A cybercrime group developed and sold phishing software that attackers deployed over the past 10 months in attempts to compromise an estimated 56,000 Microsoft 365 accounts, researchers with Group-IB said Wednesday.
It appears that hackers successfully compromised roughly 8,000 of the corporate Microsoft email accounts using the phishing kits, the researchers found. Group-IB notified all relevant law enforcement agencies of its findings, the company said.
The analysis identified at least 858 unique phishing websites connected to W3LL tools. Most of the targets are in the U.S., U.K., Australia, Germany, France, Italy, Switzerland and the Netherlands and span multiple industries, including manufacturing, IT, financial services, healthcare and others.
Attackers using the tools benefit from successful compromises in a variety of ways, the researchers said, including data theft, fake invoice scams, email owner impersonation or by using the business email for further malware distribution.
To use the W3LL marketplace, existing users must refer new customers. Then, they need to sign up for a three-month subscription for $500 and renew for $150 per month after that. One of the main tools for managing attacks, the W3LL Panel, requires attackers to authenticate each deployed phishing page through the panel, which then generates a unique token; without that token the phishing page will not work, according to the research. This tactic is likely meant to prevent vendors from reselling the phishing kit and related items such as other tools and lists of business domains, the researchers speculated.
When discussing malware, we tend to focus on the technical aspect of how a specific Trojan operates on an infected system. The processes executed by a malware variant, ranging from how it latches onto an infected device to how it manipulates the user into providing it with credentials, are just a small subset of the cybercrime ecosystem. Roughly eight years ago, a single operator would be in charge of everything from coding the malware to distributing it, including setting up command-and-control (C&C) servers, identifying infection points, working with money mules and more. Today, the whole process, or at least each individual element, can be easily outsourced.
Underground cybercrime forums offer professionals and amateurs alike a wide array of tools and services with varying prices and support levels. Some tools, such as malware samples, can be downloaded for free, while other elements of the fraud chain, such as cashing out via a mule account, come at a high cost due to scarce resources in the field. Almost any form of online fraud requires more than just one tool. Whether it is phishing, ransomware or financial crimeware, the operation needs hosting sites, C&C servers and/or a cash-out methodology. Some underground services are now also sold as cloud services, offering easy access and added security.
The underground market is showing no signs of slowing down, but rather of adaptation to industry trends. Even services and tools described in the infographic above can be broken down and sold separately. For example, HTML injections, specific scripts, configuration services and more can all be purchased separately when designing the malware of choice. It is also worth noting that cybercriminals are not only discussing and selling financial fraud tools, but also advanced targeting tools and RATs, health care and insurance fraud tools and services and much more.
The current cybercrime ecosystem makes a wealth of options available to cybercriminals. Unfortunately, that drastically increases the scope and complexity of schemes that could target an organization. Thorough prevention and detection systems are needed to avoid these security problems, but they must be fortified with tools such as fraud protection for a comprehensive defense.
The news today is full of stories about financial damage caused by hacker attacks against organizations, or about hundreds of thousands of user accounts being leaked from some website. Yet there's never any information about how much it costs to prepare and launch such attacks. But since the point of any work, including cybercrime, is to make a profit, hackers will simply switch to other, more lucrative pursuits if the costs of an attack are comparable to or exceed the potential revenue.
In our recent study of current cyberthreats, we noted an increase in the number of major cyberincidents: Q1 2018 saw 32 percent more detections than Q1 2017 [1]. What's more, most malware attacks involved the use of programs for data theft and hidden cryptocurrency mining. Meanwhile, information keeps appearing online about the code for various Trojans being made open-source. The availability of ready-made malware is, in our view, the reason behind the significant rise in the number of attacks. The aim of this study is to investigate the cost of such software and the complexity of acquiring it, as well as to analyze the market supply and demand.
