Occasionally all of us stumble upon some news from the information industry, often covering consequences of recent cyber attacks or data breaches that occurred as a result. security This information is forming our understanding of the security landscape, but it isn’t systematic and mostly resembles a set of do’s and don’ts that we might keep in mind, for a while. Not everyone has time to research and ingest relevant content on a regular basis. Consequently, threat actors and coverage of their malicious activity is regarded as “something that my AV or IT guy should deal with.” This approach is naive and there are plenty of individuals and organizations that have learned it the hard way through breaches and data loss. Researchers and security awareness pros that security habits and awareness training must be an ongoing and collective task for all organizations. agree Awareness training should provide users with a 360-degree view of the modern security landscape both from the security side and that of the threat actors. In a way, the user is the prize in a battle of 2 rival ecosystems. However, users who understand the risks and are informed about the underlying connections between different types of malware and possible attack vectors are less likely to be hacked. In order to know the enemy better, today we will discuss business and social engineering attacks popular among hackers for stealing credentials or spreading malware. We will also point out the details of cybercrime economy, trade and new business models among hackers operating on the Dark Web. email phishing Why Is Phishing Security Important? Phishing goes hand in hand with ransomware and other malware often serving as the “delivery method”. According to Ventures, ransomware damage costs for 2017 were at $5 billion in May 2017. However, long-term follow-up estimates published in November that year set the bar much higher. Global damages are to exceed $11.5 billion annually, with businesses attacked nearly every 14 seconds by the end of 2019. The threat landscape is expanding, phishing business is prosperous and more adversaries are joining the hunt for money and sensitive data. There are no signs of it stopping in the foreseeable future, so staying informed is crucial to every internet user. Cybersecurity estimated predicted Furthermore, according to PhishLab’s , threat actors have been adjusting the way of monetizing attacks, shifting from simply using a victim’s credentials to immediately steal the money to reusing credentials in hopes of gaining access accounts. 2017 Phishing Trends and Intelligence to more Monetization types are also diversifying. Now it is increasingly common to sell massive sets of credentials on marketplaces. In line with the changing approach, cyber crooks have become more focused on obtaining victim’s’ phone numbers due to growing usage of 2-factor authentication. Dark Web What Is the State of the Phishing Threats? 2017 report shows that phishing and social engineering techniques represented “98% of incidents and breaches that involved social action.” A whopping 95% of phishing attacks leading up to a breach involved malware installation. In general, in 66% of cases, malware installation occurs via email as attachments. The findings are based on a data set of 1616 incidents and 828 confirmed disclosures. Verizon Data Breach Investigations Email is the primary channel for malware delivery. Source: 2017 Verizon Data Breach Investigations Report Interestingly, according to data from organizations contributing to reports, 7.3% of more than 3 million unique users have been lured into clicking malicious link or opening an attachment. Moreover, 15% of those who fell victim once, were tricked for the 2nd time. 3% clicked more than twice. A small amount of users clicked more than 3 times. These stats shouldn’t be attributed solely to users’ gullibility, because threat actors are constantly improving the quality of their spoof emails. What is Driving Phishing Attackers? he findings on motivation of threat actors listed in Verizon DBIR are in line with observations made by other researchers: Other reasons adversaries engage in phishing include fun, ideology (hacktivism), and holding a grudge (ex-employees). 66% of cases involving social action are financially motivated, with espionage occupying the second place with 33% respectively. Motivation behind malware distribution and attacks according to 2017 Verizon Data Breach Investigation Report The Dark Web and the Shadow Economy of Phishing Business From an adversary prospective, phishing is an effective tool, powering their lucrative business. As already mentioned, they monetize in several ways, some of them staying invisible to general public. While most of us are using the visible web (the part of internet indexed by search engines ) or the Deep Web (the part of the web not indexed by search engines like your email account), adversary dealings, like selling victims’ personal data occur in the “walled off” segment of the internet, known as the Dark Web. One of the motivators for using the Dark Web is that it’s not accessible without special software. Its decentralization and greater anonymity of communication protocols are among other reasons why government agencies and and law enforcement are not able to regulate it stringently, with the exceptions of occasional takedowns of separate Dark Web websites. Still it doesn’t mean that Dark web is 100% anonymous and not monitored at all — on one of the websites can get you jailed. buying a bomb There is no lack of marketplaces where various illegal goods are sold, ranging from drugs to credit card credentials and malware. Payments are processed in (Bitcoin, Monero, etc.) which contributes to even greater anonymity, if certain precautions are met. Due to this, hacking communities are quite active on the Dark Web and one can find a variety of services