Why cybercriminals use forums and the dark web on a large scale

The amount of cybercrime activity has increased in recent years, despite attempts by various authorities to reduce these numbers. The underworld of the internet, especially forums and the dark web, is a popular place for cybercrime to spread. Recently, security company Trend Micro conducted research to discover some trends, which we discussed with Technical Director Rense Buijen.

The activities of criminals on forums and the dark web received a lot of attention a few years ago, mostly because of the popularity of Silk Road, a marketplace where criminals traded their illegal goods (such as drugs and weapons). The American FBI and Europol worked hard to take down this marketplace. Eventually, they succeeded. Several key figures were arrested and convicted.

The takedown of Silk Road didn’t mean all the illegal activities suddenly stopped. It is still popular to trade all kinds of products and services this way. In addition to illegal drugs and weapons, this also includes ransomware and botnets. The underground forums and the dark web pose a significant risk to companies because they also influence the operations of cybercriminals.

Easy, anonymous and lucrative

The popularity of the forums is due to several factors. For example, it’s relatively easy to access a forum, Trend Micro’s Technical Director explains. There are underground forums that you can access from your regular internet browser without any additional security steps, like the use of a VPN. All a user needs is the URL of a forum and maybe a translator because these forums might not always be in English. In addition, there are also marketplaces that users can only access with additional security measures. The Tor network is commonly used to ensure the user is anonymous because every internet request is processed through many other servers. Also, when buying a product or service, the user remains fairly anonymous, because cryptocurrency is used by default. In this case, the user is located on the so-called dark web, the part of the internet that regular users do not have access to. Buijen made it clear that users with a bit of IT knowledge are usually able to access an underground forum by doing some research.

In addition, the operations conducted on this part of the internet are also lucrative. Trend Micro’s research tells us stolen accounts are by far the most popular among visitors. Visitors can buy an account for a streaming service for about 1 euro. Hackers often steal these accounts through a successful attack on a database with hundreds of thousands of accounts. These accounts can be sold in bulk via the dark web, and these sales are often automated. Hackers can earn a lot of money this way.

Despite these developments in favor of criminals, the report states that efforts by the police and other authorities seem to have an impact on the underworld. International police operations have removed several forums. In addition, existing forums are reported to experience persistent DDoS attacks and login problems, undermining their efficiency.

Ransomware is a concern

Ultimately, many illegal transactions take place on this part of the internet, and there’s a trade in a wide variety of products and services. For companies, there are some worrisome developments. Buijen’s biggest concern is the influence of the dark web on the development of malware, especially ransomware.

The Trend Micro report indicates that the transaction volume of ransomware does not rank among the biggest in the forums. This is partly due to the price of ransomware and the fact it is not easy to use these services. Ransomware, however, remains a significant source of income for cybercriminals. In 2016, no less than 1 billion dollars (885 million euros) was earned worldwide with ransomware, an amount that in the meantime is expected to have grown even further.

What is worrisome is that ransomware is always innovating. This means offering attacks ‘as a Service’ and developing hybrid variants. Ransomware as a Service (RaaS) is often developed by advanced cybercriminals who often have a lot of experience in creating malware and offering criminal services. The RaaS operators develop the ransomware, support and payment sites, while the person who purchases the RaaS product carries out the attack. The creators of RaaS earn money by charging a percentage of the ransom paid or by charging a license fee. Other types of malware are also offered to potential customers through an as a Service model. These types of malware seem to be very lucrative because of the revenue model, but also because hackers who purchase RaaS are encouraged to advertise the RaaS service to other hackers to earn more money.

In addition, hybrid variants of malware also emerge, which pose a danger to companies. Buijen quotes a report by Intel 471 on this issue, which discusses attacks that combine Emotet, Ryuk and TrickBot. This is called a ‘loader-ransomware-banker trifecta’, in reference to the built-in versatility. Emotet, Ryuk and TrickBot are already very effective on their own, but by combining ransomware and Trojan elements, they potentially cause even more damage. Emotet and TrickBot are Trojans with downloader components that allow them to download new malicious components. A hybrid attack can install Ryuk ransomware on the endpoint.

Less trust

Cybercriminals seem to connect more often, which may lead to increased efficiency. At the same time, Trend Micro’s data shows that there is a loss of trust. As a result, vendors are looking for new ways to communicate. Whereas previously Telegram was a popular communication channel, last year Discord became a popular tool for criminals. Underground forums are currently using private Discord channels to complete transactions.

The conflict between authorities and cybercriminals is beneficial for the authorities but seems to have made criminals more cautious. For example, the lack of trust among cybercriminals further led to DarkNet Trust, a website to validate vendors and increase anonymity. Other underground markets introduced new security measures, including encrypted messaging and multi-signatures for cryptocurrency transactions.

Cheaper and/or continued demand

Trend Micro is basing its research on recent data, although shifting trends are also observed based on similar studies in previous years. The company observes a drop in prices of many cybercriminal products and services. Some examples are crypting services and generic bots, which previously cost 1,000 dollars a month and 200 dollars a day. The prices of these services are now 20 dollars a month and 5 dollars a day. Prices of other cybercrime products, such as ransomware and Remote Access Trojans, remained unchanged due to continued demand.

In addition, it is noteworthy that Access as a Service as a market is emerging on the forums and the dark web, which causes concern among companies. Access as a Service sells access to hacked devices and corporate networks, often to launch malicious activities aimed at large companies. Access to business data often costs more than 1,000 euros. Criminals even trade in access to the largest companies in the world.

The Trend Micro report shows that there are positive and negative trends going on regarding forums and the dark web. The efforts of authorities seem to have positive impacts. At the same time, worrisome new developments are taking place that could increase the popularity of cybercrime products. The battle between the two sides will likely go on for the time to come.
