cleanest break to date from the traditional concept of organized crime groups as hierarchical.’83 _{This section}

finds that while this may be true in many cases, it is necessary to consider a broad range of typologies, including taking into account online/offline criminal activity dynamics.

‘Typical offender’ profiles

Information on individual offender profiles is most commonly gained from retroactive studies of cohorts of prosecuted cybercrime cases. Undercover law enforcement operations on online underground forums, as well as perpetrator observation work by academic researchers in discussion forums and chat rooms also represent a valuable source of information. Additional approaches include the use of anonymous self-report questionnaires, observation at IT ‘underground security’ events, and the deployment of internet- connected ‘honey-pots.’84

79 _{Under Article 2 of the Organized Crime Convention; ‘an ‘Organized criminal group’ shall mean a structured group of three or more persons,}

existing for a period of time and acting in concert with the aim of committing one or more serious crimes or offences established in accordance with this Convention, in order to obtain, directly or indirectly, a financial or other material benefit.’ Article 2(c) clarifies that ‘a ‘Structured group’ shall mean a group that is not randomly formed for the immediate commission of an offence and that does not need to have formally defined roles for its members, continuity of its membership or a developed structure.’

80 _{One UNODC typology of organized criminal groups consists of: (i) ‘Standard hierarchy’ (single hierarchical group with strong} internal systems of discipline); (ii) ‘Regional hierarchy’ (hierarchically structured groups, with strong internal lines of control and discipline but relative autonomy for regional components); (iii) ‘Clustered hierarchy’ (a set of criminal groups which have established a system of coordination/control, ranging from weak to strong, over all their activities); (iv) ‘Core group’ (a relatively tightly organized but unstructured group, surrounded in some cases by a network of individuals engaged in criminal activities); and (v) ‘Criminal network’ (a loose and fluid network, often drawing on individuals with particular skills, who constitute themselves around an ongoing series of criminal projects. UNODC, 2002. Results of a Pilot Survey of Forty Selected Organized Criminal Groups in Sixteen Countries. September 2002.

81 _{Europol, for example, has specified that for any crime or criminal group to be classified as “organized crime” at least six of the} following characteristics must be present, four of which must be those numbered (1), (3), (5) and (11): (1) collaboration of more than two people; (2) each with his or her own appointed tasks; (3) for a prolonged or indefinite period of time; (4) using some form of discipline and control; (5) suspected of the commission of serious criminal offences; (6) operating on an international level; (7) using violence or other means suitable for intimidation; (8) using commercial or businesslike structures; (9) engaged in money laundering; (10) exerting influence on politics, the media, public administration, judicial authorities or the economy; and (11) determined by the pursuit of profit and/or power. Europol Doc. 6204/2/97. ENFOPOL 35 Rev 2.

82 _{Even though, for example, the individual and institutional custodians of compromised computers in a botnet may be unwitting} participants in a criminal enterprise, some commentators maintain that botnets should be considered a form of organized crime. (Chang, L. Y. C., 2012. Cybercrime in the Greater China Region. Cheltenham: Edward Elgar).

83 _{Europol, 2011. Internet Facilitated Organised Crime Threat Assessment (Abridged). iOCTA. File No. 2530-264.}

84 _{See, for example, Chiesa, R., Ducci, S. and Ciappi, S., 2009. Profiling Hackers. The Science of Criminal Profiling as Applied to the World of}

Hacking. Boca Raton, FL: Taylor & Francis Group.

Comparison of

Cybercrime suspects identified by police (A country in Southern Asia)

In one country in Southern Asia, published national police statistics contain details of recorded cybercrime offences and suspects. Suspects are classified in reported statistics through a number of categories, according to relationship with the victim and other characteristics. While a high proportion of suspects remain unclassified, national police statistics show that:

• Over 10 per cent of recorded cybercrime suspects are known to the victim as neighbours, friends, or relatives; • ‘Disgruntled employees’ and ‘crackers’ each constitute around 5 per cent of recorded cybercrime perpetrators; • A significant number of cybercrime suspects are enrolled in higher education and other learning programmes.

