Introduction: Few studies have examined the sales of stolen account credentials on darkweb markets. In this study, we tested how advertisement characteristics affect the popularity of illicit online advertisements offering account credentials. Unlike previous criminological research, we take a novel approach by assessing the applicability of knowledge on regular consumer behaviours instead of theories explaining offender behaviour. Methods: We scraped 1,565 unique advertisements offering credentials on a darkweb market. We used this panel data set to predict the simultaneous effects of the asking price, endorsement cues and title elements on advertisement popularity by estimating several hybrid panel data models. Results: Most of our findings disconfirm our hypotheses. Asking price did not affect advertisement popularity. Endorsement cues, including vendor reputation and cumulative sales and views, had mixed and negative relationships, respectively, with advertisement popularity. Discussion: Our results might suggest that account credentials are not simply regular products, but high-risk commodities that, paradoxically, become less attractive as they gain popularity. This study highlights the necessity of a deeper understanding of illicit online market dynamics to improve theories on illicit consumer behaviours and assist cybersecurity experts in disrupting criminal business models more effectively. We propose several avenues for future experimental research to gain further insights into these illicit processes.
Prior research on network attacks is predominantly technical, yet little is known about behavioral patterns of attackers inside computer systems. This study adopts a criminological perspective to examine these patterns, with a particular focus on data thieves targeting organizational networks. By conducting interviews with cybersecurity experts and applying crime script analysis, we developed a comprehensive script that describes the typical progression of attackers through organizational systems and networks in order to eventually steal data. This script integrates phases identified in previous academic literature and expert-defined phases that resemble phases from industry threat models. However, in contrast to prior cybercrime scripts and industry threat models, we did not only identify sequential phases, but also illustrated the circular nature of network attacks. This finding challenges traditional perceptions of crime as a linear process. In addition, our findings underscore the importance of considering both successful and failed attacks in cybercrime research to develop more effective cybersecurity strategies.
Criminologists have frequently debated whether offenders are specialists, in that they consistently perform either one offense or similar offenses, or versatile by performing any crime based on opportunities and situational provocations. Such foundational research has yet to be developed regarding cybercrimes, or offenses enabled by computer technology and the Internet. This study addresses this issue using a sample of 37 offender networks. The results show variations in the offending behaviors of those involved in cybercrime. Almost half of the offender networks in this sample appeared to be cybercrime specialists, in that they only performed certain forms of cybercrime. The other half performed various types of crimes on and offline. The relative equity in specialization relative to versatility, particularly in both on and offline activities, suggests that there may be limited value in treating cybercriminals as a distinct offender group. Furthermore, this study calls into question what factors influence an offender's pathway into cybercrime, whether as a specialized or versatile offender. The actors involved in cybercrime networks, whether as specialists or generalists, were enmeshed into broader online offender networks who may have helped recognize and act on opportunities to engage in phishing, malware, and other economic offenses.
Previous quantitative studies applying Routine Activity Theory (RAT) to cybercrime victimization produced mixed results. Through semi-structured interviews with cybersecurity experts, the current study aims to qualitatively reevaluate the applicability of RAT to cyber-dependent crime, specifically data theft from organizations. An in-depth assessment of environmental factors appearing to affect data thieves’ actions resulted in concrete operationalizations of theoretical concepts. Importantly, we highlight the distinction between target selection and strategic choices made during the attack. Furthermore, RAT appeared to be as relevant, if not more, for explaining offender actions during an attack as for the initial convergence of offenders and digital targets.
