CyberWire Daily - Online underground markets in the Middle East. [Research Saturday]
Episode Date: February 2, 2019

Researchers at Trend Micro recently published their look inside online underground marketplaces in the Middle East and North Africa, where criminals are buying and selling malware, laundering money and even booking their next discount vacation. Jon Clay is director of global threat communications at Trend Micro, and he joins us with their findings. The original research can be found here: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/cash-and-communication-new-trends-in-the-middle-east-and-north-africa-underground

Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
And now, a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security.
Trend Micro has been basically researching a number of the underground, cybercriminal underground communities around the world.

That's John Clay. He's director of global threat communications at Trend Micro. The research we're discussing today is titled Cash and Communication, New Trends in the Middle East and North Africa Underground.
So we've done research on the Chinese one, the Japanese, Russian, a whole slew of them. And so we thought we would move to the Middle East and North Africa region and see what's going on within those undergrounds. So we started doing research a couple of years ago. We published our first report last year, and then we made an update to it this year.

So let's dig into some of the things that you found. What were some of the things that shifted in 2018?

Yeah, it's interesting. It appears that this underground is getting more sophisticated. And part of the reason we're seeing this trend is because of the way they're communicating within the community. Last year, what we saw is a lot of open source messaging solutions being used, communication channels being used, and they've really moved to a more secure channel. They're using more encryption-based messaging products now so that the communications between each other is encrypted. And so obviously they're looking to stay under the radar, stay out of reach of law enforcement by going to this route. So that's one thing. The second thing that we noticed was more money laundering services being offered within this underground. And again, it shows the sophistication moving to a better form of selling their services and goods in order to make a profit and keeping it under the radar again. So we're seeing a lot more of these actors within this underground utilizing better communication channels and improved selling services.

Well, let's dig into some of the details here, specifically with the financial services. Can you take us through what sort of things are they doing here and how are they handling their money?

Yeah, you know, it's interesting because we see this in other communities out there around the world where other actors will offer actors within the community underground services. And in this case, it's money laundering. So they're using money laundering services and offering those to other criminals within the underground. This allows them, obviously, to make more money. They are working within the community. They get to know the other actors within the community. You start building up a reputation within that community of offering good service. And as such, we're seeing these actors utilize more and more these types of money laundering services. And this really is just a way for them to make sure that a transaction cannot be found by law enforcement or other good people out there in the world that are tracking this kind of stuff.

Now, they're also using these types of services to convert actual physical items into cash?

Yeah, that's part of the service as well. what is stolen. If it is electronic data, obviously, then they're trying to sell that data in that underground to other actors or to people who come to this underground from other areas of the world to buy goods and services within this underground. So they're selling the electronic stuff. But in a lot of cases, they will try to utilize physical goods and services as a way to create money for themselves. So let's say, for example, you wanted to change some electronic money into physical cash, you can go and get gift cards or do something, you know, purchase goods and services using stolen credit cards and get those physical items shipped to you and then you can sell them to people around that community.
Now, in terms of these folks finding each other, can you describe to us what are the forums like? Is this a private thing? How does one prove their worth to be able to have access in these forums?

I think a lot of it comes from just the sharing of the different forums, people doing searches within the underground community, finding the different forums that are out there. So there's forums on carding, there's forums on money laundering, there's lots of different things there. So you just kind of search for it. And once you find a community or a forum that you want to be able to work with, in a lot of cases, you do have to join. They can be private, although a lot of them still are public. We still do see a lot of public communications out there in this underground because it still is a pretty new underground community within the big scheme of things. So they are learning as they go. Most of the actors we found as being male in their mid-20s is kind of the profile today of the typical actor within this community. And so, you know, they are just communicating amongst each other. Once they find somebody who they like and they work with well, then usually you see that communication move to a more of a private mode. And again, using communication channels that are all encrypted.

I see. Now, one of the other things that you highlighted in this research is the availability of discount travel services. What's going on here?

Yeah, this is an interesting one. In fact, we even published a full report on this and we're seeing more and more of these, you know, the actors want to go on vacation, right? Just like anybody else in the world. They want to be able to go and take a trip. Now, the thing that is interesting in the underground is that they can get these trips and whether it's an airline ticket or hotels or car service. And they're buying these services in the underground at very discounted prices because in a lot of cases, other actors are stealing this type of data or obtaining this kind of data at a very low discount or very large discount, I should say. And so, again, there's lots of different services being available in these undergrounds. Travel is one of them and is being used by more and more of these actors because they do, like I said, want to just go and take some vacation sometime.

Now, is this another opportunity to launder some money by having it flow through these travel services?

Very much so. Again, you know, these actors have found another way of laundering their goods and services that they have stolen. And so they basically money launder it by selling that to other actors who pay them money for those services, then they're done with them. So it's another form of looking for profit and obtaining profit from their mischievous activities.

Now, is there any sort of reputation tracking? I can imagine, particularly with travel, if I show up at a hotel somewhere halfway around the world and they don't know anything about my reservation, well, my vacation might be ruined.