CHAPTER TWO:THE GLOBAL PICTURE

studies is complicated by differences in methodology; cybercrime acts included; sample selection, geographic coverage; and approaches to analysis and presentation of perpetrator characteristics – such as the use of different perpetrator age intervals. This section presents data both on studies that profile cybercrime perpetrators across a broad range of offences, and those that focus on particular acts – such as illegal access to computer systems or data, and computer- related production, distribution or possession of child pornography.

The analysis below is derived from three key studies85 _{that cover a range of cybercrime acts,}

as well as from a self-report questionnaire study focusing on hackers.86 _{The ‘Li’ cohort corresponds}

to 151 offenders in ‘typical’ cybercrime cases prosecuted by a country in North America between 1998 and 2006.87 _{The ‘Lu’ cohort consists of over 18,000 cybercrime suspects recorded in the police}

database of a territory in Eastern Asia between 1999 and 2004.88 _{The ‘BAE Detica’ study examined}

two samples of 250 distinct reported organized ‘digital’ crime group activities from a global literature review. In contrast, the ‘HPP’

hacking study relies on data from around 1,400 self-report questionnaires completed by ‘hackers’ – who may, or may not, have been involved in any crime.89

Age – Figure 2.14

shows perpetrator age groups from the four studies.90

85 _{Li, X., 2008. The Criminal Phenomenon on the Internet: Hallmarks of Criminals and Victims Revisited through Typical Cases} Prosecuted. University of Ottawa Law & Technology Journal, 5(1-2):125-140, (‘Li’); Lu, C.C., Jen, W.Y., Chang, W. and Chou, S., 2006.

Cybercrime & Cybercriminals. Journal of Computers, 1(6):1-10, (‘Lu’); and BAE Systems Detica and London Metropolitan University,

2012. Organised Crime in the Digital Age (‘BAE Detica’).

86 _{UNICRI and Chiesa, R., 2009. Profiling Hackers. Available at:}

http://www.unicri.it/emerging_crimes/cybercrime/cyber_crimes/docs/profiling-hackers_add-info.pdf (‘HPP’).

87 _{The Li cohort included hacking/illegal access, attack, sabotage, viruses, data theft/espionage, and computer-related identity theft,} fraud, embezzlement and corruption.

88 _{The Lu cohort included internet fraud, cyber piracy, computer misuse, and computer-related money laundering, pornography, sex} trading, gambling, and larceny.

89 _{Commentators note that popular culture conceptions of ‘hackers’ that are not well defined or established have been used to fill} cybercrime perpetrator ‘information gaps.’ See Wall, D. 2012. The Social Construction of Hackers as Cybercriminals. In: Gregoriou,

C. (ed), Constructing Crime: Discourse and Cultural Representations of Crime and ‘Deviance’. Houndsmills, UK: Palgrave Macmillan, p.4-18.

90 _{As the studies report perpetrator ages using different intervals, results are graphed by assuming equal distribution across the} reported age intervals. Underlying data for each study likely show variation within each age interval.

All studies suggest that cybercrime perpetrators are most commonly aged between 18 and 30 years. Li, for example, finds 37 per cent of perpetrators between the

age of 17 and 25 years. Lu finds 53 per cent of perpetrators between the age of 18 and 29 years.

Use of a legal business as a cybercrime front Two principal organizers of a group of about 30 people based in Eastern Europe supplied legal computer server and hosting services. Through this licit activity they concealed hundreds of ‘smswarez’ (illegal trade in content protected by copyright in return for payment by SMS), ‘smswebs’ (webpages where copyright-protected content can be downloaded in return for payment by SMS) and ‘torrents.’ The organizers used spam to advertise these illicit services, which ultimately led to the seizure of 48 illegal servers with a capacity of 200-250 terabytes. After this group was arrested national internet data turnover was reduced by about 10 per cent.

