The ongoing COVID-19 (aka coronavirus) pandemic is having a highly detrimental effect on most businesses and organizations, yet companies linked with antibacterials and cleaning products, for example, will likely experience record sales. In yet another example of the dark web mirroring real life, the situation is no different in the cybercriminal underground.

Digital Shadows (now ReliaQuest) has observed threat actors operating on cybercriminal forums and marketplaces expressing their worries and a sense of desperation as to how the pandemic will affect their established business models. Some are urgently trying to adapt their offerings to survive in this vastly changed landscape. Other cybercriminals see an opportunity to profit from mass hysteria and panic or take advantage of the increased online exposure that virus-tackling measures have inadvertently caused.

 

Opportunity

Digital Shadows (now ReliaQuest) has observed threat actors on multiple Russian- and English-language cybercriminal forums initiating threads to discuss the likely impact of coronavirus on established services and offerings and the different types of cybercriminality that might be boosted by this unprecedented situation.

 

Online carding

Many of us are currently either being forced to self-isolate or are reluctant to leave our homes to visit physical shops, which has led to a huge surge in online transactions as people order deliveries to their doorsteps, a point that has not been missed by cybercriminals.

example of discussion thread comment

Example of discussion thread comment

 

  • In one discussion thread on the gated Russian-language carding forum Verified, one user predicted a rise in credit and debit card transactions with the increased numbers of people working or studying at home. The user opined that this would benefit carding activity because “the greater the volume and diversity of transactions, the more difficult it is to attribute fraud”.
  • A user on the high-profile Russian-language cybercriminal forum Exploit echoed this viewpoint, stating that as “everyone is afraid to go out on the streets”, they are choosing what they think is a safer option and paying online or with cashless methods in shops, which will cause carding to “develop even more”.
  • Although not explicitly stated in the forum discussion threads, increased online shopping could lead to increased online fraud for a number of reasons, including less cyber-savvy consumers using online platforms more than they usually would and businesses standing up rushed online shopping systems that don’t protect customer details as well as they could.

According to data from online bank Starling, online shopping (which usually accounts for less than a third of transactions) outstripped all other forms of spending among the bank’s customers in the United Kingdom for the first time on 24 Mar 2020 (hitting 51.5% of transactions). It appears that these threat actors’ predictions of increased online shopping are being borne out, although it’s too early to quantify the effect of this on cybercrime.

 

Spreading malware

Current government advice in many countries across the world recommends that people work from home wherever possible, which has dramatically increased online activity.

Club2CRD commentary

Club2CRD commentary about increased opportunities for installing malware

 

  • One user on the Russian- and English-language carding forum Club2CRD pondered “how to get the maximum benefit from this quarantine”. They observed that as time spent online will likely increase globally during worldwide lockdowns, cybercriminals who specialize in rerouting or abusing Internet traffic “will not miss the moment” and that consequently the number and quality of malicious software installed via this method will increase.
  • There are many ways that cybercriminals could take advantage of increased online activity to spread malware, including interfering with IP addresses to direct increased numbers of people to fake websites hosting malware, or creating malicious advertisements on search engines to trick visitors into visiting harmful sites.

 

Adapting current business models for personal gain

Many users on cybercriminal forums have been discussing or exhibiting ways in which they can adapt their current business models to derive increased profit from the current situation.

  • An Exploit forum user who has been creating fake web pages for stealing credit card or bank details for many years updated their long-standing thread to offer COVID-19-themed fakes.

Exploit user offering coronavirus-themed fake email and website creation

Exploit user offering coronavirus-themed fake email and website creation

 

  • Digital Shadows (now ReliaQuest) has also observed several marketplace vendors who have previously been engaged in drug sales and/or carding relating activity who have now pivoted to advertising “coronavirus face masks” or miracle corona-related cures on dark web marketplaces.

Marketplace listing offering a coronavirus vaccine

Marketplace listing offering a coronavirus vaccine

 

However, it is sometimes unclear whether the changes that cybercriminals are making to their business models are prompted by pure greed or whether they are actually necessary measures for vendors facing real financial challenges.

  • One vendor active on the cybercriminal community forum Dread and the dark web marketplace Empire has instituted a store-wide sale on their extensive range of drugs “In preparation for the lock downs happening across the country”. The vendor highlighted that customer safety was the service’s “highest priority” and that “to help protect you against the spread of the coronavirus, all packages we send are being thoroughly sterilized with a disinfectant and bleach solution prior to shipping for your protection”. Digital Shadows (now ReliaQuest) observed multiple other vendors with similar offerings.

