Bullish On Cybercrime

As the U.S. economy takes investors on a wild ride, turning all the usual indicators topsy-turvy and sparking concern that the bear will usurp the bull, one market seems to be on a perpetual upswing — cybercrime. Threat intelligence researchers agree that adversaries are well connected in the sophisticated virtual labyrinths of the dark web, providing a supportive yet disparate ecosystem cloaked in anonymity.

Despite law enforcement shutdowns of the popular illicit marketplaces AlphaBay and Hansa 18 months ago, new underground storefronts continue to spring up to help facilitate the sale of stolen PII that’s increasingly robust, even including voter records.

“The [hacker] ecosystem is alive and responds to setbacks,” says McAfee Chief Scientist Raj Samani, noting the emergence of Tor shops and Telegram groups after the AlphaBay and Hansa takedowns.

Hidden wiki and deepdotweb sites provide insight into the emergence and types of marketplaces, platforms and discussion forums available for dark web-related content, Samani added.

“Not only will you find people selling and buying stolen data, but also threat actors advertising their services and looking for business partners,” promises David Shear, senior analyst for Flashpoint. “The problem for most threat actors is not finding a community, it is deciding which one they want to be part of.”

Flashpoint closely followed the July 2017 shuttering of AlphaBay and how its successor, Empire Market, copied its website design and user experience. Empire Market doubled its user base from approximately 3,000 listings in April 2018 to more than 6,000 listings in July 2018.

Tor indexing services feed search engines used to find what cybercriminals seek. Milligan notes he’s found a particular website to promote cybercriminals’ virtual storefronts. “This [hackers’] news website is accessible from Tor and the surface web, acting as somewhat of a dark web archive with lists of markets and forums with descriptions, ratings, and links.”

Much like archive.org’s “Wayback Machine,” the site keeps track of markets and forums that existed at one time, creating a kind of timeline or history of the dark web. In addition, the site features articles and other content on the home page that gives an indication of the topics dark-web denizens are interested in.

Before the successful takedowns of large marketplaces, such hotbeds weren’t as complicated to track, points out Ross Rustici, Cybereason’s senior director.

“Whereas before you had a few large pools of nefarious activity, currently we are seeing an increased splintering of the community into smaller, more protected communication modes,” Rustici says.

It’s also a marketplace that’s not hurting financially. Armor recently found that the going prices of stolen credit cards, bank accounts and personal identities globally jumped between 10 percent and 83 percent in the past three years. For example, stolen U.S. Visa credit card credentials increased in value from $4.88 in 2015 to $9 in 2018, but when coupled with the CVV code and PII, a card fetches $65 on the dark market for Visa, MasterCard and Amex in the U.S. (and $75 in the U.K.). The latest findings build on the March 2018 report by Armor’s Threat Resistance Unit (TRU) team analyzing the underground cybercriminal markets in the fourth quarter of 2017.

“More unique, larger datasets, which have already been vetted for legitimacy, will be more expensive than smaller or partial datasets, like unvetted credit card numbers,” comments Dan Byrnes, Recorded Future’s threat intelligence researcher.

These complete datasets, called “Fullz” (full identity data), can encompass: first and last name; current/previous home and billing address, city, state, zip code; mobile and/or home phone number; SSN or national identity number; date of birth; mother’s maiden name; credit card number; bank name and location; date account was opened; average monthly balance; checking account and routing number; driver’s license; and even voting records, all of which is typically priced collectively or available a la carte.

Armor threat researcher Corey Milligan is impressed by the dark web’s level of organization and maturity.

“The dark websites that facilitate these markets are professionally built and hosted in the cloud using the latest technology,” Milligan notes. “They understand the products they are selling and the customers they are selling to.”

Not unlike the Amazon seller/product rating and review system, these 21st Century bazaars “provide ratings to help customers choose sellers they can trust and easy-to-navigate interfaces that give the vendors ample space to advertise and the customers the ability to sort through offerings to find precisely what they are looking for.”

The administrators of the markets are very connected, pointed out Milligan. “In many cases they not only run a market, they run a parallel dark web forum,” he says, adding that such forums allow them to get feedback on their market, as well as invaluable insight into topics being discussed between vendors, customers, and people that just need a place to discuss activities under the cloak of anonymity.

Armor found that the vendors, based on how they advertise themselves, are often also the threat actor that harvested whatever illicit digital product they are selling.

