In early October 2020, Europol released their Internet Organized Crime Threat Assessment (IOCTA) 2020, detailing the latest trends and impacts of cybercrime. After reading over the report, we wanted to explore some of their main points as they pertain to Digital Shadows (now ReliaQuest)’ research. This blog will revisit some of Europol’s leading trends and expand on relevant research we have conducted in recent months. 

More specifically, we want to dissect the following topics:

  1. Business email compromise (BEC) and attackers’ increasing use of qualitative tactics, targeted methods, and their impact on organizations. 
  2. Cryptocurrency remains a primary currency on cybercriminal forums and marketplaces, considerably due to its anonymization perks. 
  3. Ransomware continues to be one of the most popular and detrimental attack methods, affecting organizations of all sizes, geographies, and sectors.  
  4. Dark web marketplaces and forums are incredibly volatile. They are created, gain traction, then disappear for a myriad of reasons – the cycle continues. 
  5. Dark web community administrators continue to be resilient and innovative in implementing new features and security measures to enable a safer dark web experience. 
Europol on Twitter
(Source: @Europol on Twitter)

“BEC remains an area of concern as it has increased, grown in sophistication, and become more targeted.”

For the fifth year running, BEC attacks, a specialized form of phishing, comprise the highest reported financial loss, a whopping $1.8 billion in 2019. In July 2020, Digital Shadows (now ReliaQuest) released an extensive report on Account Takeover (ATO), including the analysis of over 15 billion exposed credentials. Throughout the report and into our blog series, we explored BEC and the sheer impact it has on organizations

From Exposure to Takeover

The fallout from a credential breach extends beyond an organization and to its customers. The relevant accounts can hold (or have access to) incredibly sensitive information. Digital Shadows (now ReliaQuest) found that more than two million of the compromised credentials we identified contained email addresses and usernames related to departments dealing with sensitive information – [email protected] or [email protected], for example.

We found that email addresses containing “invoice” or “invoices” were by far the most common, accounting for about 1.3 million of the 2 million credentials. “Partners” and “payments” were tied for second place, both with roughly 200,000 credentials. Just imagine the type of data sitting in accounting inboxes! An attacker who gets their hands on credentials for valid accounts could inflict untold damage: logging into internal databases, exfiltrating sensitive data, or launching social-engineering attacks.

BEC has several different variants, but in one standard method, the attacker can either impersonate an executive’s email address or use a compromised business email account to target an employee, customer, or supplier to move funds or confidential information to the phisher. While they are not nearly as widespread as other, more common phishing attack types, the profitability offered by a successful BEC attack (think millions of dollars) continues to attract cybercriminals.

Trends from 2019 revealed a significant increase in BEC attacks that explicitly targeted the diversion of payroll funds. It is highly likely that threat actors will continue to use this method for monetary gain in future attacks. 

“Cryptocurrencies continue to facilitate payments for various forms of cybercrime, as developments evolve with respect to privacy-oriented crypto coins and services.”

Over the past ten years, cryptocurrencies have become the go-to form of payment for the less law-abiding citizens of the world due to their secure and anonymous nature. The now-defunct dark web marketplace Silk Road pioneered Bitcoin’s use back in 2011, and other cybercriminal platforms soon followed. Even today, the use of cryptocurrencies shows no sign of abating; Forbes reported that the total value of Bitcoin transacted on the dark web grew by 340% over the past three years, with an increase of 65% in the past year alone. 

While Bitcoin has generally been the most popular cryptocurrency among cybercriminals since its launch in 2008, several thousand alternative cryptocurrencies (“altcoins”) have been created in the intervening years, and names such as Litecoin, Ethereum, and Monero have become familiar terms in the dark web scene. Monero, in particular, has represented a real challenge to Bitcoin’s crown since its creation in 2014, mainly in part due to its core belief in security and the increased demand for anonymity. Being the original decentralized cryptocurrency, Bitcoin has been the staple of the cryptocurrency world since the beginning. This has naturally led to more media exposure and time to become the majority’s go-to cryptocurrency; it is popular, easy to get a hold of, and primarily accepted across an array of platforms. A textbook case of supply-and-demand. However, Bitcoin’s level of exposure has come at the risk of anonymity and law enforcement becoming more adept at tracing the blockchain.

