As Threat Actors Continue to Adapt their TTPs in the Current Threat Landscape, So Should You
Earlier this year, threat researchers at Cybersixgill released their annual report, The State of the Cybercrime Underground. The research is based on an analysis of the intelligence items that Cybersixgill collected throughout 2022 from the deep, dark, and clear web. The report examines the ongoing evolution of threat actor tactics, techniques and procedures (TTPs) in the Digital Age – and how organizations can adapt to reduce risk and maintain business resilience.
This article summarizes some of the report’s findings, including trends in credit card fraud, observations about cryptocurrencies, developments in AI and how they lower the barrier to entry for cybercrime, and the rise of cybercriminal “as-a-service” activity. Further below, I also discuss the need for a new security approach, combining attack surface management (ASM) and cyber threat intelligence (CTI), to counter the ever-changing methods of threat actors. Cybersixgill’s full report is available here.
1 — Credit card fraud is (mostly) on the decline
Credit card fraud has been a common threat, used frequently by underground cybercriminals for years. But some recent developments have slowed the flow and significantly reduced incidents of credit card fraud. Recently, we’ve seen a significant drop in sales of compromised credit cards on the black market. For example, in 2019, dark web markets listed around 140 million compromised cards for sale. The number decreased to around 102 million in 2020 and fell another 60% to almost 42 million cards in 2021. Finally, in 2022, the number fell again to only 9 million cards. The significant decrease in credit card fraud was mainly due to the following:
- Improvements in authentication and fraud prevention – Banks and financial institutions are using advanced authentication and “passwordless” methods that make cards more difficult to compromise, such as biometric authentication (for example, fingerprint and facial recognition), as well as PINs, EMV chips, and multi-factor authentication (MFA).
- Real-time fraud detection – Implemented primarily by credit card companies, real-time fraud detection systems use machine learning algorithms to analyze user behavior, spending patterns, and geolocation data in order to identify anomalies or suspicious activity. Once a transaction is flagged as suspicious, the issuer may request additional verification, such as asking a security question or sending an SMS verification code, making it more difficult for fraudsters to use stolen cards.
- Enhanced e-commerce security – Since 2021, e-commerce sites have adopted stronger security measures, such as two-factor authentication (2FA), address verification systems, and secure payment systems that comply with PCI DSS, making it more difficult for threat actors to steal credit card data from consumers.
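To make the real-time detection bullet concrete, here is an added example (written for this summary, not code from the Cybersixgill report or from any card issuer) of a simplified transaction scorer. It combines the signals the report names (spending pattern, geolocation, velocity) into a risk score and maps the score to approve, step-up verification, or decline. The thresholds, coordinates and transaction stream are constructed for illustration.

```python
"""Rule-based real-time card-transaction scoring (constructed example).
Each transaction is scored against the cardholder's history and mapped to
an issuer action; a high score triggers step-up verification or a decline."""
from dataclasses import dataclass, field
from math import radians, sin, cos, asin, sqrt
from typing import Dict, List, Tuple

# Tunable thresholds: assumptions for this example, not values from the report.
STEP_UP_THRESHOLD = 40
DECLINE_THRESHOLD = 70
MAX_PLAUSIBLE_SPEED_KMH = 900.0  # faster than an airliner implies impossible travel
VELOCITY_WINDOW_S = 600          # 10-minute window for transaction-count velocity
VELOCITY_LIMIT = 3               # this many prior txns in the window is suspicious


@dataclass
class Txn:
    ts: int          # epoch seconds
    card: str
    amount: float
    lat: float
    lon: float
    merchant_cat: str


@dataclass
class CardProfile:
    mean_amount: float                 # cardholder's typical spend
    usual_cats: set                    # merchant categories seen before
    history: List[Txn] = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    dlat, dlon = lat2 - lat1, lon2 - lon1
    a = sin(dlat / 2) ** 2 + cos(lat1) * cos(lat2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_txn(txn: Txn, profile: CardProfile) -> Tuple[int, List[str]]:
    """Return (risk score 0-100, reasons) without mutating the profile."""
    score, reasons = 0, []
    # 1. Spending pattern: amount far above the cardholder's baseline.
    if profile.mean_amount > 0 and txn.amount > 5 * profile.mean_amount:
        score += 35
        reasons.append("amount >5x baseline")
    # 2. Behaviour: merchant category never used before.
    if txn.merchant_cat not in profile.usual_cats:
        score += 15
        reasons.append("new merchant category")
    if profile.history:
        last = profile.history[-1]
        # 3. Geolocation: implied travel speed since the previous transaction.
        hours = max((txn.ts - last.ts) / 3600.0, 1 / 3600.0)
        speed = haversine_km(last.lat, last.lon, txn.lat, txn.lon) / hours
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            score += 40
            reasons.append(f"impossible travel ({speed:.0f} km/h)")
        # 4. Velocity: too many transactions inside the window.
        recent = [t for t in profile.history if txn.ts - t.ts <= VELOCITY_WINDOW_S]
        if len(recent) >= VELOCITY_LIMIT:
            score += 25
            reasons.append(f"{len(recent) + 1} txns in {VELOCITY_WINDOW_S}s")
    return min(score, 100), reasons


def decide(score: int) -> str:
    """Map a risk score to an issuer action."""
    if score >= DECLINE_THRESHOLD:
        return "decline"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"  # e.g. one-time SMS code or security question
    return "approve"


def process_stream(txns: List[Txn], profiles: Dict[str, CardProfile]):
    """Score transactions in order; non-declined ones extend the history
    (assumes any step-up verification succeeded)."""
    results = []
    for txn in txns:
        profile = profiles[txn.card]
        score, reasons = score_txn(txn, profile)
        action = decide(score)
        results.append((txn.card, action, reasons))
        if action != "decline":
            profile.history.append(txn)
    return results


def sample_run():
    """Constructed stream: routine local purchases, then a burst from abroad."""
    profiles = {"card-A": CardProfile(mean_amount=40.0, usual_cats={"grocery", "fuel"})}
    ny, london = (40.71, -74.01), (51.51, -0.13)   # constructed coordinates
    txns = [
        Txn(1_700_000_000, "card-A", 38.50, *ny, "grocery"),
        Txn(1_700_000_300, "card-A", 45.00, *ny, "fuel"),
        Txn(1_700_000_600, "card-A", 42.00, *ny, "grocery"),
        Txn(1_700_000_660, "card-A", 60.00, *london, "electronics"),   # abroad 60 s later
        Txn(1_700_000_700, "card-A", 900.00, *london, "electronics"),  # large, rapid
    ]
    return process_stream(txns, profiles)


if __name__ == "__main__":
    for card, action, reasons in sample_run():
        print(card, action, reasons)
```

The fourth transaction lands on step-up verification because the implied travel speed from New York to London in one minute is impossible, and the fifth is declined once the amount anomaly and transaction velocity stack on top of the unfamiliar merchant category. A production system would learn the baseline and weights from historical data rather than hard-code them, but the decision structure (score, then step-up or decline) is the same one the bullet above describes.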
2 — Cryptocurrencies: tools and targets
The hallmark of cryptocurrencies is that they are decentralized, allowing user anonymity and privacy. It’s no surprise, then, that cryptocurrencies are the preferred payment method for cybercriminals to purchase illegal goods and services, launder the proceeds of cyberattacks, and receive ransomware payments. As cryptocurrency has gained wider adoption for legitimate purposes, it has also become a target for threat actors, presenting new opportunities for “cryptojacking”, hijacking of digital wallets, illicit crypto mining, and siphoning of digital assets from crypto exchanges.
Even with the fallout from the crypto crash of 2022, the value of crypto among cybercriminals has only increased. As our report reveals, we saw a 79% increase in crypto account takeover attacks in 2022. (Ultimately, cybercriminals use crypto to move money, not to make money. While underground transactions are carried out in cryptocurrency, prices are listed in dollar value.) However, threat actors may eventually abandon cryptocurrencies if investors continue to withdraw due to market volatility, since fewer crypto users make it easier for law enforcement to track illicit transactions and for legislators to enforce stricter regulations. We continue to observe this space to see how it develops.
3 — Democratization of AI
In less than a year since it first appeared, cybercriminals continue to show great enthusiasm for ChatGPT – as well as other recently released AI tools – and its promise as a force multiplier for cybercrime. With its ability to emulate human language for social engineering and even automate the development of malware code, given the right prompts and guidance, threat actors can streamline the entire attack chain. ChatGPT allows novice and less sophisticated cybercriminals to carry out malicious acts more quickly and with relative ease. As discussed in our report, AI technologies make cybercrime more accessible and lower the barrier to entry by enabling threat actors to quickly write malicious code and perform other “pre-ransomware” preparation activities.
4 — Commercializing Cybercrime with As-a-Service Offerings
The as-a-service business model is thriving, given its ability to help cybercriminals commercialize their expertise and scale their operations. By purchasing sophisticated hacking services, infrastructure or tools, threat actors can outsource the groundwork required to launch cyber attacks with minimal effort. Of greatest concern is the continued rise of Ransomware-as-a-Service (RaaS). The RaaS business model operates much like a modern business: ransomware developers and operators lease their ransomware technology and infrastructure to less skilled ‘affiliate’ networks for distribution in exchange for a cut of the extortion profits, thereby scaling their operations. These as-a-service offerings make the extortion business accessible to large groups of cybercriminals – driving a rapid increase in ransomware attacks year after year.
ASM and CTI: Powerful Cyber Weapons Against Underground Cybercrime
Every connected asset within an organization’s broad attack surface presents cybercriminals with a potential entry point. Today, protecting an organization’s sprawling attack surface with only cyber threat intelligence to evaluate exposure is a nearly impossible task. Modern attack surfaces are increasingly external, extending beyond known network boundaries to include vast ecosystems of unknown assets: cloud-based resources, connected IPs, SaaS applications, and third-party supply chains. As a result, most organizations lack a complete view of the IT environment exposed to attackers, while struggling with copious amounts of cyber threat intelligence data. To effectively defend against cyber threats, security teams need complete visibility into their unique attack surface and real-time insight into their threat exposure.
Embedded with our market-leading native Cyber Threat Intelligence (CTI), Cybersixgill’s Attack Surface Management (ASM) solution eliminates visibility blind spots by automating the discovery of unknown assets. With this combined solution, we continuously discover, map, scope and classify unknown network assets that can put your organization at risk, monitoring your full asset inventory in real time across the deep, dark and clear web. The ASM integration augments our market-leading threat intelligence to focus on each organization’s specific attack surface, providing the earliest possible warning of emerging threats targeting their business. With full visibility into an organization’s threat exposure, security teams can confidently prioritize their efforts and resources where they are most needed, dramatically reducing Mean Time to Remediate (MTTR).
Given the evolving threat landscape of the Digital Age, the ability to identify the highest-priority risks facing their organization and focus their efforts accordingly offers tremendous benefits to resource-constrained security teams.
For more information, please download The State of the Cybercrime Underground.
To schedule a demo, visit https://cybersixgill.com/book-a-demo.
Note: This article was written and contributed by Delilah Schwartz, Security Strategist at Cybersixgill.