We’re Hiring: Hacking Groups Recruit Teens While Feds Want to Ground Them
It’s not your father’s part-time job, that’s for sure. Teenagers are being recruited, often through seemingly innocuous online job postings, to become hackers in a profitable business that has racked up $1 trillion from Fortune 500 companies in the last three years or so.
But the Feds are, well, fed up and have stepped up their efforts to find and disrupt teenage hacking groups. And their targets increasingly are members of “The Community,” or “The Com” as it is called among hackers and law enforcement, a pipeline that includes ransomware gangs like Scattered Spider and ShinyHunters, and which has trained and sicced teenage hackers on companies like Nike, Louis Vuitton and Chick-fil-A. Teen hacking groups are equal opportunity employers, too, more recently ramping up recruitment of young females.
Back in the ‘50s, leather-clad street gangs with slicked back hair (at least according to the movies) roamed the streets, committing crimes and wreaking havoc in their communities. Today’s hacking groups make those gangs look like a Sunday School class—and their bounties peanuts compared to the millions young hackers can pull into today.
But the MO is still the same—gangs have nearly always heavily recruited young teens to do their bidding. Their skills (in hacking circles, digital natives have desirable tech prowess) and their recklessness (teens often aren’t mature enough to be risk-averse) make them prime targets for recruitment to the underground.
“Unfortunately, this has always been the way, and it’s not unique to hacking,” says Bugcrowd Founder Casey Ellis, who notes that “drug distribution, organized petty theft, automotive theft, and other organized criminal enterprises have long followed the pattern of identifying talented young people, and taking advantage of the fact that less life experience often makes them easier to recruit and manipulate.”
And, says Nivedita Murthy, senior staff consultant at Black Duck, “Malicious actors of all ages feel no fear in stealing and selling stolen data as they don’t see any consequences.”
While the stereotype of the teen not listening has been perpetuated over the ages, apparently, teen hackers do listen…to each other, quickly picking up tips and tricks and knowledge that help them sharpen their social engineering and hacking skills.
They are also often expendable—taking the risks and bearing the consequences if caught, while the masterminds of the hacking groups skate. And the law, at least in some cases, is catching up. Just look at Thalha Jubair, who was recruited to Scattered Spider at 15. The now 19-year-old faces 95 years in prison for his role in targeting large U.S. companies, including financial services firms and airlines, in a ransomware scheme.
Murthy says that “recent arrests are a step in the right direction, highlighting the need for laws and initiatives that lead to severe penalties, thereby deterring them from engaging in such activities in the future.”
The dark side of hacking, says Ellis, “is that teenagers can end up in a position where their power and capabilities overtake the development of their own moral compass, and they don’t necessarily ‘decide to become a bad guy.’”
Instead, he explains, “they often find themselves in a place where they are on the wrong side of the law.” And that can set them up for next-level crime.
“If they are caught, they’ll often end up on the radar of organized criminals who step in, recruit them, and set them on the path of a life of crime,” Ellis says.
Andy Bennett, CISO at Apollo Information Systems, warns, “it would be very naive to think that even a thousand arrests would make a material difference in the overall volume of cyber-attacks anytime soon.”
Until the industry finds “ways to limit attackers’ ability to monetize cyber-crime, the incentive will remain for attackers to keep up the pressure,” he says.
“We shouldn’t stop pursuing them, and we should be ramping up arrests and prosecutions; however, there is a lot of work to be done and a lot more arrests to be made before we see an appreciable impact in lowering cyber-criminal activity,” Bennett says.
Perhaps a two-prong strategy is best—organizations must shore up defenses against such hackers and as an industry, it’s important to bolster efforts to sway young people away from recruitment by bad actors and organizations.
“Identity security, surveillance countermeasures, and community awareness programs need to consider physical security and electronic security as equal in defense,” says Morey Haber, chief security advisor at BeyondTrust. “This is especially true when they merge and Wi-Fi signals may extend outside of physical walls and can be susceptible to surveillance.”
Companies like Bugcrowd can help dissuade young people from going to the dark side. “Providing a white-hat outlet for young people with these skills—and in the process helping to accelerate their understanding of legal and ethical boundaries—is one of the most rewarding things about getting to work on something like Bugcrowd,” says Ellis.
And just maybe with that kind of knowledge—and maturity—would-be teen hackers will start to understand how they are being used by hacking groups.
“That moment where we’d naturally expect to catch someone, such as using a stolen credit or gift card, walking around a carefully monitored embassy, etc… is the exact moment the criminal or threat actor will avoid being themselves,” says Trey Ford, chief strategy and trust officer at Bugcrowd. “Easy money should have us asking ‘what risk is this payout seeking to avoid?’
