LAS VEGAS – Contrary to the pop-culture image of the hoodie-clad lone hacker with mad keyboard “skillz” siphoning off funds and making people’s lives miserable with a few lines of brilliant code, increasingly cybercrime “takes a village”. The true face of cybercrime today is a more democratic one.
Modern financial crime rings are made up of a wide range of people with complementary skill sets, from coders to willing corporate insiders who expect to be paid for installing malware on their employer's network.
According to Maya Horowitz, director of threat intelligence and research at Check Point Software, speaking to reporters at the CPX 360 event in Las Vegas, gone are the days when cybercrime activities were the sole domain of highly technical individuals.
“You have to understand that there are many different people involved in each attack – you have a technical person that writes the code, sure; but different people distribute the malware, especially with the spread of as-a-service offerings,” she explained. “Someone else is responsible for taking stolen money out of an account; and there’s a person that writes the infection vector; and someone who crafts phishing messages.”
Horowitz was commenting on the second part of Check Point's 2019 Under the Hood report, released Wednesday at the event, which lays out an underground ecosystem populated by a number of distinct job descriptions that mirror the legitimate business world in many ways.
For instance, the cybercrime collaborative environment includes programmers, who develop malware to extort or steal data from potential victims; merchants, who trade and sell the victims' stolen data; IT technicians, who build and maintain the IT infrastructure (servers, databases, etc.) for criminals; hackers, who search for and find vulnerabilities in systems, applications and networks; fraudsters, who create and carry out new ways to scam and manipulate potential victims; hosting providers, who host criminals' fraudulent content and sites; and management types, who recruit and form their cybercrime teams and manage the operation.
Horowitz added, “In all, you have five to seven people involved, minimum, in a campaign. And because there are more roles, and non-technical roles, it means there are more actors out there than ever before.”
There are even ads for jobs – a sort of Dark Web classifieds section.
“You will see ads for people to write malware or a phishing campaign, or someone who’s an insider in a bank who can install it,” Horowitz said. “There are ads looking for someone who can sell identities – passports and photos, you name it … all of these things are commonly offered or requested.”
As-a-Service Models: The New Normal
As a result of a confluence of these factors, there is now what Check Point calls a “continuous rise” of the underground malware-as-a-service industry.
The report, shared with Threatpost prior to publication, explained that this has completely changed the ecology of cybercrime: “In today’s cyber-underworld, anyone who is willing to pay can easily obtain the suitable tools and services needed to launch any kind of cyber-attack.”
“While this may not be a completely new phenomenon, over the past year we have witnessed a significant growth in attacks orchestrated with cyber weapons or products acquired via these underground services,” according to the report. “When cybercrime is democratized, the number of cyberattacks increases … never does a day go by when organizations are not under constant attack from the ever-growing number of malware, infiltrating IT networks from an increasing number of entry points.”
The services offered online include malware kits, stolen data, and turn-key packages that contain malware ready for distribution along with a comprehensive management panel which allows unskilled hackers to easily track and control their infection rates and revenues. Check Point analysis shows that malware-as-a-service options available run the gamut, with infamous names like AZORult, File-Locker and Kraken all on offer.
“The authors of GandCrab ransomware even offer technical support and tutorial videos for their product,” according to the report.
Moving to New Channels
Unsurprisingly, in an effort to curb the cybercrime scourge, authorities have made concerted efforts to take down Dark Web marketplaces, including the Hansa Market and Alpha Bay shutdowns in 2017 and, more recently, the credentials market taken out by the Feds.
And that, in turn, has pushed the bad guys to get creative and shift to new channels to evade authorities.
One notable trend is a transition to the increasingly popular mobile messaging app Telegram, where criminals can pursue their trade in chat groups and channels rather than on a seizable marketplace site.
“There are dozens of Telegram groups that communicate and share tools with each other,” Horowitz explained. “We’re aware of one group that’s likely Iranian, speaking Persian – there are 100,000 participants in this group, called ‘AmirHack.'”