Threat Intelligence

6/5/2018
04:36 PM

Dark Web Marketplaces Dissolve Post-AlphaBay, Hansa Takedown

Cybercrime marketplaces reshape into smaller forums and individual chats as threat actors find new ways to evade law enforcement.

One year after Operation Bayonet took down AlphaBay in 2017, the marketplace model of cybercrime continues to decline -- but it's not a sign for security teams to sit back and relax. The risk to businesses and consumers is alive and well. It's simply taking a different form.

The operation that shuttered AlphaBay and Hansa led to multiple subsequent arrests, says Rafael Amado, strategy and research analyst at Digital Shadows. For a period of time after the takedown, many people didn't understand what was going on. When they did, they panicked.

"They thought it was an exit scam, or technical difficulties," he says. "There were all these different rumors flying about … it started to sow the seeds of mistrust, suspicion, cynicism."

AlphaBay's seizure meant thousands of vendors and buyers in the English-speaking cybercrime community had to look elsewhere to conduct their illicit business. The marketplace consisted of more than 40,000 vendors and generated more than $1 billion in trade, Digital Shadows reports in "Seize and Desist?," a new report examining cybercrime marketplaces post-AlphaBay.

"It cemented the issue of mistrust in the cybercriminal community … it made people really, really suspicious of established marketplaces, and new ones as well," he continues.

AlphaBay's demise left a gap, though it wasn't as large as experts expected -- the marketplace was just one player among many on the underground. However, other markets like Dream and Olympus failed to capitalize on the gap. Instead, cybercriminals found new and stealthier means of continuing their businesses while evading the watchful eye of law enforcement.

Find Me on the Forums

Cybercriminals, increasingly suspicious of marketplaces, began to retreat into older and specialized platforms to buy and sell. Peer-to-peer networks and chat channels have grown more popular, a trend that predates Operation Bayonet but has evolved in its wake.

Over the past six months, Digital Shadows researchers have observed more than 5,000 Telegram links shared across criminal forums and Dark Web sites. Of these, 1,667 were invitation links to join new groups. Discord, another private messaging app, is seeing greater adoption but to a lesser extent, with 743 invites shared within the same timeframe.
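Counts like the ones above come from classifying messaging-app links harvested from collected forum and chat text. The following is an added example of that classification step, not Digital Shadows' tooling or anything described in the report: it assumes the common public link shapes (`t.me/<name>` for public Telegram entities, `t.me/joinchat/<code>` or `t.me/+<code>` for invite links, `discord.gg/<code>` or `discord.com/invite/<code>` for Discord invites), and the sample posts are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable

# Constructed sample of collected posts (not real forum content).
SAMPLE_POSTS = [
    "contact me on tg: https://t.me/joinchat/AAAAAEexample1 for stock",
    "channel here t.me/some_public_channel, updates daily",
    "discord invite https://discord.gg/abc123 , jabber on request",
    "https://t.me/joinchat/AAAAAEexample1 (same group reposted)",
    "https://t.me/+AbCdEfGhIjK new invite format",
    "join https://discord.com/invite/xyz789",
    "no links in this post, PM only",
]

# Link shapes are an assumption for this example, not an exhaustive list.
TELEGRAM_RE = re.compile(r"(?:https?://)?t\.me/(\S+)", re.IGNORECASE)
DISCORD_RE = re.compile(
    r"(?:https?://)?(?:discord\.gg|discord\.com/invite)/(\S+)", re.IGNORECASE
)
TRAILING_PUNCT = ",.);"


def classify_telegram(path: str) -> str:
    """Return 'invite' for group/channel invite links, 'public' otherwise."""
    p = path.rstrip(TRAILING_PUNCT)
    if p.startswith("joinchat/") or p.startswith("+"):
        return "invite"
    return "public"


def count_messaging_links(posts: Iterable[str]) -> Dict[str, int]:
    """Count unique Telegram links (split into invites) and Discord invites.

    Links are deduplicated case-insensitively so a reposted invite is
    counted once, mirroring how an analyst would report distinct groups.
    """
    telegram_seen: Dict[str, str] = {}
    discord_seen = set()
    for post in posts:
        for m in TELEGRAM_RE.finditer(post):
            path = m.group(1).rstrip(TRAILING_PUNCT)
            telegram_seen[path.lower()] = classify_telegram(path)
        for m in DISCORD_RE.finditer(post):
            discord_seen.add(m.group(1).rstrip(TRAILING_PUNCT).lower())
    kinds = Counter(telegram_seen.values())
    return {
        "telegram_total": len(telegram_seen),
        "telegram_invites": kinds["invite"],
        "discord_invites": len(discord_seen),
    }


if __name__ == "__main__":
    # On the constructed sample: 3 distinct Telegram links, 2 of them invites,
    # and 2 distinct Discord invites.
    print(count_messaging_links(SAMPLE_POSTS))
```

The deduplication matters for the "invitation links to join new groups" figure: the same invite is often reposted across threads and sites, so counting raw matches would inflate the number of groups being advertised.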

The centralized marketplace has dissolved into a decentralized model as wary threat actors err on the side of caution, opting for subtle transactions over markets that require plentiful resources to operate. New tech, processes, and peer-to-peer (P2P) communication give cybercriminals greater anonymity and make them even harder to pin down.

"Your account information and payment card details, along with counterfeit documents, ID scans, banking Trojans … those things are still being traded," Amado explains. "They're not being sold on marketplaces, they're being sold on forums."

Specialized forums cater to buyers and sellers in the market for specific goods: credit card numbers, malware, hacking tools. Buyers post what they're looking for; sellers post what they have. They share Telegram, Discord, or Jabber contact details and slip into private messages. People generally want to communicate directly with the actors they're buying from, he adds; a forum thread is a complete log of the conversation and an easier target for law enforcement.

The future of Telegram as hackers' preferred tool is uncertain, Amado points out. It recently came to light that Apple has blocked Telegram updates since April, when Russia blocked Telegram and demanded its removal from the Apple App Store after the company refused to hand over decryption keys for users' communications to Russian security agencies.

"We'll see if Telegram will be forced to comply and if they are, you'll see people move away from Telegram as a communication method of choice," he expects.

Hackers Buckle Down on Forum Security

Forum administrators have been integrating processes to facilitate trust among their users. Blockchain DNS, user vetting, site access restrictions, and domain concealment supplement the use of P2P networks to build a sense of security.

Tralfamadore is an example of a decentralized market that uses blockchain to store databases and code to support front-end user interfaces. Transactions are done in cryptocurrency and are permanently recorded; this way, if one user attempts to scam another, it can be identified.

Cybercriminals using forums are wary of law enforcement posing as users. Some forums regulate activity with "forum lifecycles," which limit new users' access and set posting restrictions until they reach a certain level of activity. New users might require positive feedback from other members until these limitations are lifted.

Some forums require members to pay for premium subscriptions or to have multiple referral invitations from established participants. Others create a hierarchy: the longer you're a member and the more you prove your legitimacy, the more you're allowed to post.

Amado advises businesses to know what type of data they hold, how it could be monetized, and how an attacker might gain access to it, so as to keep their information from ending up in the cybercrime web. With a better idea of how the cybercrime ecosystem is adapting, they can better monitor where stolen data might flow.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
