Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

10/10/2017
08:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cybercrime Meets Culture In Middle East, North African Underground

Spirit of sharing and free malware a characteristic of crimeware markets in this region, Trend Micro says.

Cybercriminals shopping for malware tools and services can find plenty of wares available for free or next to nothing in emerging Middle East and North African cybercrime underground marketplaces.

Shopping these markets can be tricky for outsiders and often involves a vetting process, a joining fee, and more than just a passing knowledge of Arabic. But those that do manage to become members often can get a range of malware tools including SQL injection tools, keyloggers, crypters and instruction manuals for free, a study by Trend Micro has revealed.

"The most interesting driver here is the deep permeation of religious influence – from what is sold to how users and sellers interact," says Ed Cabrera, chief cybersecurity officer for Trend Micro.

The trend is significant. The Middle East and North Africa is a young but emerging cybercrime region. It is increasingly thriving as a place where threat actors can coordinate and launch attacks against targets around the world. As underground markets and threat actors in the region develop and diversify, expect to see cyberattacks that go well beyond the usual Web defacements and denial of service attacks, Trend Micro said.

Expect also to see continued and closer coordination with the Russian underground, which has shown a tendency to hire malware coders from the Middle East and North Africa, the report says. Already, one of the underground sites that Trend Micro studied had advertisements promoting Russian and China-based underground forums.

Trend Micro studied Middle East and North Africa’s online underworld between July 2016 and December 2016. During that time the security vendor examined things like the kind of merchandise available for sale in these markets, average prices for malware tools, and the interactions between buyers and sellers.

What Trend Micro discovered was a marketplace that was both similar to and very different from other underground markets elsewhere around the world.

Many of the malware products and services available in Middle East and North African markets were the same as that available elsewhere. Products included credit card and credential dumps, malware tools, and stolen identity information including passport scans and driver's license data.  Several markets that Trend Micro studied also supplied do-it-yourself kits for launching malware schemes.

The general offerings between the underground markets in the Middle East and North Africa and elsewhere were relatively consistent, Cabrera says. "Differences that we see stem from the societal influences that drive each of the economies," he says.

Unlike cyber underground markets in Russia and China for instance, profit did not appear to be a primary driving factor behind many of the Middle Eastern and North African operations. Instead, a spirit of sharing and a sense of brotherhood appeared to be the primary drivers behind the distribution of crimeware.

Many of the sellers and buyers in these digital souks appear gathered around a common cause and ideology. In addition to members readily handing out malware tools for free, they also tended to cooperate with each other in planning and launching malicious campaigns such as Web defacement and distributed denial-of-service attacks.

While such sharing exists in other forums as well, the sheer prevalence of it on Middle Eastern and North African digital souks is interesting, Cabrera says.  "Other underground marketplaces provide support to members, but the extent and willingness in this region is unique," he notes. 

Significantly, none of the marketplaces that Trend Micro studied was involved in the sale of weapons or drugs. Visitors looking to buy these items were directed to forums in the North American underground instead.

Prices for individual malware and hacking tools in these markets tended to be more expensive than in other regions. For example, keyloggers that sell for between $1 and $4 in the North American underground can cost as much as $19 in Middle Eastern and North African forums. But because members are willing to share their malware for a mutual cause, the price difference is usually balanced out, Cabrera said. 

In some cases, tools and information that fetch a hefty price in other markets were available for free. Port numbers for Internet-connected Supervisory Control and Data Acquisition (SCADA) system, for instance, were available for free in the cybercriminal underworld in this region, while the WannaCry ransomware sample was available for just $50.

"There is a broad range of technical capabilities seen among actors in this underground." Cabrera observes.

"The culture allows for budding script kiddies to get their feet wet, while some of the larger Hacking as a Service and defacement campaigns are run by more experienced, sophisticated actors. This is similar to what we’ve seen in the North American or Russian underground that foster a breadth of malicious actors."

Related content:

 

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
10 Notable Security Acquisitions of 2019 (So Far)
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12865
PUBLISHED: 2019-06-17
In radare2 through 3.5.1, cmd_mount in libr/core/cmd_mount.c has a double free for the ms command.
CVE-2017-10720
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi name. This application is installed o...
CVE-2017-10721
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the device has Telnet functionality enabled by default. This device acts as an Endoscope camera that allows its users to use it in various industrial systems and settings, car ga...
CVE-2017-10722
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that the desktop application used to connect to the device suffers from a stack overflow if more than 26 characters are passed to it as the Wi-Fi password. This application is install...
CVE-2017-10723
PUBLISHED: 2019-06-17
Recently it was discovered as a part of the research on IoT devices in the most recent firmware for Shekar Endoscope that an attacker connected to the device Wi-Fi SSID can exploit a memory corruption issue and execute remote code on the device. This device acts as an Endoscope camera that allows it...