Profiling Hackers - The Psychology of Cybercrime | Mark T. Hoffmann | TEDxHHL

00:00

Transcriber: Mariolina Sanfilippo Reviewer: Eunice Tan

00:12

My name is Mark T. Hofmann, and I’m a crime and intelligence analyst

00:16

or what most of you would most likely call “a criminal profiler.”

00:22

If you think of cybercrime, you may have something like this in mind.

00:28

On television, it always makes these fancy sounds,

00:32

(Computer beeps)

00:33

and you see the kid with a hoodie in front of a laptop,

00:36

with green text on the screen.

00:40

Well, reality is different.

00:42

And on television, you never really get to see the face.

00:45

Hackers are always presented like this or from behind,

00:49

but you never really see the face.

00:52

Today, I would like to unmask the face of hackers, so to say.

00:56

I would like to talk about the profiles and motives of hackers.

01:01

I would like to talk about psychological manipulation,

01:05

about social engineering techniques they are using to attack us,

01:10

and what we can do to become a human firewall.

01:16

As a profiler, I am interested in behavior.

01:19

I analyze behavior,

01:20

and I try to identify the motives and the psychology behind that behavior.

01:26

Because with everything we do, we show something of who we are;

01:32

with every decision we make, we show something of who we are.

01:36

And also, hackers make a series of decisions:

01:42

They are choosing targets, they are choosing methods,

01:45

pretty often they make phone calls,

01:48

they write text messages, they write phishing mails.

01:52

And with everything they do, or fail to do,

01:55

they not only leave digital traces but also traces of their personality.

02:02

And very often, the analysis of language is a key element in profiling hackers.

02:08

Let me give you an example with the word “behavior” itself.

02:12

A person from the United States,

02:14

an American, would most likely write the word “behavior” like this,

02:18

a person from the UK would more likely spell the word “behavior” like this,

02:23

[BEHAVIOUR]

02:24

and an idiot might spell the word “behavior” like this.

02:29

So based on the word someone is using, based on the analysis of language,

02:34

I can try to make a probability statement about an unknown offender.

02:40

Yes, cybercriminals are hard to catch,

02:42

but in many cases, they are not as invisible as they might think.

02:47

[BEHAVIAR]

02:48

[>90%]

02:49

So what can a profiler tell you about cybercrime?

02:52

Well, quite a lot.

02:55

More than 90 percent of all cyberattacks or cybersecurity breaches

03:01

are caused by human error.

03:04

So humans, people, are the weakest link in the cybersecurity chain.

03:11

Let me be very clear about this:

03:13

Cybercrime is not just a technical problem.

03:16

It’s a psychological problem, it’s a people’s problem,

03:20

it’s clearly a management problem.

03:24

Computers are the weapons,

03:26

but the perpetrators and also the victims are humans.

03:31

Any door is only as secure

03:35

as the person who is holding the key or the passwords.

03:39

So you can have the best fancy high-security door in the world.

03:43

If I manipulate you to give me the key, it’s useless.

03:48

You can have the best fancy high-security firewall system in the world.

03:53

If I manipulate you to give me the passwords, it’s useless.

04:00

“Amateurs hack systems, professionals hack people.”

04:05

This is a quote by security expert Bruce Schneier, and he is damn right.

04:10

So what can we say about the profiles of hackers?

04:14

Who are the people behind the attacks?

04:17

Well, pretty often, cybercrime doesn’t look like this.

04:21

It looks more like this.

04:24

Law enforcement professionals and intelligence professionals

04:27

and security professionals like to use the term “crime as a service.”

04:33

So pretty often, cybercriminals work in company-like structures.

04:38

They have something like a supply chain,

04:41

they have something like quality management,

04:43

and sometimes they even have customer support.

04:47

So if you or your company gets attacked,

04:50

it may not come from a kid in front of a laptop, with a hoodie.

04:53

It may come from a call center-like structure

04:57

anywhere in the world, like this.

05:01

But of course, there are some individual hackers -

05:04

we call them “black hat hackers.”

05:06

So the ones with the black hats, these are of course the bad guys.

05:12

According to the current state of science,

05:14

what can we say about the profiles of black hat hackers?

05:19

We can say this:

05:21

Most of them - some studies say more than 90 percent - are male.

05:25

Around about 80 percent are under 30 years old.

05:29

[Male Under 30]

05:31

The majority of them, around about 60 percent,

05:33

started at a very young age - between 10 and 15 years old.

05:38

They have above average intelligence, they are pretty often well educated,

05:43

and 90 percent do not have a low socioeconomical status.

05:49

So they are young, they are intelligent, and they are pretty often well educated.

05:53

Why the hell do they do what they do?

05:56

The main motives in descending order are money - financial gain -

06:01

espionage,

06:03

and fun - ideology or simply trolling.

06:07

[Motives]

06:08

Well, so they do it mostly for money.

06:10

If I look at this list of motives, I’m a little bit skeptical.

06:14

Because as we just learned,

06:16

they are young, they are intelligent, they are well educated,

06:19

and they do not necessarily come from difficult or broken home environments.