We analyzed in detail the market for cybercriminal services and tried to assess whether cybercriminals need a wide range of specialized knowledge, or whether everything can be outsourced to the shadow market: hackers of websites and servers, malware developers and distributors, botnet owners, and other practitioners. During the analysis, we repeatedly encountered situations where the login credentials for systems and web shells for remote management of large companies' servers were up for sale. We immediately passed on the relevant information to the compromised organizations, warning about the need to take protective measures and carry out an investigation.
For the objects of our study, we selected the 25 most popular shadow trading platforms, whose names we do not disclose, with a total number of registered users in excess of three million. We analyzed more than 10,000 ads in total, without taking into account obvious scams, which inundate the gray market like any other.
Instead of in-house products and services, most modern cyberattacks deploy ones purchased and leased from third parties. This not only lowers the cybercrime entry threshold and simplifies carrying out attacks, but also makes it difficult or impossible to accurately attribute targeted attacks.
The diagram below presents some common types of attacks, as well as their minimum cost in US dollars, assuming that the attack masterminds purchase all necessary means and tools with money. For example, the cost of a targeted attack against an organization, depending on its complexity, can start from $4,500, including hiring an expert hacker, leasing infrastructure, and purchasing the relevant tools. Hacking a site and gaining full control over a web application costs only $150, yet we found ads for the targeted hacking of sites with prices climbing to $1,000.
The study showed that cryptominers, hacking utilities, botnet malware, RATs, and ransomware Trojans are widely available in the shadow cyberservices market, while the highest demand is typically for malware development and distribution. The market offers more than 50 different categories of goods and services, which together can be used to organize any attack.
According to FireCompass, only 4 percent of Internet pages are indexed by search engines [6]. Private forums and databases (medical, research, financial), and other resources invisible to search engines are collectively known as the deep web, or the deep Internet. Besides resources with confidential and other legal data, the deep web contains specialized platforms and forums of an unlawful nature, collectively known as the dark web. And since such resources often trade in illegal products and services, altogether they are also called the shadow market. Our study focused on hacker forums.
Today, malware is a key element in almost every cyberattack, since it handles tasks related to automation, speed of execution, and attack invisibility. Depending on its purpose, malware is divided into several types:
The diagram below shows the prevalence of dark web ads for particular malware. It should be noted that during the research we encountered seller ads either for ready-made Trojans or malware developers, but no buyer ads for a specific ready-made Trojan. This suggests that the demand is almost completely covered by the wide range of malware offers, and when a specific solution is required, cybercriminals implement it independently or hire programmers. We explore the topic of hiring programmers separately (see Section 3.1.1).
In 2017, the rapid rise in the value of cryptocurrencies caused an explosion in the use of hidden mining software. It accounts for 19 percent of malware currently up for sale. In Q1 2018, the share of cyberattacks using this type of malware stood at 23 percent [7]. The growing interest in cryptocurrencies also led to the wider dissemination of data-stealing malware (stealers, spyware) aimed primarily at taking funds from cryptocurrency accounts. With 11 percent of the total volume of malware offers, stealers are in first place by number of cyberincidents logged in Q1 2018 (30% of all such incidents).
Nineteen percent of offers up for sale were hacking tools, in which category we include software designed for website attacks, mass mailings, address and password generators, and packers and encryptors of executable files.
The average prices for tools from each category are given in the diagram above. The most expensive malware was for ATMs. This is not surprising, since cybercriminals can use it to gain substantial profit.
With a stealer costing around $10, stolen data can fetch anything from a few dollars to several hundred dollars for credentials for email accounts, social networks, and other resources containing personal information. And if the malware enables the theft of user data for payment systems or passwords for cryptocurrency wallets, the potential revenue is thousands of times greater than the cost of the attack.
When hackers are not simply after a certain set of data, but looking to establish a long-term latent presence in the system and execute commands remotely, they use what is known as a remote access Trojan (RAT). Typically, malware of this type allows the cybercriminal to: