Something occurred to me after stumbling across a satisfying takedown of a hacker operation by a YouTube scam investigator. Now, while these kinds of vigilante scambusters are popular on the vid sharing platform, what stood out about this particular operation was the fact that the scammers are working out of an office in Johannesburg, South Africa. In a well-heeled area, and a flash office suite.
Why’s that shocking?
Well, for starters, it’s no secret that there are a ton of South Africans here in New Zealand – go ahead and make your own jokes about Yarpies and braais, we’re on board with it! (As most of you know, I hail from Joburg.) Then, of course, there’s the fact that several local businesses including telecoms operator 2degrees use contact centre services out of South Africa.
We know the accent, even if not all of us love it.
Add to that, we often tend to think of hackers as basing themselves in an obscure East European country, perhaps out of Russia, maybe China, Indonesia, or India. The general tendency, fuelled by those endless ‘The Matrix’ styled visuals of hooded hackers accompanying almost every ‘beware the scammers’ story on news websites, is to assume that scammers aren’t like us. They’re mysterious and threatening.
They are distant and anonymous, veiled by the internet, carrying out attacks separated by the distance of oceans, using the refuge of foreign jurisdictions, and having little in common with us beyond an interest in our money.
Watching Agent G9 go about hacking into the scammers’ CCTV and phone systems and exposing the miscreants for who they really are – including accessing their webcams, so one can literally see who they are – brought home the fact that scammers can be and probably are operating right next door. They are people, just like us. They go to the office, sign in and sign on, and work their way through a list of leads looking to hit gold.
Now, yes, I am well aware of the distance between New Zealand and South Africa at around 12,000 kilometres, but there is something jarring about the comforting familiarity of the accent, the sheer normalcy of what looks like an entirely legitimate business, and even operating out of an office park I happen to have visited in the past. Not quite a neighbour physically, by any stretch of the imagination, but culturally? Round the corner.
This confirms a lot of what’s been said in the past about hacking operations looking like any other business. There are cubicles, workers, systems, management even.
Agent G9 even got into the office Teams chats, recorded how the ‘consultants’ are incentivised and rewarded, and – sickeningly, really – how they celebrate when they get a victim on the hook. In this case, made even more sickening because the scammers get to their victims by offering scam resolution services, effectively revictimising victims. Nasty stuff.
What’s also been said is that hackers will tend to operate out of jurisdictions where law enforcement is lax, corrupt, or incompetent. Understanding why isn’t hard; it reduces the possibility of interruption, arrest or prosecution. But they still need a local connection.
Which brings us to the fact that it isn’t just dodgy Safas getting up to no good on the internet. Whether directly or indirectly, yes, they are operating right here, potentially in the office park across the way.
So far as I’m aware, there’s only been evidence of indirect operations to date. Scammers must establish some sort of mechanism for conveying their ill-gotten gains from their victims and into their pockets. With the ‘term deposit’ and other investment scams going around at present – including one this week invoking the Prime Minister’s name – the hackers need bank accounts, payment mechanisms, and people on their side.
And so they do. A recent NZ Police press release confirms the presence of these people who help with money laundering.
There’s emerging evidence for direct operations, too, as demonstrated in a recent (paywalled) story in the Sydney Morning Herald, where an Australian was arrested internationally for involvement in a scam separating tens of millions of dollars from victims.
Bear in mind, too, that while the idea of hackers being far away and impersonal has been perhaps somewhat disarming, miscreants sometimes have a far better chance of taking advantage when they are nearby. Physical hacking using card access systems, and social engineering tactics for gaining passwords in person, for example, rely on proximity.
Now, this doesn’t mean there are hackers under every bed, or thieves lurking next door. What it does imply is that the principles of zero trust should perhaps extend into the physical world. Never trust, always verify.
Because the hackers may very well be right next door.