UNODC Digest of Organized Crime Cases

0 1 2 3 4 5 6 7 1 6 11 16 21 26 31 36 41 46 % o f c oho rt Age

Figure 2.14: Age groups of cybercrime perpetrators

HPP Li Lu BAE Detica

42   

The more recent BAE Detica study differs somewhat, in that it indicates possible higher levels of continued offending amongst persons in their 30s and 40s – with 32 per cent of perpetrators reported to be between the age of 36 and 50 years. In contrast to studies that include a range of cybercrime acts, the HPP hacking study shows a sharper decline in older perpetrator age groups – with only 21 per cent of all perpetrators above the age of 30 years. This may fit with the identification of sub-profiles of hackers that start at a young age – such as ‘script kiddies.’ The HPP finds, for example, that 61 per cent of hackers reported starting between the ages of 10 and 15 years. Cybercrime perpetrators overall may, in turn, be younger than criminal offenders in general. In the East Asian territory examined by Lu, the peak age group for total crime perpetrators was found to be 30 to 39 years, compared with 18 to 23 years for cybercrime perpetrators.

Gender – Cybercrime perpetrators are overwhelmingly male – the HPP, Li and Lu studies

found 94, 98 and 81 per cent male perpetrators, respectively. Findings of more than 90 per cent correspond to a higher proportion of male involvement in cybercrime than for crime in general. Globally, the proportion of males prosecuted for any crime is typically between 85 and 90 per cent, with a median of around 89 per cent.91 _{This pattern fits with data provided by countries during}

information gathering for the Study. One country in Northern Europe, for example, commented that ‘perpetrators are young and male.’92

Few studies have been carried out in developing countries that provide a clear picture covering all ages. Nonetheless, sub-profiles of

cybercrime perpetrators such as ‘yahooboys’93

confirm at least the particular engagement of young men in cybercrime activities. One such study finds that 50 per cent of such perpetrators in one country in Western Africa are aged 22 to 25 years – with more than half claiming to have already spent five to seven years in cybercrime.94

Technical skill – With respect to the level

of technical skill and knowledge of cybercrime perpetrators, the majority of the cases analysed by Li did not involve complex skills or techniques unavailable to common computer users. Overall, 65 per cent of all acts were relatively simple to achieve, 13 per cent required medium level skills and 22 per cent were complicated. The most complex attacks were those involving viruses, worms, and spyware – of which 73 per cent were classified as complicated. As commonly highlighted by cybersecurity organizations, it is likely that the possibility of purchasing computer tools able to       

91 _{HEUNI and UNODC, 2010. International Statistics on Crime and Justice. Helsinki: HEUNI.} 92 _{Study cybercrime questionnaire. Q85.}

93 _{The sub-culture of ‘yahooboys’ describes youths, especially those living in cities, who make use of the internet for acts of computer-}

related fraud, phishing and scamming. Adeniran, A.I., 2011. Café Culture and Heresy of Yahooboyism. In: Jaishankar, K. (ed.) Cyber Criminology: Exploring Internet Crimes and Criminal Behaviour. Boca Raton, FL: CRC Press, Taylor & Francis Group.

94 _{Aransiola, J.O., and Asindemade, S.O., 2011. Understanding Cybercrime Perpetrators and the Strategies they employ.}

Cyberpsychology, Behaviour and Social Networking, 14(12):759.

Profile of student ‘yahooboys’ in a country in Western Africa

Age

<22 years 5 per cent 22-25 years 50 per cent 26-29 years 40 per cent >29 years 5 per cent Sex

Male 95 per cent

Female 5 per cent

Number of years spent in cybercrime <2 years 2.5 per cent 2-4 years 35 per cent 5-7 years 55 per cent >7 years 7.5 per cent Parents’ level of education None 2.5 per cent Primary 5 per cent Secondary 12.5 per cent Tertiary 80 per cent

Aransiola, J.O. and Asindemade, S.O. 2011. Understanding Cybercrime Perpetrators and the Strategies they employ. Cyberpsychology, Behaviour and Social Networking. 14(12), 759-763.