Privacy Coins
(Figure 1: Altenen user discussing “privacy coins”)

As the most anonymous cryptocurrency on the market, Monero has represented a haven for threat actors recognizing Bitcoin’s value and its weaknesses due to its exposure and traceability. Monero has been seen as a way forward in an even more anonymous and secure payment method. As the demand for Monero has increased, both vendors and cybercriminal platforms have reacted accordingly. High profile takedowns of forums and marketplaces also highlight that maybe anonymity and security needs to take precedence over ease of access and usability if cybercriminals want to improve. Still, Monero might not be the answer the cybercriminal community has been looking for; after six years on the market, Monero has yet to reach the same level of exposure as Bitcoin, and the recent announcement of Monero reportedly being to some degree traceable might slow down its recent surge in popularity. 

Bitcoin is still the most accessible and widely accepted cryptocurrency within the dark web community and is not likely to go away anytime soon. This is primarily due to its market share hold and the visible effort by threat actors to develop methods, tools, and services to secure Bitcoin. The case of Monero has shown that there are an array of alternative cryptocurrencies lining up which, if striking the balance of demand and security right, might eventually topple Bitcoin from the top — but only when the cybercriminal community starts to fully unite behind more anonymous and secure cryptocurrencies, such as Monero, will we begin to see a real shift.

“Ransomware remains the most dominant threat as criminals increase pressure by threatening publication of data if victims do not pay.”

Ransomware continues to be a thorn in everyone’s side, and attacks have evolved over the years to be impressively sophisticated and targeted. As ransomware was once primarily a threat to consumers (coined the “spray and pray” method), threat actors have switched gears to methodically target businesses, likely due to the sheer profitability and monetary value of employee data and organizations’ proprietary information. While 2019 was a big year for ransomware, which included the fall of GandCrab, the rise of Sodinokibi, and persistent attacks against various sectors with variants like Ryuk, 2020 has proven to be even more of a volatile epoch for organizations facing ransomware threats.

Ransomware operators have realized that there are alternative ways of monetizing the data they have encrypted, which can pressure companies more effectively into paying the ransom demands. This has led to the emergence of many ransomware data dump sites. This “pay or get breached” trend, when combined with a surge in new variants, makes ransomware an understandably prescient topic right now. Digital Shadows (now ReliaQuest) tracks a large number of ransomware dump sites. Unsurprisingly, the security teams we work with need this visibility to understand if their suppliers have been referenced on any of these ransomware blogs. Almost 80% of the Digital Shadows (now ReliaQuest)’ intelligence tippers are associated with just four ransomware data dump blogs – Conti, NetWalker, Sodinokibi, and Maze.

As criminals shift to target businesses and deploy enterprise-crippling ransomware, it is highly likely that organizations will have to strategically consider the reality of potentially falling victim to future ransomware attacks. With the introduction and continuous trend of the pay-or-get-breached ransomware model, organizations will also have to begin processing ransomware attacks like data breaches. In the coming months and years, it is highly probable that ransomware operators will continue to use multiple attack vectors, including vulnerability exploitation, spearphishing, and brute-force techniques as a method of compromise for monetary gain and sensitive data collection.

“The dark web environment has remained volatile, life cycles of dark web marketplaces have shortened, and no clear dominant market has risen over the past year compared to previous years to fill the vacuum left by the takedowns in 2019.”

We have repeated time and time that cybercriminal marketplaces and forums are incredibly volatile. In September 2020, a joint international operation resulted in 179 individuals’ arrest and the seizures of USD 6.5 million and 500 kilograms of illicit substances. The successful outcome of Operation DisrupTor (pause for appreciation of the operation name) elicited some strong words from the head of Europol’s European Cybercrime Centre (EC3). According to the EC3, “the hidden internet is no longer hidden, and your anonymous activity is not anonymous,” followed by Europol claiming that “the golden age of the dark web marketplace is over.”