In order to find out whether victims adequately recover from cybercrime incidents, it is important to gain insight into its effects and impact on users. However, as it stands now, there is not much literature on the impact of cybercrime. We address this gap by qualitatively examining the impact of two types of cybercrime, namely phishing and malware attacks targeting online banking customers. We used the coping approach as a framework to study how victims deal with the negative events they have experienced. In order to study the impact of cybercrime and how victims cope with it, 30 cybercrime victims were interviewed. We observed that, next to financial damage, victims described different forms of psychological and emotional effects. Victims also reported various kinds of secondary impacts, such as time loss and not being treated properly when handling the incident. In addition, the interview data provided insight into cognitive and behavioral change, which potentially offers opportunities for cybercrime prevention. Our study demonstrates that the level of impact varies among cybercrime victims, ranging from little or no impact to severe impact. In addition, while some victims were only affected for a few days, some were still feeling the effects. The effects and impact of these fraudulent schemes on victims should therefore not be underestimated. We conclude that the coping approach provides a useful framework to study the effects and impact of cybercrime victimization and how victims recover from it. The results of our study provide a steppingstone for future studies on this topic. https://www.linkedin.com/in/rutgerleukfeldt/
Crime script analysis as a methodology to analyse criminal processes is underdeveloped. This is apparent from the various approaches in which scholars apply crime scripting and present their cybercrime scripts. The plethora of scripting methods raises significant concerns about the reliability and validity of these scripting studies. In this methodological paper, we demonstrate how object-oriented modelling (OOM) could address some of the currently identified methodological issues, thereby refining crime script analysis. More specifically, we suggest visualising crime scripts using static and dynamic modelling with the Unified Modelling Language (UML) to harmonise cybercrime scripts without compromising their depth. Static models visualise objects in a system or process, their attributes and their relationships. Dynamic models visualise actions and interactions during a process. Creating these models in addition to the typical textual narrative could aid analysts to more systematically consider, organise and relate key aspects of crime scripts. In turn, this approach might, amongst others, facilitate alternative ways of identifying intervention measures, theorising about offender decision-making, and an improved shared understanding of the crime phenomenon analysed. We illustrate the application of these models with a phishing script.
Based on the results of two research projects from the Netherlands, this paper explores how street-oriented persons adapt and use digital technologies by focusing on the changing commission of instrumental, economically motivated, street crime. Our findings show how social media are used by street offenders to facilitate or improve parts of the crime script of already existing criminal activities but also how street offenders are engaging in criminal activities not typically associated with the street, like phishing and fraud. Taken together, this paper documents how technology has permeated street life and contributed to the ‘hybridization’ of street offending in the Netherlands—i.e. offending that takes place in person and online, often at the same time.
This article examines the network structure, criminal cooperation, and external interactions of cybercriminal networks. Its contribution is empirical and inductive. The core of this study involved carrying out 10 case analyses on closed cybercrime investigations – all with financial motivations on the part of the offenders – in the UK and beyond. Each analysis involved investigator interview and access to unpublished law enforcement files. The comparison of these cases resulted in a wide range of findings on these cybercriminal networks, including: a common division between the scam/attack components and the money components; the presence of offline/local elements; a broad, and sometimes blurred, spectrum of cybercriminal behaviour and organisation. An overarching theme across the cases that we observe is that cybercriminal business models are relatively stable.
While criminality is digitizing, a theory-based understanding of the impact of cybercrime on victims is lacking. Therefore, this study addresses the psychological and financial impact of cybercrime on victims, applying the shattered assumptions theory (SAT) to predict that impact. A secondary analysis was performed on a representative data set of Dutch citizens (N = 33,702), exploring the psychological and financial impact for different groups of cybercrime victims. The results showed a higher negative impact on emotional well-being for victims of person-centered cybercrime, victims for whom the offender was an acquaintance, and victims whose financial loss was not compensated, and a lower negative impact on emotional well-being for victims with a higher income. The study led to novel scientific insights and showed the applicability of the SAT for developing hypotheses about cybercrime victimization impact. In this study, most hypotheses had to be rejected, leading to the conclusion that more work has to be done to test the applicability of the SAT in the field of cybercrime. Furthermore, policy implications were identified considering the prioritization of and approach to specific cybercrimes, treatment of victims, and financial loss compensation.
The growing sophistication, frequency and severity of cyberattacks targeting all sectors highlight their inevitability and the impossibility of completely protecting the integrity of critical computer systems. In this context, cyber-resilience offers an attractive alternative to the existing cybersecurity paradigm. We define cyber-resilience as the capacity to withstand, recover from and adapt to the external shocks caused by cyber-risks. This article seeks to provide a broader organizational understanding of cyber-resilience and the tensions associated with its implementation. We apply Weick's (1995) sensemaking framework to examine four foundational tensions of cyber-resilience: a definitional tension, an environmental tension, an internal tension, and a regulatory tension. We then document how these tensions are embedded in cyber-resilience practices at the preparatory, response and adaptive stages. We rely on qualitative data from a sample of 58 cybersecurity professionals to uncover these tensions and how they reverberate across cyber-resilience practices.