CHAPTER TWO:THE GLOBAL PICTURE

exploit computer vulnerabilities and hijack large numbers of computers means that cybercrime perpetrators no longer require high levels of technical skill.95 _{Skill levels are therefore likely to be}

highly variable96 _{and – as discussed below – this may itself play some role in cybercrime group}

structure. Overall, however, education levels amongst cybercrime perpetrators may still be higher than for conventional, or all, crime. The Lu study found 28 per cent of cybercrime suspects in the territory had undertaken tertiary education, compared with eight per cent for all crime. Similarly, the HPP study found that more than half of hackers had undertaken tertiary education. Nonetheless, as noted by the BAE Detica study, it is likely that the ‘artificial’ acquisition of technical skills (such as through malware toolkits including ZeuS or the Butterfly Bot) has resulted in a shift away from the traditional profile of a highly-skilled digital criminal, towards a much wider pool of individuals.

Child pornography perpetrators

The profile of persons engaged in the computer-related production, distribution or possession of child pornography may be different to that of cybercrime perpetrators in general. Recent information on this perpetrator group has been gathered by the ‘Virtual Global Taskforce’ (VGT)97 _{in the form of a small non-random sample of 103 persons arrested for downloading and}

exchanging child pornography through online P2P services.98

Age and social status – All suspects in the VGT cohort were male and ranged in age from 15

to 73 years, with an average age of 41 years. One in five suspects was not working but was retired, unemployed, or receiving health-related welfare benefits. The others were working or studying. 42 per cent were living with a partner and/or children. These perpetrators were significantly older (average of 50 years) than single offenders (average of 35 years). All suspects were concerned with hiding their activities from others, but 60 per cent succeeded in separating it completely from their daily life. For the rest of the group, their offending activities tended to become obsessive, were more or less enmeshed with their daily life, and possibly not well hidden from others. This latter group tended to be of low socio-economic status and to be highly computer literate and around 4 per cent of offenders reported a mental health problem.

Offending patterns – Suspects tended to have been involved in child pornography offending

for a comparatively long period – an average of five years, ranging from six months to 30 years. Over 60 per cent of suspects not only collected child pornography but also traded/distributed it through a P2P network, and 35 per cent were involved in network(s) other than P2P. Of those, half participated in ‘offline’ networks – suggesting that individuals who go beyond accessing child pornography to trading it do so not only online, but also offline.

Links with ‘offline’ offending – As between ‘online’ and ‘offline’ offenders, online offenders are

more likely to be Caucasian, unemployed and marginally younger than offline offenders.99 _Links

nonetheless may exist.100 _{One recent meta-study found that in a sample of over 3,500 online child}

95 _{See, for example, Symantec, 2011. Report on Attack Kits and Malicious Websites; Fortinet, 2013. Fortinet 2013 Cybercrime Report –}

Cybercriminals Today Mirror Legitimate Business Processes; and Trend Micro, 2012. The Crimeware Evolution.

96 _{The HPP, for example, found that hacker technical skills were distributed as follows: low (21 per cent); medium (32 per cent); high}

(22 per cent); expert (24 per cent).

97 _{The Virtual Global Taskforce For Combating Online Child Sexual Abuse is an international partnership between nine law}

enforcement agencies established in 2003. See www.virtualglobaltaskforce.com

98 _{Because of the small size of the sample and its non-random case selection process, findings are not generalizable to the population}

of online offenders. Nonetheless, some insights into the characteristics of these individuals and their offending can be gained. See Bouhours, B. and Broadhurst, R., 2011. Statistical Report: Virtual Global Taskforce P2P Online Offender Sample July 2010–June 2011. Canberra: Australian National University. Available at: SSRN: http://ssrn.com/abstract=2174815 or

http://dx.doi.org/10.2139/ssrn.2174815

99 _{Babchishin, K., Hanson, R. and Herrmann, C., 2011. The Characteristics of Online Sex Offenders: A Meta-Analysis. Sex Abuse: A}

Journal of Research and Treatment, 23(1):92-123.

100 _{See for example, Broadhurst, R. and Jayawardena, K., 2007. Online Social Networking and Paedophilia: An Experimental Research}

44   

pornography offenders, one in six were also involved in ‘offline’ abuse of children.101 _{In the VGT}