Vendor announcing store-wide sale on Dread

Vendor announcing store-wide sale on Dread

 

  • Another Dread user recently announced a coronavirus-induced sale of cannabis products. Their post read “Stuck inside under coronavirus qaurentine while btc plummets? WizardofOZs has you covered introducing the internet breaking CoronaVirus sale – live now [sic]”, and promised “Lab-Grown dense and sugary bud delivered to your door by a dedicated darknet vendor“.

Cannabis products offered on Dread

Cannabis products offered on Dread

 

These vendors’ advertisements give no indication as to whether the services see an opportunity to profit from people’s boredom while being stuck indoors or fear that their business may be adversely impacted in the coming weeks. Certainly, other forum posts that Digital Shadows (now ReliaQuest) identified indicated a real sense of panic.

 

Desperation

The earlier threads discussing COVID-19’s likely effects on the cybercriminal underground contained doom-laden posts as well as the more optimistic comments highlighted above.

 

Travel and event fraud

In a thread on Verified, one user highlighted travel- and event-related fraud as a sector of the cybercriminal-related economy that could be particularly hard-hit, noting that “people are afraid of flying and the borders are closed”.

Club2CRD travel vendor’s coronavirus-related post

Club2CRD travel vendor’s coronavirus-related post

 

  • Another Verified user who maintains a long-standing thread offering fraudulent tickets for same-day events posted an update stating that “everything is closed for 2 weeks” as a result of the cancellation of events across the globe.
  • A Club2CRD user responsible for promoting the travel services provided by an established vendor appeared to be trying to ride through the situation, encouraging users to “RUN from coronavirus”, adding “Many routes are still available and open”.
  • A different Verified user initiated a pleading thread titled “find a job for an old man” to beg for additional income. The post stated that the user had worked since 2012 on fraud targeting tourism, hotels, air travel, and excursions, but that “since the world decided to spin up a cool scam codenamed ‘coronavirus’ which will likely lead to another crisis… I am left without earnings for an indefinite period”. They suggested that they could take on work registering or checking fraudulently obtained accounts, or any other unspecified work that would guarantee daily hours and payment, adding that they already had access to the anonymizing infrastructure required for this type of work. At the time of writing, the user had posted again to reiterate their request, indicating they had had no luck so far in finding work.

 

Drops and cashing out

The discussion threads on coronavirus’s impact also highlighted the effect the illness has already had on cybercriminals engaged in bank-related fraud, cashing out, and warehouse or bank drops.

  • One Verified user stated that their usual “dropworker” can’t work because banks in their unspecified location are closed. This likely refers to the individuals employed to visit banks to withdraw money from fraudulently acquired accounts, allowing cybercriminals to “cash out” their illicitly earned funds.
  • Another forum member stated that in Spain and Italy, dropworkers are “afraid to leave the house”.

On 17 Mar 2020 Amazon announced that they would be blocking all shipments of products other than food, medicines, and other products deemed “essential” to its warehouses in response to increased demand, meaning that both legitimate and cybercriminal vendors who make use of Amazon’s storage and delivery network to move their goods will no longer be able to ship these non-essential products.

  • One Verified member who has been offering a drop service buying carded goods for resale since February 2011 announced that “Due to force majeure circumstances beyond our control (coronavirus epidemic) Amazon is stopping accepting goods with the exception of food and medicine products until at least 5 April due to an inability to process warehouse restocking. From today it is impossible to send your illiquid assets [i.e. goods that are not hot commodities among an extensive audience] on Amazon. Please do not create new packs with illiquid asses [sic], they will not be paid for”.
  • Another drop service provider on Verified has been experiencing identical issues. They updated their longstanding thread to announce that they had been “forced to stop buying all illiquid assets”. They added that “in connection with the panic over the coronavirus we have already started to run into problems with delivery”.

Browsing messages and offerings on cybercriminal forums and marketplaces shows that coronavirus truly is proving to be a double-edged sword for threat actors. Some enterprising cybercriminals may be relishing the increased earning opportunities that the current crisis will bring them, while others will be aghast at the thought of the swift destruction of the business models and reputations that have taken years to develop.

It will be interesting to see how the cybercriminal landscape has altered once the storm has passed, and who has been able to successfully weather the situation.

 

Check out our other threat intelligence updates around Coronavirus here.