for sale and hackers for hire. cryptocurrency It Is Easier Than Ever to Start a Phishing Business A big part of the Dark Web economy that supplies security researchers with new threats to work on every day is based on evolution of the malware business model. Nowadays coding skills are not a prerequisite for someone who decides to make money from distributing malware or enter the phishing business “niche”. The entry-level is considerably lower due to new types of offers promoted on the Dark Web and on some hacking forums on the visible web. They are known as Ransomware as a Service (RaaS) or Phishing as a Service (PhaaS). The business model is borrowed from legitimate software vendors. Basically, you no longer have to write malicious code yourself. You can buy it! Highly skilled malware authors do the hard work of creating a RaaS or PhaaS software that they offer to less experienced criminals. In some cases, they may go even further to develop a sort of affiliate platform that combines a stats dashboard and control panel their customers can use. Cyber crime is becoming more organized and structured, just like their opposition in infosec and AV industry. Adversaries implement organization models where each participant takes on certain set of tasks, from development of specific hacking tools, to marketing and distribution via numerous Dark web outlets. Hackers offer full scale services with support and infrastructure for rent, acting very much like software as a service (SaaS) companies. Virtually anyone who’s able to get on the Dark Web, can pay an RaaS author to start an extortion campaign of their own. RaaS distribution may be taken care of by purchasing a PhaaS product and a database of email addresses to send to. Threat authors use different payment models,from one-time payment to fixed revenue share percentage for every victim paying ransom. Some RaaS “products” are built on the basis of certain ransomware families and their further customization evokes more new strains that circulate on the web. Let’s take a glimpse at some of the Dark Web marketplaces that offer hacking tools and services. Dark web marketplaces offer guides on phishing business, malware distribution as well as stolen personal data. There is a number of marketplaces selling hacking tutorials and various types of personal data such as emails, credit card info, social security numbers etc. Sellers have ratings and buyers are able to leave reviews based on their experience, much like on legit websites across the visible web. Dark web actors embrace customer service practices by offering “satisfaction guarantee” policies and “support.” However, fraud is widespread on Dark web, it’s scammers trading with scammers, after all. This RaaS (Ransomware as a service website), called “Ranion” has been around for a while, offering configured and compiled ransomware tool along with Dark web based Command and Control Dashboard. It allows threat actors to operate the extortion business and collect ransom covertly . Ransomware authors are offering several packages with varying set of features, depending on price. They boast using unbreakable encryption too. Notice the phony disclaimer saying: “Our products are for educational purposes only” — fairly weak attempt at humor. Ranion RaaS main page Ranion Ransomware FAQ provides information for potential buyers, including the type of files it encrypts, support and paid addons. Ironically, RaaS authors even promise to take care of buyers’ privacy with their no-logging server policy. Ranion RaaS FAQ: support, privacy and other info to convince “potential customers” Finally, the most interesting section of Ranion RaaS website, Reviews. Site owners proudly link to legitimate security website that posted an article about their “product”. Bleepingcomputer Ranion RaaS Reviews section One more RaaS listing on one of the hacking forums I came across on Dark web. It is called “Princess” and has detection bypass and evasion functionality built into it. Crooks also claim that no free decryptor exists and won’t exist in future. Conditions listed in “Partnership” section resemble those of legitimate software vendors advertising their offer to affiliates on ad network, including commission structure. They propose 60% Revenue share deal between the criminal group and ransomware distributors, which is a pretty standard deal. Other traditional services that affiliates normally request from the program like partner dashboard,support and product localization are also provided. Princess RaaS authors recruiting distribution partners on Dark web hacking forum Dark web is also a place where less ethical hackers offer their services, here’s an example for you to take a look at. Rent-A-Hacker website contains “product packages” and hacker’s “CV” A Final Word on Phishing Business Email is one of the handiest inventions that accompanied the Internet, but at the same time it’s an Achilles heel of personal online security and IT infrastructure. Changes in the cybercrime ecosystem and growing availability of on-demand malware require new approaches from users and organizations. The old paradigm, which relied on endpoint protection and signature-based detections, isn’t viable in the present day threat landscape. Cyber crooks constantly innovate and a failure to keep up will most likely result in financial losses or data breaches. Modern enterprise security should be aimed at prevention, proactive monitoring and sandboxing techniques deployed across the vast infrastructure. An appropriate level of automation is crucial in order for IT teams to maintain control,visibility and take full advantage of email security frameworks. Companies investing in continuous employee training including , are more likely to avoid the consequences of network security attacks and identify employees whose safety skills may need improvement. simulated phishing attacks
