As the COVID-19 pandemic pushes the above-ground economy to the brink of a major recession, the cybercrime economy appears to still be hard-charging ahead. And yet, the virus has rapidly reshaped the way business is being done on the dark web, as buyers and sellers jump on the opportunity to capitalize on global fears, as well as dramatic shifts in supply and demand.
In January, before the true scope of the COVID-19 pandemic was known, the World Economic Forum’s 2020 Global Risks Report warned that by 2021, cybercrime damages might reach U.S. $6 trillion, a sum that would equal the GDP of the world’s third largest economy. Whether the coronavirus will drive that figure up or down remains to be seen but things are changing in the dark web economy.
Even some dark web actors traditionally known for taking a steady approach have seemingly changed their behavior to seize this once-in-a-lifetime chance. With that in mind, SC Media spoke to several analysts and firms specializing in dark web reconnaissance and learned of five intriguing ways that COVID-19 is uprooting the cybercrime status quo.
Laying low a no-go, as merchants seek more exposure.
Some cybercriminal merchants are going all in, trying to reach as broad an audience as possible.
“We have seen actors selling to a larger addressable market by advertising their goods – fraud schemes, counterfeit treasury checks, phishing kits, etc. – on larger underground marketplaces. Typically, these actors are selling in more discrete and/or exclusive marketplaces,” says Kurtis Minder, CEO and co-founder of GroupSense. “Some actors are selling in multiple languages, typically English and Russian, trying to reach a larger audience.”
Steph Shample, vice president of intelligence at Terbium Labs, agrees, noting that actors typically relegated to one corner of the dark web are now popping up in multiple destinations.
“Previously, actors might have stayed and offered their services only on Raid or Exploit – some of the top-tier, lockdown forums where they have to earn trust and vie for credibility and peer ratings,” says Shample. “Now, they are cross-posting their offerings on many marketplaces, both closed and open.”
That can be risky, though, Shample says, “as the more places actors copy/paste, the more their audience could consider them a potential spammer, rate them poorly, and not trust the products they’re selling,” adding that “it seems actors are willing to take a reputational risk in order to reach a wider audience over multiple platforms.”
The English-language dark web internet forum Torum, with its large user base, has in particular become a popular hotspot for COVID-19 cybercriminal transactions, notes Minder. Meanwhile, Shample says actors are even looking at non-traditional mediums to sell their wares, offering up contact information on apps like Telegram and even leveraging gaming platforms like Steam and Discord.
Demand for ransomware is up, but can victims even pay?
Researchers at Sixgill have noted that the number of dark web forum/marketplace references to ransomware in March – the month COVID-19 forced massive lockdowns across the U.S. – increased 50 percent compared to the average number of ransomware mentions compiled over the previous three months.
Charity Wright, cyber threat intelligence analyst at IntSights, confirms that “RaaS has been in high demand” while Minder notes an “increase in ransomware leveraging false COVID-19 sites – infecting devices, both mobile and desktop.”
Where there seems to be less agreement is whether the strategy is paying off.
Emsisoft reported this month that a total of 89 U.S.-based organizations were known to be impacted by ransomware in Q1 of 2020. But “as the COVID-19 crisis worsened, the number of successful attacks reduced considerably and is now at a level not seen in several years,” the company said in a blog post.
Emsisoft threat analyst Brett Callow tells SC Media this downtrend could be attributed to a reduction of potential targets’ attack surfaces once their non-essential services were scaled back. Companies’ work-from-home conditions, despite introducing new vulnerabilities, may have also posed unforeseen challenges to adversaries, Callow reports.
Even successful ransomware infections during this time may not be worth it, because the victims cannot pay. “In a recent note posted to its website, the Maze group stated, ‘We are living in the same economic reality as you are. That’s why we prefer to work under the arrangements and we are ready for compromise,’ Emsisoft has reported. “That economic reality is likely that companies are now less able to pay than they were prior to the COVID-19 outbreak.”
For that reason, must ransomware attackers set lower expectations? Minder says ransomware recent payment demands “appear to be on the low side, usually indicating a volume-based strategy by the threat actors.”
In rare cases, perhaps cybercriminals have grown a conscience. Earlier this year, the operators behind the Maze and DoppelPaymer ransomware programs said they would not attack health care organizations during the pandemic, although experts have cast doubt their sincerity.
And Digital Shadows recently reported that a commenter on Torum received negative responses from his or her fellow community members after inquiring how to best to exploit COVID-19. “ The gravity of the “pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation,” wrote Alex Guirakhoo, Digital Shadows strategy and research analyst, in a company blog post.
On the other hand, Shample believes health care absolutely remains a prime target. “Criminals are noting which industries don’t have appropriate protections and infrastructure for protection,” she says. “These are discussed in the underground mainly as healthcare and academia, which top the list of targets for ransomware. Considering the chaos the healthcare industry is currently facing, actors are putting extra effort into attacking this sector.”
