WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
We often hear lines like “your past will always catch up with you, no matter how hard you try to make it go away,” stark reminders that the decisions we make today will impact the results of tomorrow. This phrase rings particularly true in the world of cybercriminals. History has served up multiple examples of crooks undone by their past mistakes. So is the criminal underground contributing to its downfall?
“Think before you register.” (Source: RaidForums)
Digital Shadows (now ReliaQuest) recently observed a moderator on a cybercriminal forum abruptly denying a member’s request that their account be deleted, pointing to the forum rule that accounts will not be removed for any reason, along with the tagline ,Think before you register.” This denial got us thinking: If they cannot cover up their past, are cybercriminals playing a dangerous game, waiting for their earlier mistakes to come back to haunt them?
Read further on our free research report, The Modern Cybercriminal Forum, here.
In the real world, we all develop as individuals through age, life experiences, and knowledge. To look back over our life and cringe at moments we wish hadn’t happened is only human nature. But what if some moments—especially illegal acts—haunted you for the rest of your life? Instead of learning from these moments, you might be constantly fearful that your previous self may have landed your future self in prison. This is where the issue of forum account deletions comes into the equation.
Imagine signing up for a cybercriminal forum with an email address that you thought was secure at the time. Still, it was loosely tied to your real-life identity (e.g., an email address referencing your name or an email obtained using your real-life details). As a complete newbie eager to learn, you begin to actively partake in forum life, learning whatever you can, developing your skills, and honing your trade until you start to become a member that others look up to. Loving your newfound status, you begin to join more advanced criminal forums with selected niches such as carding, fraud, and hacking, but—not wanting to lose the reputation tied to your original moniker—you sign up to these platforms under the same alias. Although the criminality level is more advanced, these sites bring more opportunities to make money and further establish yourself as a key player in the cybercriminal underworld.
One day, the forum administrator of one of these platforms is arrested for a deal gone wrong. At the point of arrest, the law enforcement agency involved manages to acquire the administrator’s credentials to the forum and extract data, including private messages, user information, email addresses, and Jabber IDs. Unfortunately for you, your username pops up on law enforcement’s radar as one of the site’s movers and shakers. But you’re not worried; you have good OPSEC practices, and you signed up to the forum with an encrypted email address separate from your real identity…
But wait, what about the username? Law enforcement officials can cross-reference this identifier to find linked accounts on other forums. Worse still, they could stumble across your account from your younger criminal days that you had completely forgotten. With a little digging, your real name and home address are uncovered thanks to this old account. With one small error of judgment from 10 years ago caused by inexperience and naivety, your life starts crumbling around you, and you are contemplating life behind bars.
This might sound a bit far-fetched, but there have been numerous instances where simple misjudgments have been the undoing of high-profile threat actors. A good example is the high-profile arrest of Canadian citizen Alexandre Cazes, the administrator of the notorious, now-defunct dark web marketplace AlphaBay. Investigations into the email headers in messages sent by Cazes to a marketplace user revealed an email address that law enforcement managed to tie back to Cazes, ultimately leading to his downfall. And who could forget Dread Pirate Roberts, the notorious Silk Road creator, undone by using a personal email that referenced his full name, Ross Ulbricht, on a forum post tied to an associated moniker asking for programming help for the marketplace. Both cases show how historical errors of judgment have come back to haunt a user who thought they would never get caught. A final example involves the creator of the popular Anubis banking trojan, arrested in 2019 following their use of a real-world IP address and how it was associated with an email address that was subsequently used to sign up for the Russian cybercriminal forum Exploit.
While many Russian-language forums conduct “purges” to remove old accounts, it is common for unused accounts to be deactivated rather than deleted. Essentially, this means the requesting account cannot be accessed by anyone else, and the account is appropriately marked up as deactivated on the forum. Interestingly, however, the user’s profile page and posting history can still be viewed and analyzed long after they have “left” the site. So although administrators do facilitate account deletion requests to some extent, other members can still retroactively search for the deactivated user and review their forum activity.
