Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

10/10/2017 08:15 PM
Cybercrime Meets Culture In Middle East, North African Underground

Spirit of sharing and free malware a characteristic of crimeware markets in this region, Trend Micro says.

Cybercriminals shopping for malware tools and services can find plenty of wares available for free or next to nothing in emerging Middle East and North African cybercrime underground marketplaces.

Shopping these markets can be tricky for outsiders and often involves a vetting process, a joining fee, and more than a passing knowledge of Arabic. But those who do manage to become members can often get a range of malware tools, including SQL injection tools, keyloggers, crypters and instruction manuals, for free, a study by Trend Micro has revealed.

"The most interesting driver here is the deep permeation of religious influence – from what is sold to how users and sellers interact," says Ed Cabrera, chief cybersecurity officer for Trend Micro.

The trend is significant. The Middle East and North Africa is a young but emerging cybercrime region. It is increasingly thriving as a place where threat actors can coordinate and launch attacks against targets around the world. As underground markets and threat actors in the region develop and diversify, expect to see cyberattacks that go well beyond the usual Web defacements and denial of service attacks, Trend Micro said.

Expect also to see continued and closer coordination with the Russian underground, which has shown a tendency to hire malware coders from the Middle East and North Africa, the report says. Already, one of the underground sites that Trend Micro studied carried advertisements promoting Russia- and China-based underground forums.

Trend Micro studied the Middle East and North Africa's online underworld between July 2016 and December 2016. During that time the security vendor examined the kinds of merchandise available for sale in these markets, average prices for malware tools, and the interactions between buyers and sellers.

What Trend Micro discovered was a marketplace that was both similar to and very different from other underground markets elsewhere around the world.

Many of the malware products and services available in Middle East and North African markets were the same as those available elsewhere. Products included credit card and credential dumps, malware tools, and stolen identity information including passport scans and driver's license data. Several markets that Trend Micro studied also supplied do-it-yourself kits for launching malware schemes.

The general offerings between the underground markets in the Middle East and North Africa and elsewhere were relatively consistent, Cabrera says. "Differences that we see stem from the societal influences that drive each of the economies," he says.

Unlike cyber underground markets in Russia and China for instance, profit did not appear to be a primary driving factor behind many of the Middle Eastern and North African operations. Instead, a spirit of sharing and a sense of brotherhood appeared to be the primary drivers behind the distribution of crimeware.

Many of the sellers and buyers in these digital souks appear to be gathered around a common cause and ideology. In addition to members readily handing out malware tools for free, they also tended to cooperate with each other in planning and launching malicious campaigns such as Web defacement and distributed denial-of-service attacks.

While such sharing exists in other forums as well, the sheer prevalence of it in Middle Eastern and North African digital souks is interesting, Cabrera says. "Other underground marketplaces provide support to members, but the extent and willingness in this region is unique," he notes.

Significantly, none of the marketplaces that Trend Micro studied was involved in the sale of weapons or drugs. Visitors looking to buy these items were directed to forums in the North American underground instead.

Prices for individual malware and hacking tools in these markets tended to be higher than in other regions. For example, keyloggers that sell for between $1 and $4 in the North American underground can cost as much as $19 in Middle Eastern and North African forums. But because members are willing to share their malware for a mutual cause, the price difference is usually balanced out, Cabrera said.

In some cases, tools and information that fetch a hefty price in other markets were available for free. Port numbers for Internet-connected Supervisory Control and Data Acquisition (SCADA) systems, for instance, were available for free in the cybercriminal underworld in this region, while the WannaCry ransomware sample was available for just $50.

"There is a broad range of technical capabilities seen among actors in this underground," Cabrera observes.

"The culture allows for budding script kiddies to get their feet wet, while some of the larger Hacking as a Service and defacement campaigns are run by more experienced, sophisticated actors. This is similar to what we've seen in the North American or Russian underground, which fosters a breadth of malicious actors."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.