
Risk

6/25/2020
04:10 PM

Criminals Turn to IM Platforms to Avoid Law Enforcement Scrutiny

Researchers from IntSights observed a sharp increase in the use of popular instant messaging apps over the past year among threat groups.

Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other.

Much of the popularity has to do with the secure, encrypted, peer-to-peer communications available with these platforms, allowing criminals to transact business relatively openly while avoiding scrutiny from law enforcement.

The trend highlights the need for organizations to pay closer attention to malicious activity on IM channels, says Etay Maor, chief security officer at IntSights, which this week released a report based on a yearlong study of IM usage among criminals.

"Enterprises should be aware of the changes and trends in threat actor behavior," Maor says. Organizations that wish to stay ahead of the curve have to know how and where threat actors communicate. "Security is not a static 'check, we are done here' process. Enterprises have to make sure they know what the threat landscape looks like, how and what their adversaries are planning," he says.

IntSights' researchers observed a substantial increase in IM platform usage among threat actors between January 2019 and January 2020. Data pulled from the company's proprietary external threat intelligence platform and other sources showed platforms such as Telegram, Discord, and ICQ to be especially popular among criminal actors.

IntSights researchers counted more than 56,800 Telegram invite links and some 223,000 mentions of the application across cybercrime forums during the one-year period, suggesting it was the most widely used platform. It was also the most heavily discussed on non-English language forums.

However, Discord — a popular chat and IM platform among gamers — appeared to be the fastest-growing platform within the criminal community based on the over 392,000 mentions of the app in forums used by threat groups. ICQ, a messaging system that's been around since 1996, ranked third in popularity based on the number of invite links to ICQ chat groups and the number of mentions on criminal forums. Other platforms that cybercriminals are using, but somewhat less widely, include WhatsApp, Skype, IRC, and Signal.
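The counts above (invite links and forum mentions per platform) are the kind of measurement a threat-intelligence team can reproduce over its own collected forum text. The script below is an added example, not IntSights' code or methodology, which the article does not describe; the sample posts are constructed, and the invite-link URL shapes it matches are assumptions chosen for the sample rather than an exhaustive list. It separates unique invite codes from plain name mentions, since a link is a stronger signal than a passing reference.

```python
import re
from collections import Counter

# Constructed sample forum posts for demonstration; not real data.
SAMPLE_POSTS = [
    "Fresh dumps in stock, contact on Telegram: https://t.me/joinchat/AAAAAExampleInvite1",
    "Our shop moved. Discord only now -> https://discord.gg/exampl3",
    "Ping me on ICQ (invite: https://icq.im/exampleGroup) or telegram @examplehandle",
    "Anyone have a Discord for the new tool? https://discord.com/invite/exampl3",
    "Old-school still: irc.example.net #chan. Also on Signal and WhatsApp.",
    "Telegram channel archived. New link: https://t.me/+ExampleInvite2",
]

# Invite-link patterns (assumed URL shapes). The capture group isolates the
# invite code so the same invite shared through different URL forms counts once.
INVITE_PATTERNS = {
    "telegram": re.compile(r"https?://(?:t|telegram)\.me/(?:joinchat/|\+)([A-Za-z0-9_-]+)", re.I),
    "discord": re.compile(r"https?://(?:discord\.gg|discord(?:app)?\.com/invite)/([A-Za-z0-9_-]+)", re.I),
    "icq": re.compile(r"https?://icq\.(?:im|com)/([A-Za-z0-9_-]+)", re.I),
}

PLATFORMS = ["telegram", "discord", "icq", "whatsapp", "skype", "irc", "signal"]

# Whole-word, case-insensitive mention patterns. Hostnames such as discord.gg
# also count as mentions, which is intended: a link is a strong signal.
MENTION_PATTERNS = {name: re.compile(rf"\b{name}\b", re.I) for name in PLATFORMS}


def extract_invite_codes(posts):
    """Return {platform: set of unique invite codes} found across posts."""
    found = {name: set() for name in INVITE_PATTERNS}
    for post in posts:
        for name, pattern in INVITE_PATTERNS.items():
            found[name].update(pattern.findall(post))
    return found


def count_mentions(posts):
    """Return a Counter of whole-word platform mentions across posts."""
    counts = Counter()
    for post in posts:
        for name, pattern in MENTION_PATTERNS.items():
            counts[name] += len(pattern.findall(post))
    return counts


def summarize_im_activity(posts):
    """Combine unique-invite and mention counts into {platform: {...}}."""
    codes = extract_invite_codes(posts)
    mentions = count_mentions(posts)
    return {
        name: {"invite_links": len(codes.get(name, set())), "mentions": mentions[name]}
        for name in PLATFORMS
    }


def rank_by_mentions(summary):
    """Platform names ordered by mention count, most discussed first."""
    return sorted(summary, key=lambda n: summary[n]["mentions"], reverse=True)


if __name__ == "__main__":
    summary = summarize_im_activity(SAMPLE_POSTS)
    for name in rank_by_mentions(summary):
        s = summary[name]
        print(f"{name:9s} mentions={s['mentions']:3d} unique_invites={s['invite_links']}")
```

Two caveats apply when running this over real collections: generic words such as "signal" and "irc" produce false positives as bare mentions, so invite-link counts are the more reliable ranking input, and invite codes expire or get rotated, so a unique-code count measures distinct invitations seen, not live groups.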

IntSights researchers found that groups engaged in financial fraud — such as selling or buying stolen payment card data, physical goods, and counterfeit products — tended to use IM platforms more heavily than other crooks. Generally, cybercriminals also tended to use these platforms to share news, exchange vulnerability and exploit information, and cite research work from within the cybersecurity community.

"Threat actors leverage the real-time communication to inform each other of any fresh cyber landscape news that could impact their future efforts," IntSights said in its report this week.

Reasons Why IMs are Popular
Maor says there are several reasons for the popularity of IM apps and services among cybercriminals. Chief among them are operational security, relative ease of use, accessibility by mobile users, and automation.

"While you can install a mobile Dark Web browser, IMs are much easier to access on mobile platforms, giving threat actors the ability to communicate on the go," Maor says.

The solid, end-to-end encryption available with many modern IM platforms gives attackers a better way to conceal their activity from law enforcement than is possible on the Web.

"It is known that law enforcement agencies have the capability to track and attribute Deep and even Dark Web communications on forums," Maor notes.

As one example, he points to "Operation Bayonet," the international law enforcement operation that resulted in two of the most notorious Dark Web markets — AlphaBay and Hansa — being taken down. Such takedowns have pushed threat actors to using IM platforms more heavily recently.

Communications on IM are also more challenging to break into, especially on platforms that allow users to create their own servers. IM protocols such as Jabber (now standardized as the Extensible Messaging and Presence Protocol, XMPP), for instance, allow cybercriminals to operate their own private networks with no outside interference, Maor says.

IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply. Tools like chatbots allow for automated replies and advertising on chats, helping threat actors achieve more in less time, he notes.

IM applications have been around for some time, and in fact were the go-to platform for criminals in the past. When Dark Web forums began increasing in popularity, IM apps were used mainly for out-of-channel communications and closing deals.

"Now, with rise in popularity of secured, encrypted IMs," Maor says, "more and more threat actors [are moving] every aspect of their business there."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Dr.T (User Rank: Ninja), 6/29/2020 | 9:20:48 PM
Quick response
"IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply." That makes sense; hackers would prefer quick ROI.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:19:06 PM
Discord
"However, Discord, a popular chat and IM platform among gamers, appeared to be the fastest-growing platform within the criminal community based on the over 392,00 mentions of the app in forums used by threat groups." Yes, I recently created my Discord login. I noticed it is widely used.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:17:04 PM
Security
"Security is not a static 'check, we are done here' process." Really true. Security is a process, not a point in time.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:15:29 PM
Secure
"Much of the popularity has to do with the secure, encrypted, peer-to-peer communications available with these platforms, allowing criminals to transact business relatively openly while avoiding scrutiny from law enforcement." Only certain messaging apps are secure, not all, unless they have end-to-end encryption.
Dr.T (User Rank: Ninja), 6/29/2020 | 9:13:16 PM
Messaging apps
"Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other." This makes sense, since we tend to use messaging apps more these days.
newtech.iqbal (User Rank: Apprentice), 6/26/2020 | 12:23:04 AM
Criminals Turn to IM Platforms to Avoid Law Enforcement Scrutiny
The issue highlighted is really the pain of the day for normal firms as well. Employees can use IM to exchange corporate secrets as well. IM applications are available in abundance, and easy access to encryption APIs has made developing for encryption a hassle-free activity. Policies and implementation need deeper thought.