This article originally appeared on Forbes via O’Reilly Radar
From Crowdsourcing to Crime-sourcing: The Rise of Distributed Criminality
Crowdsourcing began as a legitimate tool to leverage the wisdom of the crowds to solve complex business and scientific challenges. Unfortunately, these very same techniques are increasingly being adopted by the criminal underground for nefarious purposes.
The concept of crowdsourcing first gained widespread attention in an article written in 2006 by Jeff Howe for Wired Magazine. Howe defined crowdsourcing as the act of outsourcing a task to a large, undefined group of people through an open call.
The increasing application of crowdsourcing is changing “business as usual” in a wide variety of industries. In a noted example, Don Tapscott, in his book Wikinomics, described how one Canadian gold mining company facing a looming shutdown desperately turned to the general public to help solve a critical business problem. The company, Goldcorp, was so frustrated with the inability of its own geologists to locate any gold that it did something unheard of at the time: it offered $500,000 to anyone who could find and map the location of the company’s own gold in its own mines. To facilitate the effort, Goldcorp posted their full datasets online. After receiving submissions from more than a thousand people in 50 different countries, Goldcorp achieved the success that had so eluded the firm previously. A member of the public used Goldcorp’s data to make an incredible discovery and to locate more than $3 billion worth of gold using techniques never previously employed in the mining industry.
While numerous productive examples of crowdsourcing such as the Goldcorp case have been documented over time, these very same techniques increasingly are being exploited for criminal purposes as well.
Crime and the crowd
The growing popularity of crowdsourcing has not gone unnoticed, either, by international organized crime groups and local neighborhood thugs, each of which is quickly updating its tactics to drive operational efficiencies. Welcome to the world of “crime-sourcing.” Borrowing from Howe’s concept, crime-sourcing can be defined as the act of taking the whole or part of a criminal act and outsourcing it to a crowd of either witting or unwitting individuals.
The growth in crime-sourcing is shaking up long-standing business models and traditions within the criminal underground and is leading to innovations in crime. For example, all organized crime groups have historically looked upon outsiders with great suspicion: don’t trust somebody you don’t know and who has not been vetted. Elaborate processes were established, such as the Mafia’s Omertà, to ensure newcomers to the criminal enterprise were neither rats nor cops. It would often take years of robberies, loan sharking and murder to gain the trust and confidence of the “boss.”
The distributed crime network
As the world turned to globalization, so too did organized crime. Their initial attempts were limited, but generally effective. Drug cartels in Latin American began to work with organized crime groups in Eastern Europe. TheJapanese Yakuza and Chinese Triads developed ties and turned to one another for very specific tasks, such as carrying out a particular “hit” or laundering a large sum of money in a different jurisdiction. Though these disparate crime groups were located in different parts of the world, they found ways to build trust and work together in their joint illicit pursuits.
Eventually, specialties emerged and criminal enterprises learned to outsource all tasks not within their specific areas of expertise. For example, in a standard phishing operation, an organized crime group might commission the creation of a scam web page and contact a secondary broker to get a list of thousands of email addresses. Using another intermediary, the crime group would get access to a compromised computer and rent a botnet to distribute the spam emails for a period of agreed upon time, such as 12 or 24 hours.
As hapless victims readily provided their banking and credit card information, the data would be culled and forwarded to the contracting criminals. The crime group would likely rent a distributed proxy network to obfuscate their true locations and to run transactions against the compromised accounts.
Of course, all this money needs to be received, processed and laundered in a way that protects the criminal enterprise, and there are numerous illicit techniques for hiring unsuspecting participants to take on the task. The most common is to place an ad in a print newspaper or an online publication offering opportunities to “work from home” and make “quick money” as an “importer/exporter.”
Using this ruse, organized crime groups have duped thousands into receiving stolen property at their homes and opening shell bank accounts in their own names. After the funds are received in the account of the unwary pawn, he is instructed to immediately send them overseas via Western Union exchange for a small fee or commission. In doing so, the crime groups have crowdsourced the most dangerous part of their business, leaving behind a trail of false leads for law enforcement to find.
One of the more interesting developments in crowdsourced offenses has been the birth of the crime “flash mob.” The practice of crime flash mobs has become so common that the media have now coined a term “flash robs” to describe the ensuing theft and violence. In these cases groups of individual criminals, who may or may not even know each other, are organizing themselves online and suddenly descending into unsuspecting stores to steal all that they can in a flash. The unsuspecting merchant has little he can do when 40 unruly strangers suddenly run into his shop and run off with all his merchandise. Dozens of these cases have occurred, including one in which co-conspirators planned an attack via Facebook and Twitter that lead to the pillaging of a Victoria’s Secret store in London.
