The offer of Russian underground for phishing campaigns

By Pierluigi Paganini, Editor-in-Chief

Security experts consider the analysis and study of underground crucial to better understand the way cybercrime use to operate and which are the most prolific monetization processes.

The knowledge of underground black markets gives to security researchers precious information on the business model adopted by cyber criminals and on the evolution of principal cyber threats.

Russian underground is considered one of the most interesting and prolific black market, cyber criminals provide a wide range of illegal services to organize sophisticated scams and provide all necessary tools to arrange a cyber attack.

In the underground it is possible to acquire a malicious agent, rent hosting services to deploy compromised web site or to outsourcing a DDoS attack.

In the last months Trend Micro published an excellent study in Russian Black market demonstrating that it is possible to acquire every kind of tools and services to realize cyber-criminal activities and frauds.

The top 10 activities included software designing, spam and flooding services, hacking, server sales and hosting, denial-of-service attacks, pay-per-install services for downloads and traffic, file encryption, malware, and exploit writing.

1. Programming services and software sales
2. Hacking services
3. Dedicated server sales and bulletproof-hosting services
4. Spam and flooding services, including call and SMS flooding services
5. Download sales
6. DDoS services
7. Traffic sales
8. File encryption services
9. Trojan sales
10. Exploit writing services and sales

Recently I read many posts of famous security researcher Dancho Danchev, great experts of cybercrime that in various articles revealed the mechanism behind the process to arrange a spear phishing attack among Russian cybercrime.

Recently Danchev wrote on an underground market advertisement that offers access to data to sensibly increase click-through rate for a spear phishing campaign as illustrated in the following picture:

Very interesting is sales model implemented by cybercriminals and the way they composed the offer trying to respond to the “customer’s need”, the “spam leads” included in fact precious information such geographic data, market segment and company information, all the necessary to customize the attacks.

Security community is aware that crime is evaluating the possibility to provide data and tools to do illegal activities instead directly them, a change respect the past when cyber criminals directly used the information for personal instead to sell it.

Millions of harvested emails are offered for sale on the black market, what is concerning is that within the huge quantity of information it could be possible to find data related to government and intelligence agencies, military representatives an government contractors.

Professional hackers could benefit of the offer of entire database containing harvested/compromised data, the information are easily accessible and allow hackers to sensible reduce the phase of information gathering on the targets.

A dangerous phenomenon that is consolidating is the attitude to emerging DIY (do it yourself) trend within underground, novice cybercriminals try to make business with illegal activities outsourcing services (e.g. malware hosting) and acquiring tools and data. The number of this individuals is rapidly exploded and the motivation are various from cybercrime to hacktivism.

Cyber criminals have various options to collect data to resell later, let’s think to fraudulent offers that target receive to improve their visibility on line or within a specific business sector. Adopting these tactics criminals are able to build huge collection of data also indexable on various axis of analysis. Cyber criminals, but also state sponsored hackers, could targets specific sectors or individuals using this technique acquiring information to use for large-scale spear-phishing campaigns.

Of course cybercrime has a wide range of weapons in its arsenal to get the information for resale, among them the use of malware is certainly the most invasive and dangerous. It’s very easy to infect huge quantity of machines with malicious code able to steal any kind of information from victims. In the underground many serviced provide all necessary to spread malware to wide audience with very cheap costs.

Recently the activities of C2C (cybercrime to cybercrime)

Recent investigation demonstrated a mutual aid/commerce between groups of cyber criminals, in this way organized crime, but also novice ill-intentioned, could speed up the arrangement of illegal activities in which factor “time” is crucial. Thanks to C2C (cybercrime to cybercrime) services is very easy to rent a botnet or lease hosting services to spread malware.

Typically cyber criminals operate in the long term collecting huge quantity of data and addressing their research against specific sector of interests, most valuable information of course are related to Military and Government.

Cyber criminals Hacked databases – in terms of quality data nothing compares to the “value” of a hacked database. Users entrust sensitive and personal details to the service maintaining it, and it is therefore a gold mine for potential spear phishing campaigns if compromised.

Another method cited by Danchev is the “Harvest publicly obtainable data by outsourcing the CAPTCHA-solving process”, the expert already provided evidences that humans are recruited for solving security challenge-response test, an army of low-waged solvers  earning a mere $2 for solving a thousand CAPTCHA’s.

“Keeping this in mind, it shouldn’t be surprising that money mule recruiters actively harvest data from job/career web sites; and other cybercriminals are doing exactly the same while targeting legitimate Web properties that exclusively rely on CAPTCHA to prevent such types of automatic abuse.”

The cyber criminals as well as to sell the information obtained can use it to conduct further attacks and expand the collection of data to offer.

To avoid to be victims of phishing campaign be aware of risks related to trust emails from unknown recipients or emails that appear to have a legitimate origin but that offer you “something” not requested and demanding info on you.