Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.’”

Download the full Mid-Year 2016 Cyber Trends Report

To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

  • Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.
  • China’s online shopping site Taobao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.
  • GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.
  • Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs’ report identifies infected/exploited assets as the top effect category overall, although it only appeared in 14% of entertainment and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

  • IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.
  • Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.
  • Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.
  • Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Costs of Data Breaches Rising, But It’s Not All Bad News

It should come as no surprise, but data breaches are costly for organizations. Each stolen record containing sensitive or confidential information costs an organization an average of $158, according to the 2016 Ponemon Cost of Data Breach Study released last month. That price more than doubles to $355 when looking at a highly regulated industry such as healthcare.

Those costs add up. The final tally for an average breach is now a whopping $4 million. That’s up from $3.79 million last year and a 29 percent increase in total costs since 2013.

Clearly, data breaches have a significant impact on business. In fact, the biggest financial consequence often comes in the form of lost customers, according to Ponemon. The findings confirm what other surveys have recently reported: consumers are increasingly unforgiving when it comes to data breaches, particularly younger generations.

A FICO survey found that 29 percent of millennials will close all accounts with a bank after a fraud incident. Not only will they take away their own business, a significant percentage will actively campaign against others using the bank. A quarter will turn to social media with negative posts, and more than a fifth will actively discourage their friends and families from using the services.

Can the C-Suite Make a Difference?

It’s not all bad news when it comes to cybercrime-related research though. In fact, The Economist Intelligence Unit recently found that certain types of organizations are having at least some success when it comes to fighting against the tidal wave of cyber-attacks. Making cybersecurity a priority at the top of an organization can have a significant impact on cyber risk.

According to the survey:

  • A proactive strategy backed by an engaged C-suite and board of directors reduced the growth of cyber-attacks and breaches by 53% over comparable firms.
  • This includes a 60% slower growth in hacking, a 47% slower growth in ransomware, and a 40% slower growth in malware attacks than their less successful counterparts.
  • Successful firms were also 56% more likely to maintain a standing board committee on cybersecurity.

Unfortunately, many organizations are either overwhelmed with low-level data and tasks, or they are unable to clearly articulate relevant threats to those executives. This leaves them more vulnerable to the various cyber threats facing their organizations — and the potential costs and other fallout associated with those incidents.

That’s why it’s crucial that those in the C-suite and on the board of directors have strategic threat intelligence — including dark web data on the cybercriminals themselves — provided in a clear, concise and ongoing manner. It is possible to stem the tide of cyber-attacks with a combination of the proper leadership, expertise and tools, but all too often those organizations are operating without a crucial piece of the puzzle — the high-level threat intelligence to help guide those decisions.

Taking Action with Threat Intelligence

Much has been written about the cybersecurity knowledge gap in the C-suite; however, that issue runs both ways. Earlier this year, ISACA released its State of Cybersecurity: Implications for 2016 report, and they found that respondents “overwhelmingly reported that the largest [skills] gap exists in cybersecurity and information security practitioners’ ability to understand the business.”

This is a crucial problem as security experts continue to hammer home the point that cybersecurity is no longer an IT problem, but a business one. Cybersecurity employees understanding business concerns and business executives understanding cybersecurity concerns isn’t just an aspiration, it’s a necessity for properly managing cyber risk.

That collaboration and understanding is at the heart of effective cyber threat intelligence.

Effective threat intelligence empowers those in the C-suite and board of directors with relevant and easy-to-comprehend information about the most important cyber threats impacting their business, their competitors and their supply chain. Effective threat intelligence also serves as a guidepost for those in IT to ensure that tactical defenses and resources are aligned with the most pressing business concerns.

In short, threat intelligence is a key component in getting away from the never-ending game of whack-a-mole that results from blindly chasing down the latest headline-grabbing cyber threats and instead operating with a more thoughtful, harmonious and strategic approach. It’s applying the same combination of technical analysis and business insight that is commonplace in other key areas of the organization in order to achieve the biggest return on your cybersecurity investment.

It’s no wonder then that those organizations are seeing the best results when it comes to reducing their overall cyber risk.

More Financial Institutions Fall Victim to SWIFT Attacks

In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.

“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).

These SWIFT-related attacks often require significant time investment from cybercriminals, but the payouts can be substantial — including an $81 million theft from Bangladesh’s central bank in February.

According to the Kyiv Post:

[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.

“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.

The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.

These groups are becoming smarter and often know the inner workings of banks, Gazit said.

“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”

Growing Problem for Financial Organizations

Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.

This means that cyber-attacks have more impact throughout organizations.

“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates to the very core part of the business.”

On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.

Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.

“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”

He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”

For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.


Top Dark Web Markets: HANSA, Piracy and Exit Scams

HANSA Market is the third most popular dark web market this year, according to data from SurfWatch Labs. It’s a new and growing market focused on the security of its users. Previously in this series we’ve talked about Alpha Bay and the problem of stolen credentials and Dream Market and the cybercrime-as-a-service model. As we turn our attention to HANSA, it’s an opportunity to reflect on how these dark web markets work — and the reason there has been so much turnover the past few years.

Piracy is one of the top trending cybercrime categories on HANSA market. This includes pirated software, video games, movies, books and other media as well as credentials for related accounts. In the screenshot above a vendor is selling a collection of 21 ebooks by a popular author for just $4.99.

HANSA was created in response to the many exit scams that have occurred over the past few years. Most dark web markets require buyers to deposit money (bitcoins) before they can purchase. Once a market becomes popular, there can be a significant amount of bitcoins in limbo, and owners are often tempted to shut the market down and take all the money that has built up. HANSA created a system that they claim ensures that no exit scam is possible.

“After recent exit scams of various marketplaces (e.g. Evolution, BlackBank) we wanted to create a market where it is impossible for either admins or vendors to run away with your funds,” the admins wrote. “Most markets operate the same: Blindly deposit money into your account, wait for confirmations and then make the purchase. … On HANSA you do not have to deposit Bitcoins before your purchase. Every order is simply a Bitcoin transaction itself.”

How Do Exit Scams Work?

Not long ago — before the FBI took down Silk Road and creator Ross Ulbricht was sentenced to life in prison — there was a dream of a victimless black market where users could anonymously purchase illicit goods such as drugs beyond the reach of intrusive government laws. But as Wired’s Andy Greenberg wrote in January, that dream is now largely dead due to the many exit scams and the turnover in marketplace leaders over the past few years:

The result has been that the libertarian free-trade zone that the Silk Road once stood for has devolved into a more fragmented, less ethical, and far less trusted collection of scam-ridden black market bazaars. Instead of the Silk Road’s principled—if still very illegal—alternative to the violence and unpredictable products of street dealers, the dark web’s economy has become nearly as shady as the Internet back alley politicians and moralizing TV pundits have long compared it to.

The most striking example of this is the Evolution Market exit scam. In March of 2015, the Evolution marketplace halted bitcoin withdrawals from the site for a week, using the excuse of technical difficulties as the owners, known as Verto and Kimble, let the virtual coffers build. Then they closed up shop and walked away with an estimated $12 million in bitcoin.

An admin for the market summed up the bad news to fellow users in a Reddit post, “I am so sorry, but Verto and Kimble have fucked us all.”

In April 2016, a year after the disappearance of Evolution, Nucleus Market, at the time the number two most popular dark web marketplace, suddenly vanished. Rumors of an exit scam abound.

However, not all exit scams are so high profile. Most exit scams are actually done by individual vendors, as Motherboard’s Jon Christian noted.

“It turns out that a logistical problem with darknet markets is that when a vendor throws in the towel, it’s very tempting for him or her to stop mailing drugs, but continue pocketing customers’ payments for as long as possible,” Christian wrote. “If you’ve built up a good reputation on a darknet market’s seller rating system — which, like eBay, is based on feedback from other users — why not keep pulling in cash until the review system catches up with you?”

Escrow Payments and Finalizing Early

Many markets offer protection to buyers against this type of scam in the form of escrow payments. A neutral third party such as the market holds the money until the buyer has received the goods. After the buyer receives the order, payment is released. In the case of disputes, marketplace admins often act as an arbiter. However, many buyers and sellers use something known as “Finalize Early.” Essentially, the buyer releases the funds from escrow before receiving the goods or services. Some vendors abuse this trust.

HANSA does not offer the option to Finalize Early, ensuring that extra layer of protection is behind all market transactions.

While this policy helps protect buyers from vendor exit scams, there is still the concern that the market itself may perform an exit scam. In fact, this is one reason why some vendors prefer Finalizing Early. With numerous transactions in escrow, the market can at any time be holding a significant amount of bitcoins, and that can be tempting to steal. Finalizing Early lets those vendors receive payment immediately.

Multisignature Transactions

This is where multisignature escrow applies. HANSA uses a 2-of-2 multisignature escrow process (vendor-HANSA). As they explain, “Funds can only be accessed by the vendor after the buyer finalizes a transaction and can never be accessed by the site staff. Theft from either party is impossible.”

In January HANSA announced that it now supports 2-of-3 multisig transactions (buyer-vendor-HANSA) as well.

“The only flaw our market had in the past was the loss of Bitcoins in cases like the vendor losing his/her Bitcoin private key or him/her refusing to refund buyers in cases of disputes,” HANSA announced. “Fortunately this has happened very rarely and we have reimbursed the buyer every time out of our own pocket. Still, this can be avoided.”

With 2-of-3 multisig transactions, money is transferred into an escrow fund shared by the buyer, the seller and HANSA. Once two out of those three parties approve the transaction, the funds are released.
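The following is an added example, not code from HANSA or any market, that models the k-of-n release policy described above with ed25519 signatures: a 2-of-2 (vendor, market) escrow is stuck once the vendor’s key is lost, while a 2-of-3 (buyer, vendor, market) escrow can still be refunded by buyer plus market, and the market’s signature alone never suffices. The release-statement format and the order values are constructed for illustration; this is a simplified policy check, not Bitcoin script.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Party is one escrow participant: a role label and an ed25519 key pair.
// A lost private key (the failure mode HANSA describes) is modelled by priv == nil.
type Party struct {
	Role string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewParty generates a fresh key pair for a participant.
func NewParty(role string) Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Party{Role: role, Pub: pub, priv: priv}
}

// LoseKey simulates the vendor losing his/her private key: the party can no longer sign.
func (p *Party) LoseKey() { p.priv = nil }

// Sign returns the party's signature over the release statement, or nil if the key is gone.
func (p Party) Sign(msg []byte) []byte {
	if p.priv == nil {
		return nil
	}
	return ed25519.Sign(p.priv, msg)
}

// Escrow is a k-of-n policy over a fixed set of authorised public keys.
type Escrow struct {
	Threshold int
	Parties   []Party
}

// ReleaseStatement is the message every approver must sign (constructed format, hypothetical).
func ReleaseStatement(orderID string, satoshis uint64, payTo string) []byte {
	return []byte(fmt.Sprintf("release|order=%s|amount=%d|to=%s", orderID, satoshis, payTo))
}

// Approve reports whether the supplied signatures satisfy the policy and which roles approved.
// Each authorised key is counted at most once, so one party signing twice does not count
// twice; nil, malformed or unknown-signer signatures are ignored.
func (e Escrow) Approve(msg []byte, sigs [][]byte) (bool, []string) {
	used := make(map[int]bool)
	var approvers []string
	for _, sig := range sigs {
		if len(sig) != ed25519.SignatureSize {
			continue // e.g. nil from a party whose key was lost
		}
		for i, p := range e.Parties {
			if !used[i] && ed25519.Verify(p.Pub, msg, sig) {
				used[i] = true
				approvers = append(approvers, p.Role)
				break
			}
		}
	}
	return len(approvers) >= e.Threshold, approvers
}

// LostVendorKeyScenario runs the case from the announcement: a refund to the buyer is
// needed but the vendor's key is gone. 2-of-2 (vendor, market) cannot release;
// 2-of-3 (buyer, vendor, market) can, via buyer + market.
func LostVendorKeyScenario() (twoOfTwo bool, twoOfThree bool) {
	buyer, vendor, market := NewParty("buyer"), NewParty("vendor"), NewParty("market")
	vendor.LoseKey()
	msg := ReleaseStatement("ORDER-001", 250000, "refund:buyer") // constructed order
	e22 := Escrow{Threshold: 2, Parties: []Party{vendor, market}}
	twoOfTwo, _ = e22.Approve(msg, [][]byte{vendor.Sign(msg), market.Sign(msg)})
	e23 := Escrow{Threshold: 2, Parties: []Party{buyer, vendor, market}}
	twoOfThree, _ = e23.Approve(msg, [][]byte{buyer.Sign(msg), vendor.Sign(msg), market.Sign(msg)})
	return
}

// MarketAloneCannotRelease shows the other guarantee: site staff alone can never
// move the funds, even by submitting their own signature twice.
func MarketAloneCannotRelease() bool {
	buyer, vendor, market := NewParty("buyer"), NewParty("vendor"), NewParty("market")
	msg := ReleaseStatement("ORDER-002", 90000, "vendor-wallet") // constructed order
	e := Escrow{Threshold: 2, Parties: []Party{buyer, vendor, market}}
	ok, _ := e.Approve(msg, [][]byte{market.Sign(msg), market.Sign(msg)})
	return ok
}

func main() {
	a, b := LostVendorKeyScenario()
	fmt.Printf("2-of-2 released with lost vendor key: %v\n2-of-3 refund via buyer+market: %v\n", a, b)
	fmt.Printf("market alone can release: %v\n", MarketAloneCannotRelease())
}
```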

This isn’t a new system. In fact, Evolution offered multisignature transactions designed to stop the exact kind of exit scam they eventually performed, but not many buyers used the feature.

As a moderator of the DarkNetMarket subreddit noted after the Evolution theft, “Maybe this will open more people’s eyes to the benefits of multisig.” Then he added, “Nah, who am I kidding? When has an event like this ever changed anything?”

The disadvantage is that the process can seem complicated and may turn away some users, which may be one of the reasons why HANSA is not quite as popular as AlphaBay and Dream Market — although at the moment it remains one of the more trusted and stable dark web markets.

Podcast: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 75: Healthcare Leaks, POS Breaches, and Latest Malware and Legal News:

Several large healthcare databases have been put up for sale on the dark web, and the actor behind the leaks is promising more. Point-of-sale breaches made headlines this week at Hard Rock Hotel & Casino Las Vegas and Noodles & Company. More SWIFT attacks are impacting “dozens of banks.” Sports and cybercrime intersected as ransomware hit NASCAR and the SEC was the victim of a Twitter hack. Advisories this week include vulnerabilities in Symantec products that Google’s Project Zero called “as bad as it gets,” Bart and Cerber ransomware warnings, Marcher and Retefe banking Trojan developments, and a botnet utilizing CCTVs. The legal side saw congressmen urging HHS to examine ransomware, the FTC clarifying what they’re looking for during investigations, privacy lawsuits affecting both researchers and the FBI, and new and potential cybersecurity laws in Rhode Island and China. Lastly, a man is using technology to fight parking tickets.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

The “IT Middle Class” and the Growing Skills Gap

One of the cyber challenges that has long faced organizations is the IT skills gap, and as cybercriminals have widened their focus and moved down the food chain to target more small and medium-sized businesses, that problem has become more pronounced. This is particularly true for what Confer founder and VP of products Paul Morville describes as the “IT middle class.”

“You’ve seen this massive acceleration in terms of people who need to worry about security, people who have to acquire talent in that area,” said Morville, who was a guest on this week’s Cyber Chat podcast. “It’s only getting harder.”

That “democratization” of who is being targeted is the biggest driver behind the often-reported skills gap, Morville said. More businesses than ever are in need of security professionals, and there’s just not enough talent to go around.

The Growing IT Middle Class

The numbers back up those assertions. According to a 2015 analysis of Bureau of Labor Statistics numbers, the demand for IT security professionals is expected to grow by 53 percent through 2018, and a 2016 ISACA report found that 62 percent of those surveyed stated their organizations have too few information security professionals.

In addition, the ISACA report noted:

  • Finding talent can take a long time: More than half of organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
  • Most applicants do not have adequate skills: Fifty-nine percent of respondents said that less than half of cybersecurity candidates were considered “qualified upon hire,” up from 50 percent a year prior.
  • Security confidence is down: Only 75 percent of respondents reported that they were comfortable with their security teams’ ability to detect and respond to incidents, down from 87 percent a year prior.

In many ways the problem of the cybersecurity skills gap is defined by this growing IT middle class, as Morville noted:

Currently, the largest organizations — such as mega-banks and the military — have the resources to excel at IT security. … Just one tier down from this elite group, it’s a different story. … Under these circumstances, security teams are forced to rely on security tools that are outdated, siloed and inefficient. These tools allow too many attacks to get through, are often disruptive to users, and offer no post-incident value.

Organizations at the top of their industries devote a lot of resources and manpower towards security, but that drops off “really fast” when you start moving down market, Morville said.

Addressing the Gap

Finding the right candidate can be challenging because — as others have said — security professionals often have to be a chameleon and wear many different hats.

“When you look at a security person, they’re part engineer, they’re part researcher, they’re part operational in nature, they’re partly a police officer,” Morville said. “You can’t go to a university right now and study that. There’s very few programs that are specialized in this area.”

He added, “I think the more we can do in terms of feeding more people with this skill set into the funnel, the better off we’ll be.”

But finding people to stop the bad guys is only half the equation, Morville said. The other half is doing so in a way that frees up resources. That’s where security tools need to improve to make sure they’re helping organizations become more efficient.

“I put a lot of burden back on the security vendor community in terms trying to create products that, as I said, become more of a force multiplier.”

As SurfWatch Labs chief security strategist Adam Meyer wrote, there is a huge difference between being actionable and being practical, and tools and intelligence need to be more practical. This means security tools should help free employees from low-level tasks so that the employees organizations do have can better utilize their time, Morville said.

“Everybody is just always looking for new security people — people to add to the team. It’s hard to find people, and it’s hard to train people, and it’s hard to retain people.”

For more, listen to the full conversation with Confer’s Paul Morville about the skills gap, how it’s affecting the IT middle class, and what security vendors, businesses and others can do to help address the problem.


Podcast: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 74: Hackers Get Political, Massive Cryptocurrency Theft and Password Woes Continue:

Cybercrime and politics crossed paths yet again as a data breach at the Clinton Foundation was revealed as part of a wide-reaching campaign. A massive cryptocurrency theft led to tens of millions of dollars in potential losses for The DAO. Acer is notifying users of a breach at the company’s e-commerce site. And banks continue to be targeted with DDoS attacks. A variety of companies are also reporting secondary breaches stemming from the breaches at LinkedIn and others, keeping the issue of password reuse in the spotlight. Researchers highlighted a variety of malware this week including PunkeyPOS, DED Cryptor, RAA ransomware, Magnit and GozNym. The FBI released updated stats on business email compromise scams, and surprise, it’s only getting worse. Legal news includes financial institutions filing a lawsuit against Wendy’s, Home Depot filing an antitrust lawsuit against Visa and MasterCard over chip-and-signature issues, the SEC warning of a man hacking accounts to make unauthorized trades, and a $950,000 privacy settlement with the FTC. Also, some people are not too happy about a Game of Thrones spoiler service.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Organizations Overwhelmed, “Literally Lose Track” of Sensitive Data

Many businesses cannot keep up with the plethora of sensitive data that’s being created and shared by their organization, and as a result they may face increasingly stiffer fines as new regulations and laws are passed to protect that data.

That’s according to John Wethington, VP of Americas for Ground Labs, a security company focused on helping organizations monitor their data.

“Simply put, there’s so much data being generated every single day that these organizations — they literally lose track of it,” said Wethington on SurfWatch Labs’ latest Cyber Chat podcast.

“The data is constantly being moved and shifted around. It’s being put in a variety of different formats, stored in a variety of different locations,” he said. “I think the average individual doesn’t see behind the scenes and understand all the hands that touch their data for a variety of different reasons.”

Do You Know Where Your Data Is?

That lack of insight is leading to data breaches caused by both mistakes within the organization as well as external actors such as cybercriminals and hacktivists.

Although data storage and data use has shifted over the past few years — more cloud services, more sharing, more tools to extract and analyze information — cybersecurity has often lagged behind that shifting approach.

If an organization isn’t closely monitoring that sensitive information, they may be in for a rude awakening, Wethington said.

“Much like a child, you have to constantly keep an eye on them otherwise they’re going to wander off somewhere you’re not going to expect, and the same thing with the data. It’s going to wander off somewhere, you’re not going to expect it to be there, and then you’re going to find yourself in trouble.”

Evolving Regulatory Landscape

That lost data may lead to larger fines and penalties as new regulations such as the EU’s General Data Protection Regulation (GDPR) come into effect and organizations have to deal with issues such as the right to be forgotten.

The GDPR, which goes into full effect in May 2018, comes with a considerable increase in potential monetary fines for those that don’t keep personal information protected: up to 4% of firms’ total worldwide annual turnover.

The global regulatory environment is “rapidly changing” as governments try to create different ways to compel organizations to maintain data security, Wethington said. As a result, organizations are trying to understand what new regulations such as GDPR will mean for them.

He added, “It’s going to be an interesting couple of years ahead of us.”

Listen to the full conversation with Ground Labs’ John Wethington below:

About the Podcast

Throughout 2016 we’ve seen numerous data breaches related to businesses being unable to properly monitor and protect their data. As Ground Labs VP of Americas John Wethington put it, organizations simply cannot keep track of the growing amount of data they have. However, new regulations such as the EU’s General Data Protection Regulation come with stiff penalties for those organizations that do not protect the sensitive data they collect.

On today’s Cyber Chat we talk with Wethington about why businesses are having trouble monitoring that data, how they can improve, and what the future holds for data security.

Podcast: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 73: DNC Hacked, Espionage Makes Headlines, and Updates on CISA and Net Neutrality:

This week’s trending cybercrime events include Wendy’s announcing its point-of-sale breach is significantly larger than previously reported, a breach at the Democratic National Committee and theft of Donald Trump opposition research, and a nearly 8-million strong breach at Japan’s top travel agency. The University of Calgary also joined the growing list of organizations that have made sizable ransomware payments, and file sharing service iMesh became the latest company to face a massive breach of user records. Advisories include more dark web dumps, a variety of espionage-related headlines, the apparent demise of the Angler Exploit Kit, and updates on malware, including ransomware targeting smart TVs. Trending legal stories include a hearing on the 6-month-old Cybersecurity Information Sharing Act, a ruling in favor of Net Neutrality, and a $1 million Morgan Stanley fine. Also, the once maligned Healthcare.gov website now ranks among the web’s most trustworthy sites.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Top Dark Web Markets: With Dream Market You Can Be a Criminal Too!

Two weeks ago we talked about the disappearance of Nucleus Market and how many of its former users have moved to AlphaBay, the unquestioned leader in terms of current dark web activity.

This week we turn our attention to Dream Market, the second most popular dark web market of 2016, according to SurfWatch Labs’ threat intelligence data.

A Quick Look at Dream Market

The places where cybercriminals go to sell their illicit goods and services are constantly changing. This is due to a combination of exit scams that rip off buyers, law enforcement disrupting operations, and a healthy paranoia that may lead those running certain markets to close up shop before getting caught. Dream Market has been around since November 2013 — a significant achievement in the ever-evolving cybercriminal scene. At two-and-a-half years of age, it is the oldest existing dark web marketplace, and that longevity has helped it to establish a certain level of trust among its users.

Although most dark web markets sell a wide variety of items, certain sites tend to attract specific types of listings over others. For example, when we wrote about AlphaBay, we focused on the problem of stolen credentials, the market’s most popular practice tag, according to SurfWatch Labs’ data.

When looking at Dream Market, credentials trade is much less popular. Instead, the most popular type of listing involves crimeware.

[Image: 2016-06-01_DreamPracticeHeatmap]
This heat map is colored by the most popular cybercrime practice tags found on each market, with red signifying a higher percentage of listings. Interestingly, the three most popular markets this year all have a different focus: carded account trade for the now-defunct Nucleus Market, credentials trade for AlphaBay, and crimeware trade for Dream Market.

Although Dream Market’s popularity is growing, some users have reported occasional issues accessing the market since Nucleus went offline. This may be due to the influx of former Nucleus users or — as has occurred in the past — DDoS attacks from competitors trying to disrupt the user base.

Crimeware Trade and “Sophisticated” Cybercriminals

There’s a perception that cybercriminals are growing increasingly sophisticated. This is driven home by the fact that nearly every company’s PR team rolls out the “we were victims of a sophisticated cyber-attack” line after each incident. It’s true; the cybercrime-as-a-service model has allowed for advanced techniques to be more readily available to the average hacker. However, the root causes of data breaches and other cyber incidents tend to remain relatively unsophisticated.

When looking at the many listings on Dream Market related to crimeware trade, it’s clear that not everyone is a criminal mastermind performing million-dollar wire fraud or business email compromise scams. In fact, many crimeware items for sale on Dream Market and elsewhere aren’t malware like remote access Trojans or keyloggers at all, but rather basic guides on how to perform simple, low-level thefts.

For example, there’s the vendor below who’s selling a guide on how to scam a major retailer for in-store credit. This “dead serious” scam has even been used to make money to take dates out for drinks and to get a tank of gas. Your satisfaction is guaranteed!

[Image: Dream_RefundScams.jpg]

Are you hungry? You won’t be anymore if you follow this other vendor’s advice on scamming a popular pizza chain. Get unlimited free pizza.

[Image: Dream_FreePizza]

Or are you an aspiring fraudster looking for someone to take you under their wing? For just the low price of $2.99, you can learn how to take advantage of this company’s obvious security flaws, handy smartphone application, and no-questions-asked refund policy. The vendor even claims it’s legal!

[Image: Dream_Scam2]

Or maybe you’ve hit hard times and need a few bucks. No worries! This vendor has a guide that’s “perfect for those in financial instability situations.” Just purchase some of the many bank account credentials that are advertised with enticing balances, and pair those with this handy step-by-step tutorial to cash them out — no knowledge necessary.

[Image: Dream_BankAccount]

Or maybe you hear about all these tools used to discover vulnerabilities and hack businesses, but you don’t know how to use them. There are plenty of guides for those without technical knowledge.

[Image: Dream_HowtoHack.jpg]

Of course, real malware, tools and hacking services are for sale, along with stolen credentials, pirated media, counterfeit documents and more.

Cybercrime-as-a-Service

Although it’s fun to look at some of the over-the-top salesmanship and scams for sale on Dream Market and other markets, it is important to note that those low-dollar fraudulent charges, while not enough to make news headlines, do have a significant impact on the companies they’re targeting and the individuals they’re ripping off.

Also, the fact that potential criminals can have their hands held throughout the whole process of cybercrime — from phishing to malware to cashing out funds — is a growing concern. As we wrote in SurfWatch Labs’ 2015 Year in Review, “This separation of the technical aspect of cybercrime has widened the pool of potential hackers and lessened the knowledge gap that previously separated groups of malicious actors.”

There is no need to build an exploit kit or point-of-sale malware from scratch. Simply purchase the latest tools complete with customer service and technical support. Need a phishing page or information on a company’s employees? Buy one of the many guides on social engineering. No time for that? Simply hire one of the many services to do the technical legwork for you.

The good news? All of the information and tools available to those wannabe hackers can be leveraged by organizations as well. This dark web threat intelligence can help us better understand the relevant cyber threats facing organizations, their supply chain and their customers.

Next week we’ll look at another dark web market to see what intelligence we can learn.