Just today, Microsoft reported in a blog post that ransomware delivering a “motley crew” of payloads is straining security operations amid the pandemic, especially in the health care sector.
Credentials market makes room for Zoom… and more.
Stolen usernames and passwords have long been a popular commodity sold on the dark web. But with large swaths of the population stuck inside their homes, maintaining social distance, experts say interest has grown for credentials for video conferencing apps, media streaming services and virtual private networks.
According to data from Sixgill, references to video conferencing applications like Zoom on the online black market held steady from December 2019 through February 2020. But from February to March, references to such apps jumped by 63 percent.
Why? “The massive rise in popularity of video-conferencing apps, which include users not as familiar with the nuances of the technology, has created an opening for hackers and internet trolls alike. Simply put, cyber criminals know there is a wider target audience to attack,” Sixgill tells SC Media. “In general, employees not used to working from home acclimate to their new settings, operational security at home is not as scrutinized as it is in the business or office setting; many personal computers have not been set up with the same levels of security, and there are more endpoints attempting to reach company networks. Hackers know and recognize the opportunity.
Meanwhile, Cyble reported in April that it was able to purchase roughly 530,000 Zoom accounts off the dark web – each one costing a miniscule $0.0020. On the other side of the pricing scale, software vulnerability brokers recently offered to sell clients a Windows-based Zoom remote code execution bug exploit for $500,000, it was reported earlier this month.
Credentials for streaming services are a staple of hacking forums, but with services like Netflix and Disney+ doubling their subscriber bases amid the COVID-19 crisis, there are all the more accounts out there available to compromise.
“Attackers have recognized that there’s a huge demand for access to streaming content without having to pay full price. At this point there is a very mature, operationalized market for stolen streaming credentials,” reported the Proofpoint Threat Research Team in a blog post published during the outbreak. “When attackers get your streaming credentials, they sell them to others who will use them to log on and piggyback off of your streaming services, likely without you even knowing it.”
Shample says she’s seeing VPN technologies targeted as well. “I am seeing offers for user accounts that have been compromised, as well as ‘How-To’s’ for infiltrating or penetrating a VPN provider,” she explains. “The ‘why’ is that malicious cyber actors know that with increased work-from-home (WFH) practices during COVID-19, most companies and corporations use VPN technology as an extra step of protection before their internal networks can be accessed, and that VPNs are literally the gateway to important, sensitive information. Defeating the VPN also allows for RDP activity, which is a very easy way to laterally comb a network. Offers for NordVPN, VyprVPN, and others are on the rise.”
Feeding frenzy for phish & fraud kits.
Capitalizing on health and economic fears surrounding the epidemic, cybercriminals have been suckering victims with false promises of cures, up-to-date infection statistics, stimulus checks and more. So it only makes sense that dark web sellers flood the marketplace with phish kits, fraud kits and malware delivery mechanisms that help scammers rack up their victim counts.
“We have seen an increase in fraud and phishing kits,” says Minder. “Threat actors compile and sell the necessary tools to carry out a fraud campaign related to COVID-19 or similar, likely taking advantage of the volume of loan applications related to the stimulus.”
“We are seeing more of these being sold and purchased on the more prominent dark net marketplaces,” Minder adds, noting that the price of fraud, phish kits and other largely commoditized items typically range from $3 to $25.
Indeed, Sixgill tells SC Media that dark net mentions of phishing kits, services, templates, tutorials and scam pages increased 45 percent from December to January, 75 percent from January to February, and 20 percent from February to March. “Right now, cybercriminals appear to be trying to get money and sensitive data. Based on forum and market chatter, these are the goals,” says Shample.
“Also in greater demand are methods to embed malware into any maps, trackers or applications that provide information related to the spread of the virus,” Shample continues. “Kits that enable a quick build for these range from the low hundreds of U.S. dollars to thousands. The kits offer a build-on to extant maps, like the WHO or Johns Hopkins ones, or the ability to create a completely new offering. Users entering zip codes, phone numbers, or any personal information to assess the number of covid-19 cases in their areas are subject to having their information stolen or malware installed on their device, even mobile devices. The offerings for these kits have exploded on the underground.”
Crypto gains credence as cash is trashed.
Cryptocurrency, often untraceable, has long been a popular method of conducting transactions on the dark web, but the spread of COVID-19 may have lent further credence to the concept of digital coins.
“Our team has seen an increase in cryptocurrency-related discussions and operations, as well as malware and scams related to crypto. A big ‘theory’ on the underground is that COVID-19 is going to be the death of cash, as cash could potentially spread the virus,” says Shample. “This kind of discussion also brings out the government conspiracy theorists.”
According to Shample, as this anti-cash sentiment spreads, malicious actors are expanding their offerings beyond ransomware and other malware programs to include various crypto tools and services. This includes training on crypto – “mixing and tumbling it to stay on anonymous, and for future use,” as well as cryptomining/cryptojacking malware that silently siphons away devices’ processing power for the purpose of stealing digital coin.