Sadly, flash mobs are increasingly turning violent as innocent bystanders are being attacked and assaulted in broad daylight. In Chicago in June 2011, dozens descended on a neighborhood street and began assaulting and robbing law-abiding citizens. In the Chicago incident, 15-20 youths dragged a man off his motor scooter and severely beat him. A mere two months later in Philadelphia, a similar incident occurred.
Flash mobs are an advantageous way of crowdsourcing a robbery for the criminals involved. Using the power of the Internet, they are able to assemble an overwhelming force of unrelated strangers. Thus, if any of the participants involved are arrested, they are unlikely to be able to “rat” on their co-conspirators, whom they met for the first time at the scene of the crime.
The crime request hotline
Crime-sourcing reached new heights earlier this year when noted hacking group LulzSec opened up a hacking request hotline for the general public. The group advertised the 614 area code phone number on its Twitter feed and allowed the crowd to select LulzSec’s next hacking victim. This new modus operandi in crime-sourcing allows the public to vote, “American Idol”-style, on who shall be the next victim of a crime. The group later released a statement noting that it had successfully launched distributed denial of service attacks (DDoS) against eight sites suggested by callers.
Crime-sourcing’s unwitting accomplices
Not all of those who participate in a crowdsourced crime do so knowingly. In fact, employing crowdsourcing techniques, it is increasingly possible for organized crime groups to get hapless innocents to carry out key elements of a crime on their behalf. In one example, the unsuspecting (and the lustful) were enticed to solve a CAPTCHA word puzzle in order to get access to free online pornography.
It seemed like a good deal for the end-user: for each CAPTCHA they solved, a person using the name Melissawould provide access to more and more pornographic images. What the end-user did not know is that, in fact, the CAPTCHAs being solved were being used to break into Yahoo email accounts and steal information. By tapping the public appetite for pornography, organized crime groups were able to create a useful crowdsourced method of automating CAPTCHA solving in order to give them unauthorized access to email accounts.
Crowdsourcing a criminal casting call
In perhaps one of the most ingenious uses of crime-sourcing seen to date, a bank robber in Seattle utilized Craigslist to recruit a crowd of unwitting participants to facilitate his escape. In the days leading up to the robbery, the perpetrator placed an ad on Craigslist seeking workers for a purported road-maintenance project paying $28.50 an hour. He instructed his “contractors” to show up at a street location at the exact place and time an armored car was to be delivering cash to a local Bank of America.
The robber instructed all those showing up for the promise of work to wear their own yellow vest, safety goggles, respirator mask and blue shirt — the criminal’s exact outfit the day of the robbery. After overpowering the armored car driver with pepper spray, the suspect grabbed a duffel bag filled with cash, ran past a dozen or so similarly dressed innocents and made his escape 100 yards away to a local creek where he floated away in a pre-positioned inner tube. 911 calls reporting the robbery described the suspect as being a construction worker in a yellow vest. When police arrived on seen, they had numerous robbery suspects from which to choose.
Crime-sourcing meets “investigation-sourcing”
While crime-sourcing has allowed organized crime groups to commit more crimes with less risk, law enforcement officials are now leveraging the power of crowdsourcing to fight crime as well.
The NYPD has already launched a social media unit to track criminals on Facebook and Twitter. More recently, as the streets of the UK burned in the aftermath of violent protests, citizens of London banded together online to identify looters.
In one of the most impressive uses of “investigation-sourcing” to date, the Canadian public came together to identify the thousands of protesters who caused millions of dollars of damage as a result of the Vancouver Canucks losing the NHL championship in June 2011. Using a variety of image processing techniques, the firm Gigapixel was able to assemble 216 publicly submitted photographs and assemble them into one seamless high-resolution image. The phenomenal resolution of the resultant picture allowed the faces of tens of thousands of riot participants to be viewed in high resolution. The identification of more than 10,000 participants by name was completed by tagging individuals in Facebook, breaking a record for the number of tags in a given image to date. Many of those identified in the photos have now been successfully arrested and prosecuted by Canadian authorities.
The future of crime-sourcing
The technology involved in various crowdsourcing techniques is, of course, neither good nor bad. What started as a legitimate methodology to tap the wisdom of crowds for the betterment of business and science has unfortunately been adopted by the criminal underground. As demonstrated in the numerous examples listed above, organized crime groups clearly understand how to employ these techniques to commit more crime with less risk.
Undoubtedly, criminals will continue to innovate and develop new tactics to grow their profits from crime-sourcing. Whether this crime trend continues unabated depends on the ability of the police and the law-abiding members of our society to organize themselves as an effective countermeasure. In the looming clash between cops and robbers to crowdsource good versus evil, victory will belong to whichever group proves itself capable of mobilizing the larger crowd.