“These threat actors are connected in a way that is very similar to how the security community is connected,” Milligan says, adding they participate in forums and discuss everything from the reputation of others in the forum to the new vulnerabilities, exploits, and techniques they are trying to perfect for their next attack.

The vendors also use side channels, such as encrypted chat services, to have detailed discussions about their operations, meaning their communications and connectedness extend beyond the dark web.

It’s a unique subculture and ecosystem with different tiers of participants connected mostly by motivation. “Language is still somewhat of a barrier that separates people into groups, but it’s not hard to overcome for those that want to move between groups,” Milligan says.

In keeping with the adage that it takes money to make money, the underground ecosystem borrows Wall Street’s speculative nature: a credit-card thief can simply go online, use a Tor service to hide his IP address, then purchase high-end items worth thousands of dollars using the stolen card data. “The criminal can then turn around and sell those items, making an outstanding profit from their nominal investment of $9 to $75 [for the card data],” Armor’s report explains. Other schemes involve utilizing the services of a well-established money mule with a solid reputation and multiple accounts at various top financial institutions; the mule gets 10 percent of the take.

Essentially, the increasingly sophisticated criminals replicate the legitimate list marketing industry, only the latter’s data presumably wasn’t procured through a hack, notwithstanding privacy policy transgressions (e.g., Cambridge Analytica).

Most stolen data prices follow the principles of supply and demand.

“The rise and commoditization of underground marketplaces for selling and buying access to compromised corporate machines introduces a new reality for security professionals,” explains Cybereason CISO Israel Barak, “one in which corporate machines infected with malware can very quickly, sometimes within hours from the initial infection, become launch pads into the organizational network for targeted APT actors that acquire access to those compromised machines via black market trading.”

For example, xDedic, one of the largest black markets, sells access via a gated, invite-only forum to compromised machines in online gambling, online dating, ecommerce and instant messaging services. “Traditionally, most of the machines offered on those marketplaces were internet-facing servers, compromised by hackers that took advantage of poor server security hardening, exploits or just password guessing, and subsequently offered them for sale,” Barak explains.

Platforms like Tor and Telegram help cybercriminals remain anonymous, and their transactions are often paid with hard-to-trace cryptocurrencies.

“Ransomware existed long before the likes of Bitcoin or Monero,” notes Peter Mackenzie, global malware escalations manager at SophosLabs, which this year studied the SamSam ransomware attacks; by examining Bitcoin addresses supplied in ransom notes and sample files, it found that $6 million had been paid by 240 victims since late 2015.

Photo: Peter Mackenzie, global malware escalations manager at SophosLabs.

Some SamSam attacks originated from the aforementioned xDedic marketplace, where criminals advertise stolen credentials and access to networks via hacked RDP (remote desktop protocol) accounts.

Such assaults are getting less successful. SamSam had been taking in an average of $300,000 each month in 2018, but in September only three victims paid ransoms, reports Mackenzie, resulting in the total that month being roughly $115,000, the attackers’ lowest for a long time.

Similarly, some ransom seekers are less talented than others: Sophos detected many “amateur mistakes,” ranging from simple typos to coding errors, that prevented attacks from working correctly.

“It paints a picture of people who were new to the world of ransomware when they started,” Mackenzie says.

In an effort to better understand these adversaries, Cybereason recently set up a honeypot that was quickly purchased on a dark web forum.

“The most surprising thing was the speed and specificity with which our asset was sold,” pointed out Rustici. “The actor who compromised the network originally flipped [the honeypot] in a very short amount of time and the buyers were specifically looking for a network they could ransom,” he adds.

Most likely the honeypot’s purchaser surmised it was being set up and decided to scrap its nefarious plot.

While law enforcement may have caught the “bad guys” with their pants down this time, it will be that much harder to do in the future, points out Milligan.

“From the cybercriminals’ perspective, it was two steps back and one step forward, meaning they had gotten complacent thinking law enforcement wasn’t smart enough to catch them and there would never be enough international cooperation to bring them to justice,” he said, summing up cybersecurity’s whack-a-mole nature in the wake of recent takedowns.

“[The opposition] took a significant hit, but now their eyes are open, and they are adjusting. They might have gotten exposed a bit, but they are now back on the alert and being extra careful, discussing the juiciest details of their activities in private, encrypted chat sessions and perhaps other mechanisms we haven’t even discovered yet.”