Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/1/2017
02:30 PM
Ian W. Gray
Ian W. Gray
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

The Interconnected Nature Of International Cybercrime

How burgeoning hackers are honing their craft across language barriers from top tier cybercriminal ecosystems and forums of the Deep and Dark Web.

Flashpoint analysts monitoring a top-tier Russian hacking forum recently observed an actor who goes by the pseudonym "flokibot," developing a Trojan known as "Floki Bot." While the malware uses source code from the ZeuS Trojan, the actor reinvented the initial dropper process injection to instead target point-of-sale (PoS) terminals. The Floki Bot Trojan is not only representative of the increasingly-collaborative nature of cybercrime, it also illustrates the growing presence of "connectors" within the Deep and Dark Web.

Flashpoint defines "connectors" as individuals who interact on Deep & Dark Web forums maintained outside of their country of residence. These individuals make efforts to communicate outside their native language in order to obtain and import knowledge and tools back to their native communities.

Flokibot is a prime example of a connector who brings capabilities from top-tier cybercriminal ecosystems to the burgeoning Brazilian underground. While flokibot is active on number of top-tier Russian-hacking and English-language forums, the actor appears to use translation tools and/or intermediaries to communicate, and is most likely not a native Russian- nor English-speaker. In fact, the actor’s use of Portuguese, IP address, user-agent, and compromised victims all indicate that flokibot may be Brazilian.

"Connectors:" A Rising Underground Trend
While flokibot is one notable example, Flashpoint considers the presence of connectors to be a rising trend within the cybercriminal underground. This assessment is based upon a heuristic analysis of actors across several seemingly-disparate Deep and Dark Web forums. The proliferation of open-source learning and translation tools has allowed burgeoning hackers and cybercriminals to communicate across language barriers into Deep and Dark Web forums from which more advanced malware development and tools have been known to emerge.

For those seeking to combat cybercrime, the rising prevalence of connectors is problematic in many ways. First, connectors appear to be contributing to an increase in the number of sophisticated malware samples surfacing from regions that have historically not been prone to cybercrime of this nature. In addition, connectors have also been known to perpetuate fraud schemes across international borders. Although these crimes may not necessarily require technical expertise, many do require physical or privileged access to the targeted institutions and can include insider threats, ATM skimmer installations, and bank drops.

Fraud has not only grown more common as a result, but the perceived profitability of certain fraud schemes continues to attract newer, less-experienced actors eager to capitalize on cybercrime and learn from others within Deep and Dark Web forums. While many would anticipate the profitability of these fraud schemes to consequently decrease, the collaboration of connectors is instead driving innovation. As flokibot has illustrated, cybercriminals are collaborating across regions, advancing their skills, and adapting new techniques to victimize and capitalize on larger populations.

The Growing Pool of Victims
While the expansion of Internet infrastructure in developing countries has indeed spawned connectors, it has also created a larger, more vulnerable population of potential victims that may be less aware of common fraud schemes. The growing amount of Internet-connected users relying upon the virtualization of commercial activities - such as banking and commerce - has rendered even more individuals susceptible to phishing and other cybercriminal schemes. Although many countries have begun enforcing strict legislation to combat cybercrime, many others - particularly developing countries - have yet to implement effective controls. However, as Internet users and government agencies become increasingly aware of common fraud tactics, connectors will likely look externally to develop new skills for launching different types of cybercriminal schemes.

Above all else, it’s crucial to recognize that the presence of "connectors" on the Deep and Dark Web is steadily growing larger and more influential. Cybercrime’s profitability will keep attracting new entrants into communities outside of their native language and nationality. Additionally, sophisticated actors will continue searching for partners to help them perpetrate increasingly advanced fraud schemes and penetrate new markets. In order to both deter and mitigate the risks associated with connectors and cybercrime, intelligence professionals, security teams, and law enforcement officials alike must be agile and proactive in monitoring the cybercriminal landscape. Otherwise, connectors will continue to evade detection, exert a substantial influence over the Deep and Dark Web ecosystem, and exacerbate the risks of future cybercrime. 

Related Content:

 

Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
VitaliK100
50%
50%
VitaliK100,
User Rank: Author
4/13/2017 | 4:45:10 PM
Re: Cybercrime not just cyber
Great article, Ian. This is especically relevant today given the recent capture of one of the most prolific spammers of all tiime under the alias "Severa," also known as a Russian national Pyotr Levashov. Mr. Levashov is known to have supported cybercriminals across the globe highlighting his reach outside of the typical Russian undergound ecosystem and reaching other cybercrime geographies & communities.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
2/2/2017 | 7:45:31 AM
Cybercrime not just cyber
Moreover (and I think this tidbit adds flavor to your point re: cybercrime tools being used to overcome language barriers and communicate more freely), as others have noted, the world of cybercrime isn't just about crime that is purely "cyber" -- e.g., spam and ransomware schemes.  Organized cybercrime, points out Brian Krebs in Spam Nation, is intrinsically connected to the illegal drug trade, counterfeiting, human trafficking, sex crimes, and other "IRL" criminal activity.
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3035
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
CVE-2021-3036
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
CVE-2021-3037
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
CVE-2021-3038
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
CVE-2021-3506
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...