Cloud
2/1/2017
02:30 PM
Ian W. Gray
Ian W. Gray
Commentary
50%
50%

The Interconnected Nature Of International Cybercrime

How burgeoning hackers are honing their craft across language barriers from top tier cybercriminal ecosystems and forums of the Deep and Dark Web.

Flashpoint analysts monitoring a top-tier Russian hacking forum recently observed an actor who goes by the pseudonym "flokibot," developing a Trojan known as "Floki Bot." While the malware uses source code from the ZeuS Trojan, the actor reinvented the initial dropper process injection to instead target point-of-sale (PoS) terminals. The Floki Bot Trojan is not only representative of the increasingly-collaborative nature of cybercrime, it also illustrates the growing presence of "connectors" within the Deep and Dark Web.

Flashpoint defines "connectors" as individuals who interact on Deep & Dark Web forums maintained outside of their country of residence. These individuals make efforts to communicate outside their native language in order to obtain and import knowledge and tools back to their native communities.

Flokibot is a prime example of a connector who brings capabilities from top-tier cybercriminal ecosystems to the burgeoning Brazilian underground. While flokibot is active on number of top-tier Russian-hacking and English-language forums, the actor appears to use translation tools and/or intermediaries to communicate, and is most likely not a native Russian- nor English-speaker. In fact, the actor’s use of Portuguese, IP address, user-agent, and compromised victims all indicate that flokibot may be Brazilian.

"Connectors:" A Rising Underground Trend
While flokibot is one notable example, Flashpoint considers the presence of connectors to be a rising trend within the cybercriminal underground. This assessment is based upon a heuristic analysis of actors across several seemingly-disparate Deep and Dark Web forums. The proliferation of open-source learning and translation tools has allowed burgeoning hackers and cybercriminals to communicate across language barriers into Deep and Dark Web forums from which more advanced malware development and tools have been known to emerge.

For those seeking to combat cybercrime, the rising prevalence of connectors is problematic in many ways. First, connectors appear to be contributing to an increase in the number of sophisticated malware samples surfacing from regions that have historically not been prone to cybercrime of this nature. In addition, connectors have also been known to perpetuate fraud schemes across international borders. Although these crimes may not necessarily require technical expertise, many do require physical or privileged access to the targeted institutions and can include insider threats, ATM skimmer installations, and bank drops.

Fraud has not only grown more common as a result, but the perceived profitability of certain fraud schemes continues to attract newer, less-experienced actors eager to capitalize on cybercrime and learn from others within Deep and Dark Web forums. While many would anticipate the profitability of these fraud schemes to consequently decrease, the collaboration of connectors is instead driving innovation. As flokibot has illustrated, cybercriminals are collaborating across regions, advancing their skills, and adapting new techniques to victimize and capitalize on larger populations.

The Growing Pool of Victims
While the expansion of Internet infrastructure in developing countries has indeed spawned connectors, it has also created a larger, more vulnerable population of potential victims that may be less aware of common fraud schemes. The growing amount of Internet-connected users relying upon the virtualization of commercial activities - such as banking and commerce - has rendered even more individuals susceptible to phishing and other cybercriminal schemes. Although many countries have begun enforcing strict legislation to combat cybercrime, many others - particularly developing countries - have yet to implement effective controls. However, as Internet users and government agencies become increasingly aware of common fraud tactics, connectors will likely look externally to develop new skills for launching different types of cybercriminal schemes.

Above all else, it’s crucial to recognize that the presence of "connectors" on the Deep and Dark Web is steadily growing larger and more influential. Cybercrime’s profitability will keep attracting new entrants into communities outside of their native language and nationality. Additionally, sophisticated actors will continue searching for partners to help them perpetrate increasingly advanced fraud schemes and penetrate new markets. In order to both deter and mitigate the risks associated with connectors and cybercrime, intelligence professionals, security teams, and law enforcement officials alike must be agile and proactive in monitoring the cybercriminal landscape. Otherwise, connectors will continue to evade detection, exert a substantial influence over the Deep and Dark Web ecosystem, and exacerbate the risks of future cybercrime. 

Related Content:

 

Ian W. Gray is a cyber intelligence analyst at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime domain and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
VitaliK100
50%
50%
VitaliK100,
User Rank: Author
4/13/2017 | 4:45:10 PM
Re: Cybercrime not just cyber
Great article, Ian. This is especically relevant today given the recent capture of one of the most prolific spammers of all tiime under the alias "Severa," also known as a Russian national Pyotr Levashov. Mr. Levashov is known to have supported cybercriminals across the globe highlighting his reach outside of the typical Russian undergound ecosystem and reaching other cybercrime geographies & communities.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 7:45:31 AM
Cybercrime not just cyber
Moreover (and I think this tidbit adds flavor to your point re: cybercrime tools being used to overcome language barriers and communicate more freely), as others have noted, the world of cybercrime isn't just about crime that is purely "cyber" -- e.g., spam and ransomware schemes.  Organized cybercrime, points out Brian Krebs in Spam Nation, is intrinsically connected to the illegal drug trade, counterfeiting, human trafficking, sex crimes, and other "IRL" criminal activity.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio