Global black markets and the underground economy
Adam Tyler is the Chief Innovative Officer at CSID. In this interview he discusses global black markets, what type of information is most valuable for cybercriminals, modern malware, and much more.
What are currently the most vital global black markets and how do cybercriminals access them?
There are a number of different types of digital black markets that fraudsters use. Much like in the real world, each type has its own prominent entity. The ways in which these are accessed usually differ, depending on the types of services or products offered. For example, in the physical black market world (e.g. illegal physical products such as guns, drugs or other non-digital services) the majority of markets are hosted via the Tor network. This is a platform that makes users anonymous, allowing both clients and hosts to hide their locations, ensuring that their activities and identities cannot be tracked.
In the fraudulent data world, the majority of markets and communities are actually still hosted on traditional HTTP-based sites, accessible from any computer with a normal web browser. One of the most prominent markets dealing in stolen credit card and dump data (track 1 + track 2 information taken from physical cards to allow for cloning) is an entity named Rescator – rescator.cm. Rescator.cm gained a lot of notoriety after the Target breach, as they were one of the main outlets through which the stolen Target card data was sold. Even though they are a clearly illegal entity, they are still online and accessible through a traditional website.
What information is traded most and what type of information gets the highest valuation?
Credit card information is probably the most prevalent type of digital data that is offered for sale. We see a huge number of username/password and credential data distributed online, but these are often given away for free unless they are associated with high value entities (i.e. internal bank systems, corporate database servers, etc.).
There are now hundreds of thousands – if not millions – of credit cards available through various underground markets and sellers. This is due to the ease in which many experienced criminals can monetize this data, and the guaranteed return from a financial card.
With regards to the information that holds the highest value, this is probably either online bank accounts, which allow fraudsters to directly access victims' savings accounts and attempt to execute large-value transfers to other compromised or mule accounts, or credentials for high-value organisations, which can be utilised by skilled individuals to extract additional data.
The general public usually assumes most cybercriminal rings are from countries like Romania and Ukraine. Based on your research, is that the case?
We still see a huge amount of activity coming from areas such as Romania, Ukraine, Russia and China. However, the ease with which malware can be accessed (for free), as well as the wealth of information and tutorials that are available, has enabled a new subset of users to partake in these kinds of activities. Previously, digital crimes were usually associated with highly skilled individuals from foreign states that had a significant amount of technical competency. Nowadays we are just as likely to see teenagers conducting malware attacks as we are the more traditional cybercriminal rings.
Although the malware packages being offered for free are now relatively old (e.g. Zeus, SpyEye, Citadel, etc.), they are still incredibly powerful tools that allow fraudsters to steal highly valuable data.
What type of malware is a hot commodity these days? Do you see a trend of malware-as-a-service replacing traditional malware?
POS malware and mobile malware have had a huge amount of focus over the past few years. As users migrate to mobile-based platforms and store more and more valuable digital information on their devices, fraudsters have started to realize the potential return from attacking mobile platforms.
POS-based attacks have been responsible for the compromise of hundreds of millions of details over the past two years alone.
Malware-as-a-service is an interesting concept that has been around for a few years now, but which still makes up a minimal percentage of the current market. The methodology first became popular with the advent of DBD (Drive-By-Download) exploit kit services, which offer fraudsters the ability to transparently infect users simply by getting them to visit a URL. However, the majority of malware samples are still offered as a distributable product rather than a hosted platform.
What are the privacy and financial implications of the massive data breaches we’ve seen in the past year?
Data breaches are a huge issue which we see increasing year over year. The biggest impact of data breaches is the distribution of large quantities of personal data that, even if not deemed valuable on its own, can be used in follow-up attacks.
Some users see the compromise of their username and password as a minimal risk. However, over 69% of individuals still engage in poor password policies, utilizing the same credentials on multiple sites. This leads to huge issues in a breach situation, with the data extracted being used to access individuals' digital identities on other sites.
Even an email address on its own carries a certain amount of risk. Fraudsters routinely distribute email lists which are used in phishing campaigns. These have evolved from the traditional fake bank emails seen in previous years, and more towards a mechanism to enable the distribution of malware.
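The follow-up attacks described in the answer above, in which credentials leaked from one breach are replayed against other sites, leave a recognisable footprint in a site's own authentication logs: a single source address cycling through many distinct usernames with a high failure rate, and the occasional success marking an account whose owner reused a password. The example below is an added illustration written for this page and is not code from the interview, from CSID, or from any product; the log line format, the sample addresses (RFC 5737 documentation ranges) and the usernames are all constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical web-login audit format, constructed for this example:
#   <ISO-8601 UTC timestamp> ip=<source> user=<username> result=OK|FAIL
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one address walks a list of leaked usernames (one reused
# password works), one address hammers a single account, one is an ordinary user.
SAMPLE_LOG = """\
2015-03-01T10:00:01Z ip=198.51.100.20 user=alice result=OK
2015-03-01T10:00:05Z ip=203.0.113.7 user=alice result=FAIL
2015-03-01T10:00:06Z ip=203.0.113.7 user=bob result=FAIL
2015-03-01T10:00:07Z ip=203.0.113.7 user=carol result=FAIL
2015-03-01T10:00:08Z ip=203.0.113.7 user=dave result=FAIL
2015-03-01T10:00:09Z ip=203.0.113.7 user=erin result=OK
2015-03-01T10:00:10Z ip=203.0.113.7 user=frank result=FAIL
2015-03-01T10:00:30Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:00:31Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:00:32Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:00:33Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:00:34Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:00:35Z ip=192.0.2.9 user=carol result=FAIL
2015-03-01T10:01:00Z ip=198.51.100.20 user=alice result=FAIL
2015-03-01T10:01:05Z ip=198.51.100.20 user=alice result=OK
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source addresses that, within any sliding time window, attempt
    at least `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`. A single account being brute-forced is deliberately not
    matched: that is a different pattern with a different response."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if not e["ok"])
            ratio = failures / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(ip)
                # Keep the widest window seen for this address.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "failures": failures,
                        "attempts": len(win),
                        "first_seen": win[0]["ts"],
                        "last_seen": win[-1]["ts"],
                    }
    return flagged


def compromised_accounts(lines, flagged):
    """Accounts that logged in successfully from a flagged address: these are the
    users whose reused password worked, and the ones to force a reset on."""
    hits = set()
    for e in map(parse_line, lines):
        if e and e["ok"] and e["ip"] in flagged:
            hits.add(e["user"])
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    flagged = detect_credential_stuffing(lines)
    for ip, info in flagged.items():
        print(f"{ip}: {info['distinct_users']} users, "
              f"{info['failures']}/{info['attempts']} failed")
    print("accounts to reset:", sorted(compromised_accounts(lines, flagged)))
```

On the constructed log the only address flagged is 203.0.113.7, with six distinct usernames and five failures out of six attempts, and `erin` is the one account to reset; the single-account brute force from 192.0.2.9 and the ordinary user's typo from 198.51.100.20 both fall below the distinct-user threshold. In production the same rule would run over the real login audit stream, and the reset list is the part that matters most, because the successful logins are the ones that do not trip any lockout.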