Dark Reading

Risk | 6/25/2020, 04:10 PM
Criminals Turn to IM Platforms to Avoid Law Enforcement Scrutiny

Researchers from IntSights observed a sharp increase in the use of popular instant messaging apps over the past year among threat groups.

Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other.

Much of the popularity stems from the encrypted, real-time communication these platforms offer, which lets criminals transact business relatively openly while avoiding scrutiny from law enforcement. (The platforms are server-mediated rather than peer-to-peer; the degree of encryption varies by platform and is discussed below.)

The trend highlights the need for organizations to pay closer attention to malicious activity on IM channels, says Etay Maor, chief security officer at IntSights, which this week released a report based on a yearlong study of IM usage among criminals.

"Enterprises should be aware of the changes and trends in threat actor behavior," Maor says. Organizations that wish to stay ahead of the curve have to know how and where threat actors communicate. "Security is not a static 'check, we are done here' process. Enterprises have to make sure they know what the threat landscape looks like, how and what their adversaries are planning," he says.

IntSights' researchers observed a substantial increase in IM platform usage among threat actors between January 2019 and January 2020. Data pulled from the company's proprietary external threat intelligence platform and other sources showed platforms such as Telegram, Discord, and ICQ to be especially popular among criminal actors.

IntSights researchers counted more than 56,800 Telegram invite links and some 223,000 mentions of the application across cybercrime forums during the one-year period, suggesting it was the most widely used platform. It was also the most heavily discussed on non-English language forums.

However, Discord — a popular chat and IM platform among gamers — appeared to be the fastest-growing platform within the criminal community based on the over 392,000 mentions of the app in forums used by threat groups. ICQ, a messaging system that's been around since 1996, ranked third in popularity based on the number of invite links to ICQ chat groups and the number of mentions on criminal forums. Other platforms that cybercriminals are using, but somewhat less widely, include WhatsApp, Skype, IRC, and Signal.
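The counts above come from scanning forum posts for invite links and for mentions of each application. As an added example, not IntSights' tooling and not code from the article, the following Python script runs that kind of tally over a handful of constructed forum posts. It matches the invite-link formats in current use (t.me/joinchat/ and t.me/+ for Telegram, discord.gg/ and discord.com/invite/ for Discord, icq.im/ for ICQ), strips the links before counting bare-name mentions so the two metrics stay disjoint, and ranks the platforms the way the report does. The sample posts and the invite codes in them are invented for the demonstration.

```python
import re
from collections import Counter

# Invite-link patterns for the three platforms the report ranks.
# Telegram: t.me/joinchat/<hash>, t.me/+<hash> (private groups), t.me/<name> (public)
# Discord:  discord.gg/<code>, discord.com/invite/<code>
# ICQ:      icq.im/<name>
INVITE_PATTERNS = {
    "telegram": re.compile(r"(?:https?://)?t\.me/(?:joinchat/|\+)?[A-Za-z0-9_\-]{3,}", re.I),
    "discord": re.compile(
        r"(?:https?://)?(?:discord\.gg|discord(?:app)?\.com/invite)/[A-Za-z0-9\-]{2,}", re.I
    ),
    "icq": re.compile(r"(?:https?://)?icq\.im/[A-Za-z0-9_\-]{3,}", re.I),
}

# Bare-name mentions. "Signal" is deliberately left out: as a plain English
# word it would generate far more false positives than true hits.
MENTION_PATTERNS = {
    "telegram": re.compile(r"\btelegram\b", re.I),
    "discord": re.compile(r"\bdiscord\b", re.I),
    "icq": re.compile(r"\bicq\b", re.I),
    "whatsapp": re.compile(r"\bwhatsapp\b", re.I),
    "jabber": re.compile(r"\b(?:jabber|xmpp)\b", re.I),
}

# Constructed sample posts (not real forum data); invite codes are made up.
SAMPLE_POSTS = [
    "Fresh CVV dumps, US/EU, contact on telegram: https://t.me/joinchat/AAAAAExampleHash1",
    "Selling counterfeit docs. Discord only -> discord.gg/ExAmPl3 , no PM here",
    "ICQ 123456789 or icq.im/example_seller for bulk orders",
    "New exploit writeup dropped, discussing it in our Telegram channel t.me/+ExampleInvite2",
    "Anyone still on whatsapp? telegram is faster for deals",
    "Join discord.com/invite/ExAmPl3 for the latest card drops, also on ICQ",
]


def _normalize(link):
    """Drop the URL scheme so http:// and https:// variants dedupe together.
    Invite hashes are case-sensitive, so the rest of the link is kept as-is."""
    return re.sub(r"^https?://", "", link, flags=re.I)


def extract_im_indicators(posts):
    """Tally IM indicators across an iterable of post strings.

    Returns (mentions, links):
      mentions: Counter platform -> number of bare-name mentions (links excluded)
      links:    dict platform -> sorted list of unique invite links seen
    """
    mentions = Counter()
    links = {platform: set() for platform in INVITE_PATTERNS}
    for post in posts:
        remainder = post
        # Pull invite links first and remove them, so "discord" inside
        # "discord.gg/..." is not also counted as a name mention.
        for platform, pattern in INVITE_PATTERNS.items():
            for match in pattern.findall(remainder):
                links[platform].add(_normalize(match))
            remainder = pattern.sub(" ", remainder)
        for platform, pattern in MENTION_PATTERNS.items():
            mentions[platform] += len(pattern.findall(remainder))
    return mentions, {platform: sorted(found) for platform, found in links.items()}


def rank_platforms(mentions, links):
    """Order platforms by mention count, then by unique invite links, then name.
    Returns a list of (platform, mention_count, unique_link_count) tuples."""
    rows = [
        (platform, mentions.get(platform, 0), len(links.get(platform, [])))
        for platform in MENTION_PATTERNS
    ]
    rows.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return rows


if __name__ == "__main__":
    found_mentions, found_links = extract_im_indicators(SAMPLE_POSTS)
    for platform, n_mentions, n_links in rank_platforms(found_mentions, found_links):
        print(f"{platform:9s} mentions={n_mentions} invite_links={n_links}")
    for platform, link_list in found_links.items():
        for link in link_list:
            print(f"  {platform}: {link}")
```

On the six constructed posts the script ranks Telegram first (three mentions, two invite links) and ICQ second, which is the shape of the finding in the report, but on real forum data the interesting part is the link list: each unique invite link is a concrete collection target that the mention count alone does not give you.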

IntSights researchers found that groups engaged in financial fraud — such as selling or buying stolen payment card data, physical goods, and counterfeit products — tended to use IM platforms more heavily than other crooks. Generally, cybercriminals also tended to use these platforms to share news, exchange vulnerability and exploit information, and cite research work from within the cybersecurity community.

"Threat actors leverage the real-time communication to inform each other of any fresh cyber landscape news that could impact their future efforts," IntSights said in its report this week.

Reasons Why IMs are Popular
Maor says there are several reasons for the popularity of IM apps and services among cybercriminals. Chief among them are operational security, relative ease of use, accessibility by mobile users, and automation.

"While you can install a mobile Dark Web browser, IMs are much easier to access on mobile platforms, giving threat actors the ability to communicate on the go," Maor says.

End-to-end encryption, where a platform offers it, conceals message content from the service operator and from law enforcement in a way that Web forums cannot. The protection is not uniform, though: Telegram encrypts only its opt-in "secret chats" end to end and stores ordinary chats on its servers, and Discord offers no end-to-end encryption for messages at all, so much of the traffic the report counts is opaque to outsiders but not to the platform operators themselves.

"It is known that law enforcement agencies have the capability to track and attribute Deep and even Dark Web communications on forums," Maor notes.

As one example, he points to "Operation Bayonet," the international law enforcement operation that resulted in two of the most notorious Dark Web markets — AlphaBay and Hansa — being taken down. Such takedowns have pushed threat actors to using IM platforms more heavily recently.

Communications on IM are also harder for outsiders to monitor, especially on platforms that let users run their own servers. Federated protocols such as XMPP (originally known as Jabber) let cybercriminals operate their own private messaging servers, with no third-party operator in the path to log traffic or respond to a legal request, Maor says.

IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply. Tools like chatbots allow for automated replies and advertising on chats, helping threat actors achieve more in less time, he notes.

IM applications have been around for some time, and in fact were the go-to platform for criminals in the past. When Dark Web forums began increasing in popularity, IM apps were used mainly for out-of-channel communications and closing deals.

"Now, with rise in popularity of secured, encrypted IMs," Maor says, "more and more threat actors [are moving] every aspect of their business there."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
Comments
Dr.T (User Rank: Ninja), 6/29/2020 | 9:20:48 PM
Quick response
"IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply." That makes sense; hackers would prefer quick ROI.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:19:06 PM
Discord
"However, Discord, a popular chat and IM platform among gamers, appeared to be the fastest-growing platform within the criminal community based on the over 392,000 mentions of the app in forums used by threat groups." Yes, I recently created my Discord login. I noticed it is widely used.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:17:04 PM
Security
"Security is not a static 'check, we are done here' process." Really true. Security is a process, not a point in time.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:15:29 PM
Secure
"Much of the popularity has to do with the secure, encrypted, peer-to-peer communications available with these platforms, allowing criminals to transact business relatively openly while avoiding scrutiny from law enforcement." Only certain messaging apps are secure, not all, unless they have end-to-end encryption.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:13:16 PM
Messaging apps
"Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other." This makes sense, since we tend to use messaging apps more these days.
newtech.iqbal (User Rank: Apprentice), 6/26/2020 | 12:23:04 AM
Criminals Turn to IM Platforms to Avoid Law Enforcement Scrutiny
The issue highlighted is really the pain of the day for normal firms as well. Employees can use IM to exchange corporate secrets as well. IM applications are available in abundance, and easy access to encryption APIs has made developing for encryption a hassle-free activity. Policies and implementation need deeper thought.