BLACK HAT USA 2021 – Not all cybercriminals are operational masterminds. In fact, the foundation of many criminal activities comes from an opportunistic "informal economy" made up of people who participate in small ways for small chunks of profit.
Some people may not know they're aiding cybercrime at all, said researchers in a Black Hat USA presentation called "The Mass Effect: How Opportunistic Workers Drift into Cybercrime." Their research began with the goal of learning the context and motivation of attackers behind the Geost banking Trojan, a botnet detected in 2018 with nearly one million victims, 17 command-and-control servers, and thousands of malicious Android application packages (APKs).
It ended, however, with a large-scale analysis of behaviors seen in an informal online market, and with an alternative way of describing criminal economies that involves a "working class". These groups act as a "mass effect", according to the researchers, who represent Secureworks, GoSecure, and the Czech Technical University in Prague.
In medicine, the mass effect refers to a growing mass that pushes or displaces surrounding tissues and organs, increasing the scale of the initial problem, explained Serge-Olivier Paquette, senior manager of data science at Secureworks, in a virtual briefing. In cybercrime, the researchers use the mass effect to describe the growth of an informal workforce supporting criminal activities.
"There is a large informal workforce evolving at the periphery of the malware industry that is necessary to its operation," said Masarah Paquet-Clouston, security researcher at GoSecure.
A Deep Dive into Online Forums
Geost was discovered by researchers at Stratosphere Labs who were investigating HtBot. They found Geost thanks to the mistakes their operators made, which included using the illegal proxy network of HtBot, not encrypting their C2 servers, and failing to encrypt their chat sessions.
A chat log found on VirusTotal contained private discussions among people involved with spreading Geost. Researchers had access to 6,000 messages sent between June 2018 and April 2018, in which 32 participants exchanged key information about Geost's C2 commands, IP addresses, and domains, as well as some newly infected APKs.
Their thematic analysis of the chat log revealed three themes: an adverse business environment, amateur work, and leniency toward criminality. It was clear the people using it had unreliable business partners with declining business prospects, lacked technical skills, used defective tools, and were aware they were participating in criminal activity.
These themes encompassed most of the conversation, said Paquet-Clouston.
"Definitely, they were not the bot masters or the motivated offenders behind the Geost botnet, but they seemed rather to be those individuals at the periphery of the criminal scheme, helping the infected APKs to spread in the wild."
The private chat log was a valuable resource for a team who sought to learn more about Geost, but researchers noticed something else: members were discussing conversations that happened in a public space.
"Very rarely do we have information on private discussions as well as public ones, so we pivoted to understanding what they were discussing on a public forum, which is called searchengine[.]guru and has over half a million users," said Paquet-Clouston. The forum was a Russian-speaking Internet marketing platform, and its members were an "informal workforce."
The forum was divided into nine seemingly clean categories: how to monetize websites, how to build websites, search engine optimization, and other related topics. Its subcategories, however, hinted at malicious activity: "doorways and cloaking", for one, referred to black hat SEO and manipulating people into clicking links they wouldn't normally agree to click.
Researchers noticed there were three people who formed the bulk of conversations in the 33-person private chat: an entrepreneur, a webmaster, and a developer. Their business model was to develop Android portals for infected APKs, which ultimately spread the Geost botnet. These same three people were also highly active in the public forum, where they interacted with users across categories.
Never in their public posts did they mention Geost or spreading any kind of malware, Paquette noted, adding that their messaging was "covertly displayed in the public space."
The 'Drift' Into Cybercrime
Once the researchers understood how the Geost criminals operated, they had a new goal: to assess whether the forum had users who were also involved with potentially criminal activities. These so-called "drifters" post both on the public forum and on more criminally prone platforms.
One technique the researchers used was username matching, chosen because research indicates people tend to reuse usernames across platforms. After filtering on some traits – usernames containing at least five characters, for example – and on the timeframe around Geost, they found matches across 38 platforms. Seventeen were on the clear web, 21 on the Dark Web.
Of the 21,726 users who fit the filter, 1,557 (7.2%) were identified as drifters. Researchers tried several factors to determine what separated one group from the other, but their analysis didn't yield any clear results.
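The username-matching procedure described above, as an added illustration in Python (this is not code from the researchers or the presentation). The accounts, platform names and the date window are constructed assumptions; the only values taken from the study are the five-character filter and the idea of applying the observed drifter rate to advertised user counts.

```python
from dataclasses import dataclass
from datetime import date

MIN_USERNAME_LEN = 5  # the study's "at least five characters" filter

@dataclass(frozen=True)
class Account:
    platform: str
    username: str
    last_seen: date  # constructed activity date used for the timeframe filter

def normalize(username: str) -> str:
    # Case-insensitive comparison; short or generic names are the main false-positive risk
    return username.strip().lower()

def eligible(acct: Account, window) -> bool:
    """Apply the study's two filters: username length and activity inside the window."""
    start, end = window
    return len(normalize(acct.username)) >= MIN_USERNAME_LEN and start <= acct.last_seen <= end

def find_drifters(public, other, window):
    """Return (eligible public usernames, {username: set of other platforms it appears on})."""
    public_names = {normalize(a.username) for a in public if eligible(a, window)}
    matches = {}
    for a in other:
        name = normalize(a.username)
        if name in public_names:
            matches.setdefault(name, set()).add(a.platform)
    return public_names, matches

def drifter_rate(public_names, matches) -> float:
    return len(matches) / len(public_names) if public_names else 0.0

def extrapolate(advertised_user_counts, rate) -> int:
    """The study's rough estimate: sum of advertised user counts times the observed rate."""
    return round(sum(advertised_user_counts) * rate)

# Constructed sample data (assumed window: activity in the second half of 2018)
WINDOW = (date(2018, 6, 1), date(2018, 12, 31))
PUBLIC_FORUM = [
    Account("public_forum", "alpha_dev", date(2018, 8, 3)),
    Account("public_forum", "bob", date(2018, 9, 1)),          # too short, filtered out
    Account("public_forum", "webmaster42", date(2018, 10, 12)),
    Account("public_forum", "oldtimer", date(2015, 2, 2)),     # outside window, filtered out
    Account("public_forum", "cloakking", date(2018, 12, 5)),
]
OTHER_PLATFORMS = [
    Account("clearweb_seo_forum", "alpha_dev", date(2018, 7, 9)),
    Account("darkweb_market", "Alpha_Dev", date(2018, 11, 20)),  # same name, different case
    Account("darkweb_market", "cloakking", date(2018, 12, 1)),
    Account("darkweb_market", "bob", date(2018, 8, 8)),
    Account("darkweb_market", "oldtimer", date(2018, 8, 8)),
]
```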
"It seems like drifters and non-drifters are indistinguishable, at least based on the discriminatory variables we would think of," Paquette said. They concluded the drifter population is likely larger than 7%, and that drifters outside their sample were hindering the results.
How many users migrate to criminal platforms? An analysis of drifter data from 2012 to 2020 revealed 75% of public forum users favor informal online spaces over cybercrime-prone spaces. Roughly one-quarter of users permanently drift into cybercriminal forums, the researchers said.
This research only focused on a subset of drifters supporting cybercrime. Researchers collected data from platforms similar to the public forum they studied, summed the advertised number of users, and applied the same 7% drifter rate. This suggested 500,000 "crimino-curious" users.
"The individuals that we studied in the private chat log, they were not motivated offenders; they were not the people behind Geost," said Paquet-Clouston. "They were, rather, these individuals like the workforce surrounding it, allowing the Geost operators to spread their infected APKs."
Based on their findings, the researchers believe most people would "probably rather not" drift into cybercrime, and there may be possibilities to help them avoid criminal activity by changing their opportunistic landscape. They emphasized a need to explore the idea of mass effect and the role of informal economies where "drifters are dancing on the crime line."