Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/10/2017
08:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cybercrime Meets Culture In Middle East, North African Underground

Spirit of sharing and free malware a characteristic of crimeware markets in this region, Trend Micro says.

Cybercriminals shopping for malware tools and services can find plenty of wares available for free or next to nothing in emerging Middle East and North African cybercrime underground marketplaces.

Shopping these markets can be tricky for outsiders and often involves a vetting process, a joining fee, and more than just a passing knowledge of Arabic. But those that do manage to become members often can get a range of malware tools including SQL injection tools, keyloggers, crypters and instruction manuals for free, a study by Trend Micro has revealed.

"The most interesting driver here is the deep permeation of religious influence – from what is sold to how users and sellers interact," says Ed Cabrera, chief cybersecurity officer for Trend Micro.

The trend is significant. The Middle East and North Africa is a young but emerging cybercrime region. It is increasingly thriving as a place where threat actors can coordinate and launch attacks against targets around the world. As underground markets and threat actors in the region develop and diversify, expect to see cyberattacks that go well beyond the usual Web defacements and denial of service attacks, Trend Micro said.

Expect also to see continued and closer coordination with the Russian underground, which has shown a tendency to hire malware coders from the Middle East and North Africa, the report says. Already, one of the underground sites that Trend Micro studied had advertisements promoting Russian and China-based underground forums.

Trend Micro studied Middle East and North Africa’s online underworld between July 2016 and December 2016. During that time the security vendor examined things like the kind of merchandise available for sale in these markets, average prices for malware tools, and the interactions between buyers and sellers.

What Trend Micro discovered was a marketplace that was both similar to and very different from other underground markets elsewhere around the world.

Many of the malware products and services available in Middle East and North African markets were the same as that available elsewhere. Products included credit card and credential dumps, malware tools, and stolen identity information including passport scans and driver's license data.  Several markets that Trend Micro studied also supplied do-it-yourself kits for launching malware schemes.

The general offerings between the underground markets in the Middle East and North Africa and elsewhere were relatively consistent, Cabrera says. "Differences that we see stem from the societal influences that drive each of the economies," he says.

Unlike cyber underground markets in Russia and China for instance, profit did not appear to be a primary driving factor behind many of the Middle Eastern and North African operations. Instead, a spirit of sharing and a sense of brotherhood appeared to be the primary drivers behind the distribution of crimeware.

Many of the sellers and buyers in these digital souks appear gathered around a common cause and ideology. In addition to members readily handing out malware tools for free, they also tended to cooperate with each other in planning and launching malicious campaigns such as Web defacement and distributed denial-of-service attacks.

While such sharing exists in other forums as well, the sheer prevalence of it on Middle Eastern and North African digital souks is interesting, Cabrera says.  "Other underground marketplaces provide support to members, but the extent and willingness in this region is unique," he notes. 

Significantly, none of the marketplaces that Trend Micro studied was involved in the sale of weapons or drugs. Visitors looking to buy these items were directed to forums in the North American underground instead.

Prices for individual malware and hacking tools in these markets tended to be more expensive than in other regions. For example, keyloggers that sell for between $1 and $4 in the North American underground can cost as much as $19 in Middle Eastern and North African forums. But because members are willing to share their malware for a mutual cause, the price difference is usually balanced out, Cabrera said. 

In some cases, tools and information that fetch a hefty price in other markets were available for free. Port numbers for Internet-connected Supervisory Control and Data Acquisition (SCADA) system, for instance, were available for free in the cybercriminal underworld in this region, while the WannaCry ransomware sample was available for just $50.

"There is a broad range of technical capabilities seen among actors in this underground." Cabrera observes.

"The culture allows for budding script kiddies to get their feet wet, while some of the larger Hacking as a Service and defacement campaigns are run by more experienced, sophisticated actors. This is similar to what we’ve seen in the North American or Russian underground that foster a breadth of malicious actors."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-4147
PUBLISHED: 2019-09-16
IBM Sterling File Gateway 2.2.0.0 through 6.0.1.0 is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. IBM X-Force ID: 158413.
CVE-2019-5481
PUBLISHED: 2019-09-16
Double-free vulnerability in the FTP-kerberos code in cURL 7.52.0 to 7.65.3.
CVE-2019-5482
PUBLISHED: 2019-09-16
Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3.
CVE-2019-15741
PUBLISHED: 2019-09-16
An issue was discovered in GitLab Omnibus 7.4 through 12.2.1. An unsafe interaction with logrotate could result in a privilege escalation
CVE-2019-16370
PUBLISHED: 2019-09-16
The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has the same SHA-1 message digest, a related issue to CVE-2005-4900.