To increase their level of sophistication and effectiveness, raise their collective capabilities and maximize their profits, threat actors collaborate and share resources with one another, providing them with the ability to launch more threatening attacks. According to the World Economic Forum Global Risk Report, these organized cybercriminals are better able to avoid law enforcement agencies, having only a 0.05% chance of detection and prosecution.
In this blog post, we will delve into the world of cybercriminal collaboration where we will explore the dark underworld of how cybercriminals conduct their business by working together to elevate their threat.
Image: CSO
The Power of Cybercriminal Collaboration
A variety of different threat actors exist, each with their own skill, motivation, end goal, and level of cooperation with other threat actors. Cooperation is often sought out by different cybercriminals as this allows them to leverage their combined knowledge, technology, and tools to carry out more complex and sophisticated attacks, potentially targeting larger and more lucrative targets. Additionally, working together and sharing ideas allows cybercriminals to increase their level of efficiency and innovation to further develop their attacks and increase their likelihood of success. This can significantly impact individuals and businesses financially and in terms of their reputation.
Cybercriminal groups can also use collaboration to minimize risks and cover their tracks by spreading their operations across different jurisdictions and using multiple layers of encryption, deception, and obfuscation to evade detection and attribution. This can make it harder for law enforcement agencies and security researchers to identify and dismantle their operations.
These threat actors generally collaborate in two ways; either ad hoc as lone threat actors who rent or sell their service to other threat actors, also known as Cybercrime-as-a-Service (CaaS), or in an organized group where their activity is aligned and the attack from start to finish is an orchestrated effort.
Cybercrime-as-a-Service
Developing advanced cyber tools or services that get sold or rented to others, is known as Cybercrime-as-a-Service (CaaS). Essentially, malicious payloads are being sold in a business model that grants less knowledgeable threat actors with the ability to benefit from and use the capabilities from more advanced threat actors to launch more sophisticated and successful attacks. This allows a greater amount of threat actors to play a part in the cybercriminal world. This business model has created a more fragmented operation with multiple threat actors involved, ultimately complicating threat attribution, as the threat actor who gained initial access to a system is no longer necessarily connected to the affiliate threat actor.
Threat actors do this with malware (Malware-as-a-Service), ransomware (Ransomware-as- a-Service), Phishing (Phishing-as-a-Service), and Exploits (Exploit-as-a-Service), to name a few. In Phishing-as-a-Service, for example, threat actors provide users with access to a phishing kit that most often contains email templates for sending messages to victims, templates for fake brand impersonated websites that victims will be directed to, detailed user instructions, customer support, and sometimes even lists of potential targets.
The images below show an example of a phishing kit, where buyers get access to a brand impersonated content for Alibaba.com, including a fake login website and email message.
Organized Group Collaboration
Cybercriminal groups can be highly organized and operate like businesses, with the division of labor, hierarchy, and rules for member behavior, such as in the example below showcasing the organizational structure of CONTI. They may also use specialized tools and techniques to evade law enforcement and cover their tracks. This can make it harder for law enforcement agencies to detect and prosecute these groups. Furthermore, the use of specialized tools and techniques can make these groups even more effective at carrying out attacks, as they may be able to take advantage of vulnerabilities that are not well-known or understood by the broader cybersecurity community.
Source: RiskInsight
By operating as part of a larger group or gang, with each member specializing in a particular area, it allows the individual actor to focus on their specific area of expertise. For example, one member may specialize in developing malware, while another may focus on carrying out phishing attacks. This type of specialization allows for the creation of highly effective and complex attacks that can be much more difficult to detect and prevent.
The Hidden World of Cybercrime Marketplaces, Forums and Chat Rooms
Online forums and marketplaces have become a common ground for criminals to buy and sell goods and services as well as share knowledge and expertise in a relatively safe and anonymous manner. These forums and marketplaces are often hidden on the dark web, making it harder for law enforcement to monitor and take down illegal activity. Cybercriminals can purchase a wide range of goods and services, including hacking tools, stolen data, and even access to compromised systems. This makes it easier for them to carry out attacks that would be much more difficult to execute alone.
A Russian marketplace selling stolen account data from various websites
One of the key benefits of these online forums and marketplaces is their anonymity. This anonymity is provided through a lack of tracking and the use of cryptocurrency, making it easier for cybercriminals to trade illegal goods and services without being traced. It also makes it easier for them to collaborate with other criminals, share knowledge and expertise, and create more sophisticated attacks.
More recently, many cybercriminals have migrated to messaging apps to avoid being monitored by administrators in forums, and experience increased anonymity and privacy controls. The messaging app, Telegram is most widely used as it offers a simple and secure method of communication where cybercriminals can message one another individually or in groups, send and receive large data files, and join channels that align with their specific interests and goals.
Threat actor on Telegram selling scam login page for America First Credit Union
Addressing the Evolved Threat
Bfore.Ai provides organizations with the necessary tools to safeguard their brand and manage the evolved threat of cybercriminals synergizing. Bfore.Ai's PreCrime Technology identifies potential cyber threats before they occur. By leveraging machine learning and artificial intelligence, Bfore.Ai can identify patterns and anomalies in data to identify and preempt cyber-attacks. This proactive approach can help businesses stay ahead of cybercriminals and protect their valuable assets from the damaging effects of cybercrime.
Take control of your brand’s reputation and schedule a demo with Bfore.ai today to see how we can help your company stop brand attacks.
