March 26, 2024
Have you ever wondered how cybercriminals explain their mysterious means of income to others? While not all threat actors’ illicit activity is so lucrative that they have to account for an eight-bedroom mansion in the hills and a Porsche collection, many cybercriminals’ friends and families may question their means of income if they have no apparent gainful employment. Following discussions on cybercriminal forums on the dark web, we dived into this topic.
An interesting thread on the high-profile Russian-language cybercriminal forum Exploit posed this very question, asking the site’s members, “what do you say when people ask you about your work?”
The thread starter mused: “A new acquaintance, [or] an old one whom you haven’t seen [for a while], asks ‘Vasya, how do you earn money?’” They added “Goodness knows why everyone wants to ask us that, but it’s a fact that they do.”
Many participants in the thread agreed that they are asked this sort of question all the time, although opinions were split on what the best response is. We explore some of their answers below.
Rather than providing a direct answer, some responders to the thread disputed whether you would be asked the question in the first place. One user claimed you’re only likely to get asked about your job if you “drive a lambo and have luxury real estate,” implying cybercriminals who do not engage in conspicuous displays of wealth can fly under the radar. This divide in cybercriminal personality and ethics was echoed in another forum member’s response, who proselytized: “It’s best not to show anyone your salary, live alone, and surround yourself with ordinary people.”
Another common response was “my finances don’t concern you,” although this suggestion was frequently shot down by users who said that this approach usually backfires, leading to more aggressive, curious questioning or dangerous assumptions. Another avoidance response was that cybercriminals should just smile and keep quiet, allowing the questioner to use their imagination to come up with their own answers. As one user commented: “Silence and a smile will always […] be cooler than any invention.”
At times, the thread debated the trustworthiness of forum members’ partners, with opinions split on whether cybercriminals come clean about their “job” to casual girlfriends, long-term partners, or even their wives.
The refrain of “the only woman you can trust is your mother” was frequently repeated, with many advising against revealing all to “your girl.” A more charitable interpretation of this suggestion is that keeping the truth from loved ones is, in essence, keeping them out of harm’s way by allowing them to plead ignorance.
Even more critical than having an explanation for a significant other is having an explanation for your significant other’s parents. Commenters lamented that even if you’re able to dodge most people’s questions, a new partner’s family is dead set on learning everything about whom their beloved daughter has started dating.
Finally, the need for a concrete explanation was emphasized by one forum user who highlighted that you must provide details about your income and employment status when dealing with some form of authority (e.g., realtors, landlords, tax authorities).
In the case of dealing with taxes, all sorts of convoluted methods for front companies and fictitious salaries were proposed to help keep up the pretense. Still others brought up interest from the police or security services, with one grimly remarking: “those who are especially interested and want to introduce themselves […] usually introduce themselves in three holding your armpits.”
Several forum members provided wickedly facetious answers to the thread starter’s question. Some more creative contributions included:
One user said that they always replied that they were unable to find any work after being released from prison, adding that this usually caused the topic to be dropped. Still others advocated replying that work is so tiring you can’t talk about it in your free time. In a novel approach to the dilemma, one member suggested point-blank telling the truth, because “no one will believe you.”
Lastly, another user suggested the “don’t worry” approach, saying that when talking to children or old people you can merely reply, “if I tell you, they’ll fire me.” Others disagreed, saying that you can’t joke with everyone and pointing out that even taxi drivers are prone to interrogating their passengers about what they do for a living, leading to an uncomfortable interview.
Most participants in the thread, however, took the issue seriously and engaged in earnest discussion about the pros and cons of various answers. By far the most common suggestion in response to “what do you do for a living?” was to reply with some form of IT-related employment (indeed, many cybercriminals began their careers with a natural curiosity in the technology sector). Ideas included search engine optimization, online advertising, information security, website design, software development, IT journalism, programming, or server administration.
There are downsides to this approach though: As the thread’s original author noted, “I used to answer that I’m a programmer, an IT specialist, but now every taxi driver out there is interested in what field of IT you’re in or what type of programmer you are.”
Others agreed, saying that many people out there fancy themselves an IT specialist, and that admitting you’re in the IT industry opens you up to lots of follow-up questions or, worse, requests to complete bespoke IT projects.
One frequently-suggested solution to ending further conversation quickly was to make your answer as obscure as possible. For instance, if you’re pretending to be a programmer, discussing Python scripts is a no-go, as everyone has dabbled in Python these days. Instead, discussing more unusual programming languages or systems apparently reduces the opportunity for follow-up questions. Summed up by one cybercriminal forum user: “the more succinctly you describe your field of activity, the less likely people are to ask questions.”
Another tactic was to say that you can’t answer detailed questions because you’re subject to a non-disclosure agreement (NDA) with your employer. The thread also said that if your interviewer wants to commission you to complete a type of project you are claiming to carry out on a daily basis (e.g. creating a website or installing software), you can merely shut down the proposal by inflating your hourly rate to an extortionate amount.
This sort of neighborly IT work is not always considered a bad thing however—as one forum user put it: “As long as I can fix my friends’ computers, everyone is happy!”
Other users suggested avoiding IT-related lines of questioning entirely. One user advised that “a ‘business analyst’ or ‘financial analyst’ works” because this explains the hours you spend in front of a computer. More significantly, with this answer, “You will not be digging deep, and no one will ask you to reinstall Windows.” Another cybercriminal forum user chimed in, “if they ask you for advice on where to invest, you can vaguely bring up different tools and throw in incomprehensible words until they lag behind…” Another user used the response, “I trade cryptocurrency,” commenting that when people ask what that is you can obscure your job’s function and “say a few abstruse words about blockchains and this is where the questions end.”
Lying and deception are integral parts of cybercriminals’ daily operations, yet threat actors still struggle with the decision of whether to lie or not to lie in response to questions about their employment status.
While this Russian-language thread was initiated on Exploit back in 2019, it’s still very popular and alive one year later, attracting new discussions and answers. This indicates the importance of this issue to threat actors and their interest in discovering how others go about addressing this dilemma.
While there was no one true best answer from all the suggestions, general rules of thumb to follow did emerge. As the world becomes more comfortable with technology and the IT sector, posing as an IT specialist may not cut the mustard with particularly inquisitive questioners, whether that’s a tech-savvy Uber driver or a well-read father-in-law.
Threat actors on Exploit and other cybercriminal forums will likely continue the conversation into 2021 as the cybercriminal community tries to adapt to the reality and aggressive authorities they are confronted with on a daily basis.