06:24

So if they want to make money,

06:27

why don’t they just work for Google or any other Silicon Valley company?

06:32

They could make a ton of money in a legal way.

06:35

So why are they committing crimes? Why do they make money that way?

06:41

Another psychological motive comes into play

06:43

which is called thrill-seeking,

06:45

or in psychology we sometimes like to call this

06:48

“challenge to beat the system.”

06:51

So they like the feeling of being cleverer than the FBI.

06:55

Never underestimate the role of ego, challenge and thrill-seeking

07:01

in cybercrime,

07:03

and I’m not just talking theory.

07:05

I met hackers myself, I did my own research,

07:09

and one of my subjects told me this:

07:12

“I analyze people.

07:15

In the end, human hacking works the same way that computer hacking works.

07:20

You always look for vulnerabilities and try to exploit them.”

07:26

So they are social engineers analyzing us.

07:32

They are analyzing our psychological weak points,

07:35

and they try to attack,

07:37

they try to exploit our psychological weak points.

07:41

But what are our psychological weak points?

07:44

What are the psychological manipulation techniques?

07:47

What are some of the social engineering techniques?

07:51

I want to show you a little illusion.

07:53

For this illusion, I just need a silk, and I put this silk in my hand.

08:01

Then I can show my hand empty, and the silk magically turns into an egg.

08:08

As I can see, you’re not that amazed.

08:11

And you’re right, it’s not that clever -

08:13

it’s just a plastic egg with a hole inside it.

08:16

But I want to use this to teach you a lesson about the art of misdirection.

08:23

So the fake egg goes in my left pocket, and the hankie goes in my right pocket.

08:29

And then I was fiddling around with my right pocket,

08:31

and I tried to direct your attention to the silk

08:35

while I secretly got out the fake egg with my other hand.

08:40

Then I told you I put the silk in my hand,

08:43

but in fact I carefully put the silk inside the fake egg.

08:48

Then, of course, I can show my hand empty, and then it magically turns into an egg.

08:56

Well, not that spectacular, but as I just told you,

09:02

I’m going to teach you a lesson about the art of misdirection.

09:06

Explain this.

09:08

(Egg cracks and drops)

09:12

As I just told you, this will be a lesson about the art of misdirection.

09:18

Well, what did just happen?

09:20

I created an illusion inside an illusion.

09:23

So basically, I fooled you while explaining how you have been fooled,

09:30

and this way, I totally eliminated your critical thinking.

09:35

In the first round, you all watched closely,

09:38

and you tried to see the secret behind it.

09:41

But in the second round, you relaxed.

09:43

I told you, “Relax - now I show you how it’s done,”

09:47

and this way, I eliminated your critical thinking.

09:50

Again, I fooled you while explaining how you have been fooled,

09:53

and this is what hackers do all the time.

09:56

They hack you while telling you that you have been hacked,

09:59

and this way, they totally eliminate your critical thinking.

10:05

Pretty often, phishing mails and short messages start like this:

10:09

“We have detected some unusual activity on your account.”

10:13

And of course, now you need to click here to verify your credit card information.

10:18

Or “Your Amazon account has been locked.

10:20

There is some suspicious or criminal activity.

10:23

You need to click here to regain access to your account.”

10:27

Or “Your account was used to buy a $250 gift card.

10:32

If you want to cancel the order and confirm your credit card information,

10:37

click here.”

10:38

So they tell you that you have been hacked.

10:41

In fact, you haven’t been hacked.

10:42

But when you click on these links, you will be hacked.

10:45

Now, you might say, “Well, I’m smart. I won’t click on these links.”

10:49

Well, I’m not sure.

10:50

If you’re distracted or if you just made an Amazon order the day before,

10:55

I’m not sure if you wouldn’t click on these links.

10:58

But even if just two people out of 100, just two percent, click on these links,

11:03

well, it’s enough.

11:05

If I send 100 mails, two people are going to click on these links.

11:09

And this is a very low estimate; it will be way more.

11:15

And of course, it’s always urgent - you need to do it right now.

11:19

Hackers never say, “Take your time.”

11:21

You always need to do something now;

11:23

otherwise, there will be a huge damage and it will have a huge negative impact.

11:28

You need to do something now without thinking about it.

11:33

Let me give you another example of how social engineers and how hackers

11:37

try to exploit our psychological weak points.

11:42

They are using the so-called “sympathy principle.”

11:46

They exploit our tendency to trust and to like people.

11:53

Imagine you are in the subway on your way to work and it’s a rainy Monday morning.

11:59

It’s going to be a very, very long and boring day.

12:04

But suddenly, she gets on the train, and you are getting nervous.

12:09

You would love to approach her, you would love to talk to her,

12:13

but you don’t really have the guts to do so.

12:15

But then suddenly, she stands right next to you.

12:18

This would be your chance to talk to her, but still you don’t really do it.

12:23

You pretend to read something on your smartphone, but you don’t do it.

12:28

She stands so close to you that she is almost touching you,

12:32

which is almost a little bit weird.

12:34

And then suddenly, she gets off the train.

12:37

What did just happen? Is she a pickpocket or something?