Yeah. In fact, part of the service is actually, they have a concierge service. So you can contact the organization that you purchased these from, and they will manage that for you. So they will be contacting the hotel, for example, making sure the reservation is good. And again, you know, part of it is when you find an organization or an actor who is providing this, if he's providing a good service, you get, you know, just like the others, you can get five stars or four stars, something like that. And you get rated. So people will use those that have a good reputation and those that follow through on the goods and services that they are selling.
Now let's dig into some of the means by which they're communicating with each other. This is another thing that you all tracked in the research.

Yeah, again, the shift that we saw was the use of some of the more public messaging. So Facebook Messenger or some of the other types of open source, so to speak, messaging platforms to some of the newer platforms that have a more encrypted capacity associated with it or feature associated with it. So we're starting to see more and more of these actors move to these platforms, these messaging platforms that have encryption built into them. And that allows them, again, to ensure that their communication between each other is private and is very difficult to break, essentially.

And so the sort of flow of the conversation is, do they meet each other in a forum and then generally take it offline?

Yeah, that's one way. But even within the forums, if you're communicating, in a lot of cases, they will try to do encrypted channels within the forum as well. So you're going to see that. But definitely in the one-to-one communication model, it is definitely going to be an encrypted channel in most cases today.

So what are you tracking as we head into the new year, just starting with 2019? What do you expect to see happening here? What sort of evolution are you going to track?

Well, we're definitely going to keep tracking this underground because we are seeing a lot of shifts and changes within it. We tend to focus on the cyber criminal aspect of it. We don't look at the nation state, potential nation state type activities. We're looking at more of the cyber crime profit oriented actors within this underground. And what we're seeing them is definitely shifting to a more global presence. So they are looking to attack more global organizations outside of their region. We're seeing a more improved malware development within the underground. So we'll likely see improved malware coming out of this underground and being used by the actors within this underground. I think we're also seeing somewhat of a shift in who they're targeting. In the past, they were targeting some of the government and other types of organizations, and we're seeing them shift more to the oil and gas industry within that region. And one of the things that we are concerned about is that they are somewhat doing proof of concepts within their own region against oil and gas. And we could see an expansion to some of the oil and gas organizations around the world and targeting those organizations through the learning process that they've made to make sure that they can attack them in a successful manner.
Now, when you say targeting oil and gas, what kind of stuff are they doing there? What are they going after?

It can be a lot of things. A lot of it is extortion today. So they're looking to take down certain manufacturing process or certain systems that are running the business in order to extort that organization into paying them money to bring those systems back online. We also are seeing a lot of data theft. It could be intellectual property theft that they plan to sell to other oil and gas organizations around the world. So lots of different types of activities that we could see come from them. Once you're inside an organization's network, you really have free rein to do what you want. And so it really just depends on the actor and what they are interested in doing at the time.

Now, you mentioned how in your research, you tend to keep separate the nation state activity from the criminals in this part of the world. Do those two groups tend to stay apart from each other? Is there overlap? Do you have any sense on that?

I haven't seen that today, Dave, but I think one thing that you do see inside these undergrounds is the sharing of information and the selling of the threat content, the threat vector. So whether it's a piece of malware or something. So it's not unlikely to see actors who are doing different types of attacks using threats that come from the other actors that are building it for a different type of an attack, right? Like a cyber criminal attack or a profit attack versus a destructive attack. They may look at using the same type of malware or the same type of infrastructure.

Now, what about the breadth of services that you're seeing here? I'm thinking specifically of catering to people with different technical capabilities. If I was interested in something from a turnkey service to something more technically sophisticated, can I sort of dial it in for myself?

Yeah, that's all available within this underground, although this underground still is a bit early in terms of sophistication. So if you're looking for a very sophisticated or a weaponized type of malware, you're probably going to go to a different underground, more likely like the Russian underground is known for that type of malware. And that's the thing that also is unfortunate for us in this community because these actors are starting to be more global and work together in other regions of the world. So, you know, picking and choosing which services you need and who makes the best within that is you start seeing those types of communities being built up and around the world. And so obviously with the internet being a global communication channel, you can do that. But again, going back to this particular underground community, really it depends on what you want. And if you want it, it's more than likely you'll be able to find it.
Now, what about language barriers? Do the local languages spoken, does that tend to keep things more regional or are they staying close to home?

Yes. In fact, in this particular underground, the Middle East underground, they do speak in local languages more than we see in some of the other undergrounds around the world. So that tends to keep it somewhat closed. So unless you are speaking the local language, you may not get access to some of those forums. You may not be able to get to participate in some of the communications that are happening in there. So that does tend to hinder the size of this and growing the size of this underground.
where English is used in many, many cases, although Russian is still used in a lot of places, but English is still available within that underground predominantly.

Now, in terms of folks around the world keeping this group on their radar, what are your recommendations for dialing in an appropriate level of monitoring and concern?

Yeah, I think for most people out there, obviously reading the reports that us and other organizations are putting out about this underground is a good place to start learning about it. I think we also are seeing, for example, the United States DHS coming out on occasion with reports or alerts about activities that you see from this region of the world. So I think all of those are good places to start. You know, we, like I said, we're going to continue to do investigations within this underground and we'll continue, whether it's a blog update or another report next year, keep you on your toes and see what's happening.

Our thanks to John Clay from Trend Micro for joining us. The research is titled Cash and Communication, New Trends in the Middle East and North Africa Underground. We'll have a link in the show notes.
Thank you. worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett And I'm Dave Bittner. Thanks for listening.