This discovery caused us to have a retrospective look at the history of dark web marketplaces, a gander down dark web memory lane if you will. How can one forget Silk Road and the “Dread Pirate Roberts”? Silk Road was one of the first dark web marketplaces to conduct sales using the once-strange concept of Bitcoin in February 2011. It quickly gained notoriety and popularity, but popularity drew attention from criminals and law enforcement alike. In 2013, as a result of action taken by the FBI, Silk Road was no more, and dark web marketplaces took off in the wake of its demise. Dread Pirate Roberts, Silk Road’s founder, received a life sentence, which was likely meant to be a deterrent. Still, some reports claim that dark web activity and drug listings multiplied after Silk Road’s fall.

We have observed multiple instances of dark web forums and marketplaces disappearing due to platform attrition, technological pitfalls, security errors, and law enforcement takedowns, including the Agora marketplace, AlphaBay, Hansa, Dream Market, Wall Street Market, and even more notable markets such as Apollon and Empire markets.  

(Figure 2: Empire Maret branding)

Clearly, there is a trend here. A dark web marketplace is created, it becomes popular, and it’s taken down – rinse and repeat. While Operation DisrupTor was, in many ways, a successful operation and a landmark for law enforcement activity from a dark web marketplace perspective, the belief that the “Golden Era” of dark web market activity is over is a bit far-fetched. It would be naive to assume that cybercriminals are unaware of law enforcement representatives maintaining a presence in these forums and marketplaces. In turn, this presence doesn’t stop them from continuing their wicked ways as the risk of being caught and likely will not outweigh the monetary reward they are achieving. The historical seizures of dark web marketplaces and marketplace exit scams have continually resulted in marketplace successors quickly taking over as top dog.

“The nature of the dark web community at administrator-level shows how adaptive it is under challenging times, including more effective cooperation in the search for better security solutions and safe dark web interaction.”

The dark web is incessantly plagued with DDoS attacks that knock cybercriminal forums and marketplaces offline, whether threat actors are incentivized by the thought of a significant pay-day through an extortion attempt, rival platforms disrupting their competition, or law enforcement trying to disable the platform. In May 2020, a Dread moderator announced a DDoS protection filter mechanism called “EndGame””EndGame” that would be free for the community. In a nutshell, EndGame is a collation of tools designed to prevent DDoS attacks on the front end against both dark web services, and whoever else might be interested. The collaborative effort to find a possible solution to an ongoing problem indicates the community’s intent to stop DDoS attacks against dark web services once and for all. While we cannot tell whether EndGame will eradicate DDoSing activities across the dark web community, a tool-set offering a number of features, customizations, and solutions moves the scene into a much better position than before.

In November 2019, a dark web search engine called “Kilos” emerged from the depths of the cybercriminal underground, ostensibly to play the role of new heavyweight champion of search engines for cybercriminal marketplaces, forums, and illicit products. And with this title, Kilos recognized the need to stand out from the crowd and ensure its entrance onto the scene was not one to be forgotten. Kilos possibly evolved from the well-known dark web search engine “Grams,” which ceased operations in 2017. Both Grams and Kilos are dark web search engines that imitate the Google search engine’s renowned design and functionalities. In a clever play on words, both follow a naming convention inspired by units of measure. Since going online in November 2019, Kilos appears to have taken on the task of indexing more platforms and adding more search functionalities than Grams ever did. Kilos has also introduced updates, new features, and services that aim to ensure security and anonymity for its users and add a more human element to the site not previously seen on other prominent dark web-based search engines.

kilos dark web search engine interface with advanced filtering
(Figure 3: Kilos search engine interface with advanced filtering options)

In response to law enforcement coalitions tackling cybercriminal vendors on marketplaces, and their ability to track down vendors, criminal marketplace administrative teams may take more security-aware approaches, such as implementing PGP encryption, two-factor authentication (2FA), and leveraging Monero (XMR) to avoid tracking. Ultimately, cybercriminal marketplaces still have a purpose; it just might be in a different guise as to what it is now. While this may be the end of the golden era of marketplaces as we currently know them, vendors will still need to advertise via an open platform to acquire as many buyers as they can. 

We’ll see what they come up with next. 

Interested in learning more about BEC, ransomware, and dark web forums and marketplaces? Trust us, there’s plenty more to unpack – join us on the Digital Shadows (now ReliaQuest)’ Resources Center