12:40

Then you reach inside your pocket, and inside your pocket,

12:45

you find a little USB flash drive with a heart on it.

12:50

What might be on there? A phone number? Pictures?

12:53

Now, be honest:

12:55

Could you stand the curiosity

12:57

of not plugging this into your company’s computer

13:00

to see what’s on there?

13:01

Well, probably not.

13:03

And this may be the beginning of a negative butterfly effect unfolding

13:07

and a very serious cyberattack.

13:10

I’ll tell you a little secret from the intelligence world:

13:14

Female spies are bloody good, and it’s partly because of sexism.

13:20

Spying, crime and hacking - this is seen as a man’s job.

13:25

And this is why women are by far the best, because they are unsuspicious.

13:32

If someone looks nice or sympathetic,

13:34

it’s really hard to see this person as a potential threat.

13:39

So you don’t see the evil if someone has a face like an angel.

13:45

But yes, female agents are, without any doubt,

13:49

the best in the world.

13:52

There’s a good friend of mine, a German ex-intelligence official,

13:55

and he also confirms

13:57

that more and more women are used in industrial espionage.

14:01

So not just hackers try to spy on you,

14:05

but also secret agents from intelligence agencies

14:08

from foreign countries.

14:10

So some of these best-trained agents in the world

14:14

may wait for you at the hotel bar, with the face of an angel.

14:20

This is Silk Road.

14:22

For a very long time,

14:23

this has been the largest online drug-dealing marketplace on the darknet.

14:28

And this is the man behind Silk Road.

14:31

Excuse me, but he looks like a character from High School Musical.

14:36

I just want to make a point here:

14:38

Many criminals and spies are very successful

14:42

because they don't look like criminals or they don't look like spies.

14:46

He looks pretty sympathetic -

14:48

he’s not a hacker, but anyway -

14:49

many criminals and many spies

14:52

look pretty unsuspicious and pretty sympathetic.

14:55

So they are using their appearance.

14:58

They are using our tendency to like and to trust them against us.

15:04

[AUTHORITY]

15:05

The time is running and ticktocking away, but I want to give you one last example

15:09

of how hackers try to exploit our psychological vulnerabilities:

15:13

the authority principle.

15:17

We are much more influenceable when we consider someone an authority.

15:23

And many companies use this principle all the time.

15:27

This is the Doctor’s Best TV commercial.

15:30

They just combined all the authorities’ stereotypes

15:35

in one TV spot.

15:36

As you can see, it’s an elderly man with glasses, and he wears a tie,

15:40

and he looks like a medical doctor, and he does some kind of experiment,

15:44

and it plays in a scientific lab,

15:47

and everything in this picture,

15:48

and also the brand - it’s called “Doctor’s Best.”

15:52

So they just combined all the authority symbols

15:55

to convince us to pay much more for toothbrushes.

15:59

And people do it.

16:00

And cybercriminals do the same principle, the same persuasion technique,

16:05

all the time.

16:06

So they are using authority symbols, logos, brands

16:11

and names of institutions or government agencies

16:15

to convince us

16:16

that they are the authorities and that this is a real mail.

16:20

So they send emails from the FBI or the Bank of America or the IRS,

16:25

and they exploit,

16:26

they use our tendency to trust experts and to trust authorities.

16:34

So what did you learn, hopefully?

16:37

[SYMPATHY MISDIRECTION AUTHORITY]

16:39

Cybercrime is a psychological problem:

16:42

More than 90 percent of cyberattacks are caused by human error.

16:47

Cybercriminals, hackers, social engineers play with human emotions.

16:52

They play them like a piano.

16:54

They know what buttons to push to get a certain reaction.

16:58

So what can we do?

17:00

What can we do to become a human firewall?

17:04

Well, the cyberdefense strategy of many companies

17:07

could be described like this:

17:09

“Team I Don’t Care,” “I hope it won’t hit us,”

17:13

and “I think we are too small” or “We are not interesting enough.”

17:18

Well, guess what? You’re wrong.

17:21

There are two types of companies:

17:23

Companies that have been attacked, and companies that will be attacked.

17:27

This is not a cyberdefense strategy;

17:30

this is naive.

17:33

The key is awareness.

17:35

A talk like this, a speech like this, a workshop

17:38

can definitely help to prevent crimes from happening.

17:42

Awareness alone can be a key element in the prevention of cybercrime.

17:49

If someone calls you and asks you for your password on the phone,

17:54

I’m not sure if you are going to give it at this point.

17:59

If you get an email from Amazon

18:02

that your account has been hacked and you need to click on this link,

18:05

I’m not sure if you are going to click on this link.

18:09

If you find a USB flash drive on the ground,

18:13

I’m not sure if you are going to plug it into your computer out of curiosity.

18:18

And if you get an email by the FBI or the IRS,

18:22

I’m not sure if you will transfer the money or click on these links.

18:26

So awareness alone can help to prevent cybercrime.

18:32

My name is Mark T. Hofmann, I’m a profiler and speaker,

18:36

and I thank you.

18:39

Stay safe, and thank you for your undivided attention.

18:47

(Applause)