Despite the many differences between the English and Russian-language cybercriminal communities, the two scenes appear to be aligned on the issue of account deletion. Both English- and Russian-language sites tend to favor account deactivation or disablements over deletion. Perhaps one scene follows the precedent set by another, or maybe both recognize specific issues that come with account deletions and the difficulty of facilitating these requests on an individual basis.
The logical conclusion here is that cybercriminal sites should allow their members to request old accounts to be deleted to clean up their Internet history. In the real world, GDPR gives us the “right to be forgotten.” Moreover, you’d think forums would be happy to “tidy up” old and unused accounts. Yet, specifically on the English side, similar posts identified across Cracked TO, Nulled, and RaidForums all who refuse account deletion requests remind us that the cybercriminal world doesn’t operate like the real world.
We don’t know precisely why forum account deletions are so problematic. One RaidForums post stated, “deletion generally takes high db privileges. Which in those cases means that only an admin can do it and they have enough on their hands”. This argument is supported with a similar scenario on the cybercriminal forum Cracking org. An account deletion request was denied by the administrator, who instead offered to disable the requesting account. This indicates that the issue may relate to permission levels to the underlying user databases behind a forum. If a forum’s database can only be accessed by an approved administrator, an administrator must log in each time, manually search, find, and delete the specific user entry. This not only takes time but could lead to accidentally deleting users with similar names. Therefore, the forum admin’s possible way around this is to permit forum staff members to mark up accounts as disabled or deactivated, ultimately saving time and sharing the workload.
Another reason for preventing account deletions could be account reactivation and future scam attempts. If an account is permanently deleted, then the original owner runs the risk of that reputable username falling into the hands of a scammer who might try to benefit from the username’s previous success by creating a similar-sounding or even identical moniker. If the original owner can return to an account they previously owned and reactivate it— an efficient way to solve it. We have seen this numerous times in the past when users attempt to create forum accounts in the guises of other popular accounts by slightly altering the username, e.g., “GnosticPlayers” on RaidForums and the potential copy-cat accounts “GnosticPlayers1” and “GnosticPlayers2,” all stating they were the legitimate threat actor. Even though each of these accounts was subsequently banned for “multi-accounting,” it shows the difficulty facing forum administrators in allowing full account deletions.
If the cybercriminal world is aware of various high-profile arrests and how cybercriminals have been linked to associates, identifiers, and past activities through a trail of old aliases and usernames, surely forum administrators would be more than willing to make life more difficult for law enforcement?
Instead, it seems that, regardless of geography, a forum administrator’s time and resources outweigh the threat of arrest or blowback from any single user. In other words, how a threat actor conducts themselves on a forum is solely their responsibility. Though there are justifications for not facilitating account deletions (accessibility, purging, and account scammers), the risk of exposure remains prevalent as an individual responsibility to be shouldered for cybercriminals. If a user truly wants their account deleted, their only hope is for the forum to either shut down or be seized. Still, even this can be negated if a forum is brought back to life from an old forum back up years later ( e.g., the defunct forum DamageLab in its current iteration as XSS).
Though not so good if you are a reformed cybercriminal with a less-than-stellar past, this trail is spectacular intelligence for security teams. Say, for instance, a direct threat is made against your organization on a cybercriminal forum from the alias “c00kie_monster”. Threat intelligence can be gathered on the history of this alias’s activities across the deep and dark web to determine if the threat holds real risk, report on the sophistication and TTPs of the threat actor, and mitigate against the risk.
Photon continues to closely monitor the cybercriminal landscape, looking for more unique insights to understand the threat organizations’ delicate dynamics are facing. If you’d like to search the dark web and cybercriminal underworld for malicious mentions of your organization or exposed data for sale, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.
Alternatively, you can individually access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.