Status of the CyberCrime Underground

Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground

https://cybersixgill.com/resources/the-state-of-the-underground-2023

The research stems from an analysis of Cybersixgill's collected intelligence items throughout 2022, gathered from the deep, dark and clear web.  The report examines the continuous evolution of threat actors' tactics, tools, and procedures (TTPs) in the Digital Age and how organizations can adapt to reduce risk and maintain business resilience.  This article summarizes a few of the report's findings, including trends in credit card fraud, observations about cryptocurrency, AI developments and how they are lowering barriers to entry to cybercrime, and the rise of “Cybercrime as-a-Service" (CaaS) activities.[1]

Credit card fraud is (mostly) on the Decline - Credit card fraud has been a common and frequent threat used by underground cybercriminals for many years.  But several recent developments are slowing the tide and significantly reducing credit card fraud incidents.  Most visibly, there has been a significant decline in compromised credit cards for sale on illicit underground markets.  For example, in 2019, dark web markets listed approximately 140 million compromised cards for sale.  The number declined to around 102 million in 2020 and plummeted again by another 60% to almost 42 million cards in 2021.  Finally, in 2022, this total plunged again to only 9 million cards.  The significant decline in credit card fraud is due mainly to the following:

  1. Improvements in authentication and fraud prevention – Banks and financial institutions are using advanced authentication and "passwordless" methods that make it harder to compromise a card, such as biometric authentication (e.g., fingerprints and face recognition), as well as PINs, EMV chips, and multi-factor authentication (MFA).
  2. Real-time fraud detection – Implemented primarily by credit card companies, real-time fraud detection systems that use machine learning algorithms to analyze user behavior, spending patterns, and geolocation data can identify anomalies or suspicious activity. Once a transaction is flagged as suspicious, the issuer might demand additional types of verification, such as asking a security question or sending an SMS verification, making it more challenging for fraudsters to use stolen cards.
  3. E-commerce security improvements – Since 2021, e-commerce sites have been using more robust security measures, such as two-factor authentication (2FA), address verification systems, and secure payment systems adhering to PCI DSS, making it harder for cybercriminal threat actors to steal credit card data from consumers.
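As an added illustration (not code from the report or this article) of the real-time detection described in item 2, the following Python scores a card transaction against the cardholder's recent history on two of the signals named above, spending pattern and geolocation, and decides whether to approve it or demand step-up verification. The thresholds, coordinates and sample transactions are constructed assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class Txn:
    card: str
    amount: float   # in the card's currency
    lat: float      # merchant/terminal geolocation
    lon: float
    ts: int         # unix seconds


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def assess(history, txn, max_speed_kmh=900.0, z_threshold=3.0):
    """Return ('approve' | 'step_up', reasons) for txn given prior transactions.

    'step_up' means the issuer should ask for extra verification (e.g. an SMS
    code) rather than decline outright. Thresholds are illustrative assumptions.
    """
    reasons = []
    if history:
        # Spending pattern: flag amounts far above the cardholder's usual spend.
        mean = sum(t.amount for t in history) / len(history)
        var = sum((t.amount - mean) ** 2 for t in history) / len(history)
        sd = math.sqrt(var) or 1.0          # avoid division by zero on flat history
        z = (txn.amount - mean) / sd
        if z > z_threshold:
            reasons.append(f"amount z-score {z:.1f} exceeds {z_threshold}")
        # Geolocation: flag 'impossible travel' since the last transaction.
        last = history[-1]
        km = haversine_km(last.lat, last.lon, txn.lat, txn.lon)
        hours = max((txn.ts - last.ts) / 3600, 1 / 3600)   # floor at one second
        if km / hours > max_speed_kmh:
            reasons.append(f"implied travel {km:.0f} km in {hours:.1f} h")
    return ("step_up" if reasons else "approve"), reasons


# Constructed sample data: five routine purchases in Boston over five days.
BASE = 1_700_000_000
HISTORY = [Txn("card-A", amt, 42.36, -71.06, BASE + i * 86400)
           for i, amt in enumerate([25, 40, 30, 55, 45])]
SUSPECT = Txn("card-A", 1500.0, 51.51, -0.13, BASE + 4 * 86400 + 3600)  # London, 1 h later
NORMAL = Txn("card-A", 35.0, 42.36, -71.06, BASE + 4 * 86400 + 7200)    # Boston, 2 h later
```

Running `assess(HISTORY, SUSPECT)` yields a step-up decision with both reasons, while `assess(HISTORY, NORMAL)` approves.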

Cryptocurrency: a tool and a target - A hallmark of cryptocurrency is that it's decentralized, allowing users anonymity and privacy.  No surprise, then, that cryptocurrencies are the payment method of choice for cybercriminals to purchase illicit goods and services, launder proceeds from cyberattacks, and receive ransomware payments.  As cryptocurrency has gained broader adoption for legitimate purposes, it's also become a target for threat actors, presenting new opportunities for "crypto-jacking," digital wallet takeovers, crypto-mining, and siphoning digital assets from crypto exchanges.

Even with the fallout from the 2022 crypto crash, crypto's value among cybercriminals has only increased.  As revealed in our report, we saw a 79% increase in crypto account takeover attacks in 2022.  (Ultimately, cybercriminals use crypto to move money, not make money. While transactions on the underground are consummated in cryptocurrency, prices are listed in dollar value.)  Yet, threat actors may ultimately abandon cryptocurrencies if investors continue to pull out due to the market's volatility, as fewer crypto users make it easier for law enforcement to track illicit transactions and for legislators to enforce stricter regulation.  Researchers are continuing to watch this space to see how it evolves.

Democratization of AI - In less than a year since it first arrived on the scene, cybercriminals continue to show great enthusiasm for ChatGPT - as well as other newly released AI tools - and their promise as a force multiplier for cybercrime.  Given its ability to emulate human language for social engineering and, with the right prompts and guidance, even to automate the development of malware code, threat actors can streamline the entire attack chain.  ChatGPT allows novice and less sophisticated cybercriminals to carry out malicious acts faster, with relative ease.  AI technology is making cybercrime more accessible and lowering the barrier to entry by enabling threat actors to quickly write malicious code and perform other "pre-ransomware" preparatory activities.

Commercializing Cybercrime with As-a-Service Offerings - The as-a-Service business model is increasing, given its ability to help cybercriminals commercialize their expertise and scale operations.  By purchasing sophisticated hackers' services, infrastructures, or tools, threat actors can outsource the groundwork required to launch a cyberattack with minimal effort.  Especially concerning is the continued rise of Ransomware-as-a-Service (RaaS).  The RaaS business model operates much like a modern business, whereby ransomware developers and operators lease out their ransomware technology and infrastructure to a network of lesser-skilled 'affiliates' for distribution in return for a cut of the ransom extortion profits, thereby scaling their operations.  This as-a-Service offering makes the extortion business accessible and profitable to a larger pool of cybercriminals, driving the rapid increase in ransomware attacks year over year.

Every connected asset within an organization's sprawling attack surface presents cybercriminals with a potential entry point for attack.  Today, protecting the expanding organizational attack surface using cyber threat intelligence alone to evaluate exposure is a near impossible task.  The modern attack surface is increasingly external, extending beyond the known network perimeter to include a vast ecosystem of unknown assets from cloud-based resources, connected IPs, SaaS applications, and third-party supply chains.  As a result, most organizations suffer from major blind spots in their complete attacker-exposed IT environment, while struggling with overwhelming quantities of cyber threat intelligence data.  To effectively defend against cyber threats, security teams need complete visibility into their unique attack surface and real-time insight into their threat exposure.

Given the ever-expanding threat landscape of the Digital Age, the ability to identify the highest-priority risks facing their organization and focus their efforts accordingly offers tremendous benefits to resource-constrained security teams.

This article is presented at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/5504229295967742989

[1] https://thehackernews.com/2023/06/activities-in-cybercrime-underground.html
