Cloud
2/1/2017
02:30 PM
Ian W. Gray
Ian W. Gray
Commentary
50%
50%

The Interconnected Nature Of International Cybercrime

How burgeoning hackers are honing their craft across language barriers from top tier cybercriminal ecosystems and forums of the Deep and Dark Web.

Flashpoint analysts monitoring a top-tier Russian hacking forum recently observed an actor who goes by the pseudonym "flokibot," developing a Trojan known as "Floki Bot." While the malware uses source code from the ZeuS Trojan, the actor reinvented the initial dropper process injection to instead target point-of-sale (PoS) terminals. The Floki Bot Trojan is not only representative of the increasingly-collaborative nature of cybercrime, it also illustrates the growing presence of "connectors" within the Deep and Dark Web.

Flashpoint defines "connectors" as individuals who interact on Deep & Dark Web forums maintained outside of their country of residence. These individuals make efforts to communicate outside their native language in order to obtain and import knowledge and tools back to their native communities.

Flokibot is a prime example of a connector who brings capabilities from top-tier cybercriminal ecosystems to the burgeoning Brazilian underground. While flokibot is active on number of top-tier Russian-hacking and English-language forums, the actor appears to use translation tools and/or intermediaries to communicate, and is most likely not a native Russian- nor English-speaker. In fact, the actor’s use of Portuguese, IP address, user-agent, and compromised victims all indicate that flokibot may be Brazilian.

"Connectors:" A Rising Underground Trend
While flokibot is one notable example, Flashpoint considers the presence of connectors to be a rising trend within the cybercriminal underground. This assessment is based upon a heuristic analysis of actors across several seemingly-disparate Deep and Dark Web forums. The proliferation of open-source learning and translation tools has allowed burgeoning hackers and cybercriminals to communicate across language barriers into Deep and Dark Web forums from which more advanced malware development and tools have been known to emerge.

For those seeking to combat cybercrime, the rising prevalence of connectors is problematic in many ways. First, connectors appear to be contributing to an increase in the number of sophisticated malware samples surfacing from regions that have historically not been prone to cybercrime of this nature. In addition, connectors have also been known to perpetuate fraud schemes across international borders. Although these crimes may not necessarily require technical expertise, many do require physical or privileged access to the targeted institutions and can include insider threats, ATM skimmer installations, and bank drops.

Fraud has not only grown more common as a result, but the perceived profitability of certain fraud schemes continues to attract newer, less-experienced actors eager to capitalize on cybercrime and learn from others within Deep and Dark Web forums. While many would anticipate the profitability of these fraud schemes to consequently decrease, the collaboration of connectors is instead driving innovation. As flokibot has illustrated, cybercriminals are collaborating across regions, advancing their skills, and adapting new techniques to victimize and capitalize on larger populations.

The Growing Pool of Victims
While the expansion of Internet infrastructure in developing countries has indeed spawned connectors, it has also created a larger, more vulnerable population of potential victims that may be less aware of common fraud schemes. The growing amount of Internet-connected users relying upon the virtualization of commercial activities - such as banking and commerce - has rendered even more individuals susceptible to phishing and other cybercriminal schemes. Although many countries have begun enforcing strict legislation to combat cybercrime, many others - particularly developing countries - have yet to implement effective controls. However, as Internet users and government agencies become increasingly aware of common fraud tactics, connectors will likely look externally to develop new skills for launching different types of cybercriminal schemes.

Above all else, it’s crucial to recognize that the presence of "connectors" on the Deep and Dark Web is steadily growing larger and more influential. Cybercrime’s profitability will keep attracting new entrants into communities outside of their native language and nationality. Additionally, sophisticated actors will continue searching for partners to help them perpetrate increasingly advanced fraud schemes and penetrate new markets. In order to both deter and mitigate the risks associated with connectors and cybercrime, intelligence professionals, security teams, and law enforcement officials alike must be agile and proactive in monitoring the cybercriminal landscape. Otherwise, connectors will continue to evade detection, exert a substantial influence over the Deep and Dark Web ecosystem, and exacerbate the risks of future cybercrime. 

Related Content:

 

Ian W. Gray is a cyber intelligence analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime domain and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
VitaliK100
50%
50%
VitaliK100,
User Rank: Author
4/13/2017 | 4:45:10 PM
Re: Cybercrime not just cyber
Great article, Ian. This is especically relevant today given the recent capture of one of the most prolific spammers of all tiime under the alias "Severa," also known as a Russian national Pyotr Levashov. Mr. Levashov is known to have supported cybercriminals across the globe highlighting his reach outside of the typical Russian undergound ecosystem and reaching other cybercrime geographies & communities.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 7:45:31 AM
Cybercrime not just cyber
Moreover (and I think this tidbit adds flavor to your point re: cybercrime tools being used to overcome language barriers and communicate more freely), as others have noted, the world of cybercrime isn't just about crime that is purely "cyber" -- e.g., spam and ransomware schemes.  Organized cybercrime, points out Brian Krebs in Spam Nation, is intrinsically connected to the illegal drug trade, counterfeiting, human trafficking, sex crimes, and other "IRL" criminal activity.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.