Communication, commerce, and government are just a few aspects of our daily lives that have been forever changed, and in many ways made more convenient, by computers, but these same advancements also afford new tools to the technologically savvy criminal. Crimes such as terrorism, espionage, financial fraud, and identity theft have long existed in the physical (analog) realm but are now also perpetrated in the cyber domain. One such clever subterfuge is steganography, the practice of concealing a PDF file, text message, image, or video within another file, message, image, or video. That method of obscuration is exemplified by the technique the 9/11 terrorists coordinated to carry out autonomous international communications.
10 Tips on how to identify Phishing Email
Recognize Phishing Attempts (child friendly)
1. From Gmail:
2. Open the message.
3. Next to Reply, click the Down arrow.
4. Click Report phishing.
Sponsored Content. IDG Communications, Inc.
Even though 91% of cyber incidents stem from email, spending on email security remains only a fraction of a company’s overall security spend, indicating a sizable gap between the perceived and actual risk to organizations.
The losses are significant. According to CSO’s 2018 Global State of Information Security Survey, organizations suffered a loss of intellectual property as well as financial losses, and in 22% of the compromises, ransomware was implanted on systems.
Although phishing awareness training reduces risk, trusting that people will change their behavior goes only so far in securing business email. Unless organizations can protect the integrity of their email, they can’t defend against these increasingly prevalent threats. To have an advantage over threat actors, stop threats and secure customer environments, email security solutions must be built on the most up-to-date and reliable threat intelligence.
To both detect and block malicious emails as they emerge, a multipronged strategy that includes FireEye Email Security is a smart option. This enables organizations to benefit from threat intelligence gained through covert engagement with hackers, to track the main threat actors in nation-states, and to observe attacker behavior patterns. Access to advanced threat intelligence enables the platform to
Email’s Evolving Threat Landscape
Increasingly, spear-phishing and impersonation email attacks are becoming more sophisticated, making them difficult to detect. When emails evade detection, they land in a user’s inbox. “Many companies are still under the misconception that spam is the greatest email risk. What they don’t realize is that breaches most often start with an email,” says Ken Bagnall, vice president of email security at FireEye.
The very high return on investment that attackers see with CEO fraud, where attackers impersonate executives to fool finance or human resources staff into making wire transfers or releasing confidential information, has spawned a new wave of threats. Says Bagnall, “The threats that have proven so successful are continuing to evolve into more-widespread, distributed attacks.” FireEye’s Email Threat Report for January–June 2018 affirmed that email is every organization’s biggest vulnerability. Trending of late have been malicious but malware-less attacks.
Spear-Phishing, Impersonation, and Malware-less Attacks
What were once highly targeted attacks of CEO fraud have evolved into more-pervasive types of impersonation attacks. Using confidential information obtained through spear-phishing campaigns, cybercriminals leverage impersonation attacks to trick a user into a fraudulent act that seems innocent, like paying a bogus invoice, rather than delivering malware. These malware-less attacks work well, because the message appears to have been sent from a trusted source.
as more personalized. In fact, it’s become so commonly used that 90% of the emails blocked by FireEye were malware-less attacks that evaded anti-spam security solutions. To make the emails appear more legitimate, attackers are wrapping their phishing emails into impersonation packages to get a higher rate of success.
Attackers have also expanded the use of domain fraud for spear-phishing, using typosquatting—spelling a trusted domain name with an additional character, such as FiireEye.com, to trick the user’s eye. Threat actors also employ the use of homoglyphs to manipulate the domain name, changing a letter to a number or using a different letter or alphabet, as in FlreEye.com.
Threats in Mobile
The proliferation of mobile technology has led to increased risks with email security. “Seventy percent of emails are answered on a mobile device, which shows how attackers have evolved their techniques to align with how we use technology,” Bagnall says. Instead of showing the sender’s full email address, email clients show only a display name. Criminals are leveraging the inherent trust users have, knowing that when users see a boss’s or colleague’s name, they trust the source.
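The two deception techniques described above (typosquatted and homoglyph domains such as FiireEye.com and FlreEye.com, and display names that borrow a trusted colleague's name) can both be checked at the gateway before a message is rendered by a mobile client. The following is an added example written for this page, not FireEye's code: it canonicalizes confusable characters, compares the sender domain against a trusted-domain list by edit distance, and flags a known display name whose address is not from the expected domain. The trusted domains, the employee directory and the confusable table are constructed assumptions for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the original page).
TRUSTED_DOMAINS = {"fireeye.com", "zyx.com"}
# Display name (normalized) -> the domain mail from that person should come from.
KNOWN_PEOPLE = {"todd koslowsky": "zyx.com"}

# Characters attackers substitute for look-alikes: digits for letters, l/1 for i,
# and a few Cyrillic letters that render identically to their Latin counterparts.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "i", "l": "i", "|": "i", "3": "e", "5": "s", "7": "t",
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "у": "y", "х": "x", "і": "i",
})


def canonical(domain):
    """Lower-case, Unicode-normalize and collapse confusable characters."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    return d.translate(CONFUSABLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """'trusted', 'homoglyph_of:<d>', 'typosquat_of:<d>' or 'unrelated'."""
    raw = domain.strip().lower().rstrip(".")
    if raw in TRUSTED_DOMAINS:
        return "trusted"
    canon = canonical(raw)
    # Same string once confusables are collapsed: letters were swapped (FlreEye.com).
    for trusted in TRUSTED_DOMAINS:
        if canon == canonical(trusted):
            return f"homoglyph_of:{trusted}"
    # One edit away from a trusted domain: a character added/changed (FiireEye.com).
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(canon, canonical(trusted)) <= 1:
            return f"typosquat_of:{trusted}"
    return "unrelated"


def check_from_header(header):
    """Return a list of findings for an RFC 5322 From: header value."""
    name, addr = parseaddr(header)
    if "@" not in addr:
        return ["unparseable_address"]
    domain = addr.rsplit("@", 1)[1]
    findings = []
    verdict = classify_domain(domain)
    if verdict not in ("trusted", "unrelated"):
        findings.append(verdict)
    # Display-name deception: a known person's name on an address from elsewhere.
    expected = KNOWN_PEOPLE.get(" ".join(name.lower().split()))
    if expected and domain.lower() != expected:
        findings.append(f"display_name_deception:{expected}")
    return findings


if __name__ == "__main__":
    for hdr in ("Todd Koslowsky <todd.koslowsky@zyx.com>",
                "Todd Koslowsky <todd.k@gmail.com>",
                "Security Team <alerts@FiireEye.com>",
                "Security Team <alerts@FlreEye.com>"):
        print(hdr, "->", check_from_header(hdr) or "clean")
```

The homoglyph check runs before the edit-distance check on purpose: a domain that collapses to exactly a trusted name is a stronger signal than one that is merely a character away, and the distinction is worth keeping in the alert.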
Ransomware and Malware
To evade detection, attackers continuously modify their tactics, which is why spikes in phishing attacks occur at different times of year. For example, last April saw an uptick in the number of W-2 fraud attacks, where fraudsters gained employee information in order to file fake tax returns. Although the threat of clicking on a malicious attachment is still a tactic used in email attacks, only 10% of blocked email attacks contained some sort of virus, ransomware, worm, or Trojan horse.
Email Security Is More Than Basic AV/AS
As threats have evolved, so too have the solutions that protect against them. Antivirus and anti-spam tools remain critical in email security, but consolidating these capabilities with an advanced threat protection solution has advantages.
A consolidated email security platform also plays into the overall security strategy of the organization by delivering the important information from these email attacks to the security platform. This gives the SOC team a picture of what attacks are coming in and whether any are getting through.
“It provides analysts with information about emails they can use to see if the same URLs discovered in malicious email traffic are posing a threat elsewhere in the organization,” Bagnall says.
Choosing the Best Email Security Platform
Because an organization can be compromised even if only a single fraudulent email gets through, malicious emails need to be blocked before they get to the user. FireEye Email Security leverages frontline expertise that protects against zero-day and unknown threats. Continuously evolving as new tactics emerge, the platform seamlessly integrates into other solutions and protects the broader environment.
With the flexibility to deliver a full secure email gateway or an additional layer that defends against advanced threats, FireEye Email Security is flexible and adaptable. Contact us to learn which email security products are right for you.
For more information, go to www.fireeye.com/email
Be as Relentless and Innovative as the Enemy
Constant Evolution Key to FireEye’s Success
in 2016 alone.1 With the majority of these crimes originating from email, cybercriminals have created a business of designing email attacks that trick users into giving away corporate credentials, finances, and assets.
As with any other business, cybercriminals are constantly innovating and evolving their tactics in hopes of increasing their rate of success and ROI. This has created an environment where it is hard for even the most educated employees to keep up with the threats they face every day in their inbox.
It’s not only employees who are having issues identifying these threats, however. Traditional email security solutions rely on a new attack variant to be seen and a signature to be created before they are able to block it. To bypass these services, cybercriminals have begun crafting malware-less threats such as impersonation attacks and delayed phishing attacks.
or URLs, so there is nothing to create a signature for. This enables cybercriminals to send out the same attack to multiple targets with little chance of detection.
Powered by threat intelligence shared across the FireEye ecosystem, FireEye Email Security does not rely solely on signatures. Instead, Email Security employs a combination of behavior-based tools, filters, and algorithms that work together to identify difficult-to-detect threats such as W-2 fraud and other malware-less threats.
Unlike impersonation attacks, phishing attacks often do contain URLs, giving the attacker a small window of opportunity for success before the URL is identified as malicious and is blocked. To increase the length of concealment for these URLs, cybercriminals are now delaying the launch of the linked malicious site until after the attack reaches an employee’s inbox. This tactic works, because the email security solution doesn’t perceive the linked site as being dangerous until the malicious aspect is launched.
as they wait in the inbox, enabling Email Security to identify a malicious link no matter how long the attack has been sitting in an employee’s inbox.
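Defending against a link that only becomes malicious after delivery requires remembering which already-delivered messages carried which URL, so that a later verdict can be applied retroactively. The block below is an added illustration of that indexing pattern and is not FireEye's implementation: it extracts URLs from message bodies, normalizes them so trivially different spellings collapse to one key, and, when a URL is later judged malicious, returns the delivered message IDs that need to be pulled back. The message bodies and IDs are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, urlunsplit

# Plain http(s) URLs in a text body; trailing punctuation is stripped afterwards.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    return [u.rstrip(".,);") for u in URL_RE.findall(body)]


def normalize_url(url):
    """Lower-case scheme and host, default the path, drop the fragment.
    Case differences and fragments do not change where a browser goes."""
    p = urlsplit(url.strip())
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path or "/", p.query, ""))


class DeliveredMailIndex:
    """Index of URLs seen in messages that were delivered as clean."""

    def __init__(self):
        self._messages_by_url = defaultdict(set)

    def record_delivery(self, msg_id, body):
        """Remember every URL in a delivered message; returns the normalized URLs."""
        urls = [normalize_url(u) for u in extract_urls(body)]
        for u in urls:
            self._messages_by_url[u].add(msg_id)
        return urls

    def retroactive_hits(self, url):
        """Messages already in inboxes that carried a URL now judged malicious."""
        return sorted(self._messages_by_url.get(normalize_url(url), ()))


# Constructed sample traffic: two messages share a link that was dormant at delivery time.
DELIVERED = {
    "msg-001": "Please review: http://Invoice-Portal.example/pay?id=7#top, thanks",
    "msg-002": "Reminder - http://invoice-portal.example/pay?id=7",
    "msg-003": "Lunch menu is on https://intranet.zyx.example/",
}


def build_index(delivered=DELIVERED):
    idx = DeliveredMailIndex()
    for msg_id, body in delivered.items():
        idx.record_delivery(msg_id, body)
    return idx


if __name__ == "__main__":
    index = build_index()
    # Hours later the site goes live and a feed reports it as malicious.
    print(index.retroactive_hits("HTTP://Invoice-Portal.example/pay?id=7"))
```

In production the index would be keyed on the final landing URL after redirects as well, and the hit list would feed a quarantine action rather than a print statement; the point here is that detection at delivery time alone cannot catch a link that is armed afterwards.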
The best way for organizations to protect themselves and their assets from such threats is to employ a security company that is as dedicated to stopping these attacks as cybercriminals are in sending them.
Much like the attacks it stops, FireEye Email Security is consistently evolving. Utilizing a combination of frontline experience, industry-leading threat intelligence, and award-winning innovative tools, Email Security is able to defend against known as well as unknown attack tactics and techniques that other solutions miss.
That is why Lagardère Travel subsidiary Lagardère Travel Retail Italy contacted FireEye when it began facing a significant amount of spear-phishing and other malicious attacks hidden within its average of 350,000 to 365,000 messages per day.
“We wanted to add an extra layer of security to ensure that we weren’t vulnerable to expensive and potentially crippling advanced attacks from spear-phishing, malicious URLs, ransomware, or zero-day exploits,” said Alberto Signor, vice president of information and communication technologies at Lagardère.
After a one-month proof of value that showed that the solution was effective and easy to manage, the team confirmed that Email Security – Cloud Edition was able to drastically reduce the levels of spear-phishing emails that reached employees. FireEye detected encrypted threats at both the file and text
“Email Security – Cloud Edition helps us protect our business by providing an intelligent solution that monitors and contains the threats, spam, potential viruses, and malware instances we were experiencing,” said Signor.
With its email now secured by Email Security – Cloud Edition, the IT team was able to contain the email-borne threats that too often impacted employees using standard Microsoft Office 365 tools. Having this kind of threat prevention enables the company’s 1,500 employees to work securely and with the confidence that their email messages no longer had any potential to inflict damage.
FireEye offers both Email Security – Cloud Edition and Email Security – Server Edition to fit any organization’s email security needs.
FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence and world-renowned Mandiant® consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent and respond to cyber attacks.
601 McCarthy Blvd. Milpitas, CA 95035 408.321.6300/877.FIREEYE (347.3393) info@FireEye.com
© 2018 FireEye, Inc. All rights reserved. FireEye is a registered trademark of FireEye, Inc. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.
Protecting Against Account Takeover Based Email Attacks
The onslaught of targeted email attacks such as Business Email Compromise, spear phishing, and ransomware continues uninterrupted, costing organizations of all types and sizes billions of real dollars lost.1 Cybercriminals know that employees are the weak link in an organization and need only convince these targets that they are someone who should be trusted to achieve success. In terms of methods used to deceive employees, email spoofing and display name deception have been the “go-to” techniques. However, security leaders charged with reducing this risk need to factor in yet another form of email-based identity deception tactic. According to recent Agari research, there has been a 126% increase in targeted email attacks that exploit Account Takeovers (ATO).
Prior to 2017, concerns over ATO-based email attacks were virtually non-existent. However, in early 2017, the Google Docs ATO Worm Attack2 brought a spotlight to the problem when it struck over a million users in only a few hours. Most recently, a new Osterman Survey3 found that 44% of organizations were victims of targeted email attacks launched via a compromised account in the past 12 months.
As these attacks continue to rise, organizations should be evaluating whether their existing email security controls can analyze, detect, and block ATO-based email attacks. This report discusses a typical ATO-based email attack flow, why these attacks are effective, and why organizations should be placing a high priority on stopping them in 2018 and beyond. Finally, the paper introduces the latest Agari Enterprise Protect release and explains how its core Agari Identity Intelligence™ technology has been enhanced to stop ATO-based email attacks.
WHAT DOES A TYPICAL ATO-BASED EMAIL ATTACK LOOK LIKE?
Figure: Percentage increase in number of attacks.
An Account Takeover (ATO)-based email attack is the process of gaining unauthorized access to a trusted email account and using this compromise to launch subsequent email attacks for financial gain or to execute a data breach. Since ATO-based attacks originate from the email accounts of trusted senders, traditional security controls cannot detect such attacks. Moreover, given the pre-existing trust relationships, launching a targeted attack such as a Business Email Compromise from such an account increases the likelihood that the attack will succeed. Account Takeover-based email attacks rely on leveraging a compromised account or endpoint as a launchpad for a targeted email attack such as Business Email Compromise. To achieve this goal, cybercriminals follow the below process:
user account by launching a spear phishing or malware-based email attack. Alternatively, with the proliferation of data breaches, he may simply purchase email account credentials from the dark web at a reasonable price:
› Step 3: Conduct Internal Reconnaissance
The attacker conducts internal reconnaissance to determine how the compromised account can be exploited. For example, the attacker may use a set of manual or automated scripts to determine the following:
Does the compromised account or user credentials give direct access to monetizable data, either locally or on
Can the victim’s contacts be exploited to achieve the final mission of financial fraud or data exfiltration?
Can the victim’s contacts be exploited to compromise other high value accounts?
Additionally, the attacker may lie dormant, observing email communication between the original account owner and their contacts with plans to eventually hijack the conversation.
The attacker establishes persistent control of the account without alerting the victim or any security personnel. For example, the attacker may implement the following:
1. Create audit rules to delete his own malicious email activity.
2. Set up
silently monitor user communication.
3. Augment password change processes to maintain password control.
The longer the attacker controls the account, the more information can be gathered and the higher the degree of mission success.
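The persistence steps listed above (rules that delete the attacker's own traffic, rules that silently monitor or redirect mail, and tampering with password-change flows) all leave a trace in mailbox rule-creation audit records, which is where a SOC can catch an ATO early. The block below is an added example for this page, not Agari's product logic: it triages constructed inbox-rule audit events and flags rules that delete or externally forward messages, filter on sensitive subject words, or hide their activity from the mailbox owner. The event field names, organization domain and sample records are this example's own assumptions, loosely modelled on mailbox-rule audit logs.

```python
# Constructed audit events. Field names are this example's own (assumption), not a
# vendor schema; "New-InboxRule" stands for a rule-creation operation.
ORG_DOMAIN = "zyx.example"
SAMPLE_EVENTS = [
    {"time": "2018-03-10T03:05:00Z", "user": "todd.koslowsky@zyx.example",
     "operation": "New-InboxRule",
     "rule": {"name": ".", "subject_contains": ["wire", "invoice", "password"],
              "delete_message": True, "mark_as_read": True, "forward_to": []}},
    {"time": "2018-03-10T03:07:00Z", "user": "todd.koslowsky@zyx.example",
     "operation": "New-InboxRule",
     "rule": {"name": "Sync", "subject_contains": [], "delete_message": False,
              "mark_as_read": False, "forward_to": ["backup.mail.77@webmail.example"]}},
    {"time": "2018-03-09T10:12:00Z", "user": "steve@zyx.example",
     "operation": "New-InboxRule",
     "rule": {"name": "Newsletters", "subject_contains": ["newsletter"],
              "delete_message": False, "mark_as_read": False, "forward_to": [],
              "move_to_folder": "Newsletters"}},
]

# Subject words an attacker filters on to hide replies about money or credential resets.
SENSITIVE_WORDS = {"password", "invoice", "wire", "payment", "reset", "security"}


def assess_rule(event, org_domain=ORG_DOMAIN):
    """Return the list of reasons a newly created inbox rule looks like ATO persistence."""
    rule = event["rule"]
    reasons = []
    if rule.get("delete_message"):
        reasons.append("deletes_matching_messages")
    external = [a for a in rule.get("forward_to", [])
                if not a.lower().endswith("@" + org_domain)]
    if external:
        reasons.append("forwards_outside_org")
    words = {w.lower() for w in rule.get("subject_contains", [])}
    if words & SENSITIVE_WORDS:
        reasons.append("filters_sensitive_keywords")
    # A one-character or blank name is chosen so the rule is overlooked in the client UI.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("inconspicuous_rule_name")
    if rule.get("mark_as_read") and (rule.get("delete_message") or external):
        reasons.append("hides_activity_from_owner")
    return reasons


def triage(events, org_domain=ORG_DOMAIN):
    """Rule-creation events worth an analyst's attention, with the reasons."""
    hits = []
    for event in events:
        if event.get("operation") != "New-InboxRule":
            continue
        reasons = assess_rule(event, org_domain)
        if reasons:
            hits.append({"time": event["time"], "user": event["user"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["time"], hit["user"], ", ".join(hit["reasons"]))
```

The time stamps on the two flagged events are also a signal in their own right: rules created minutes apart in the middle of the night, by an account that otherwise works office hours, fit the dormant-observer behaviour the text describes and can be correlated with the sign-in records for the same account.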
› Step 4: ATO-based Attack
If the attacker determines that assets can be retrieved directly from the account, he will immediately move to Step 5. Otherwise, the attacker will launch a targeted email attack against the contact list of the controlled account. The type of targeted email attack will depend on the previous reconnaissance and could consist of a Business Email Compromise to extract funds or a spear phishing campaign to gain a deeper foothold into the organization.
Depending on the targeted email attack, the attacker will move to exfiltrate the sensitive information or funds, or repeat the ATO process if user account credentials were requested.
WHY ARE ATO-BASED EMAIL ATTACKS SO EFFECTIVE?
Based on internal research, Agari has seen a 126% increase month-over-month in early 2018 alone. The data was observed from Agari Enterprise Protect, an advanced email threat solution that filters email traffic after it has been scanned by a Secure Email Gateway (SEG). As part of the analysis, Agari analyzed over 1,400 messages considered untrusted over a two-month period.
The reasons come down to two distinct adversary advantages:
1. Legitimate or established email accounts do not need to leverage impersonation techniques such as domain spoofing or display name deception to bypass email security controls.
2. Previously established trust relationships between the original user and their contacts make targeting and convincing the contact to give up sensitive data or release funds a significantly easier task.
However, not all ATO-based email attacks are the same, and the effectiveness will depend on the type of compromised account used in the attack. According to the same research, Agari determined that there are 4 account types used in ATO-based attacks.
Note: No Insider business account-based attacks were observed during the observation timeframe
As attackers become more adept at identifying and compromising specific employees to target their own organizations, the effectiveness of ATO-based email attacks and the real dollars lost to these attacks will be sure to rise.
HOW CAN I PROTECT MY ORGANIZATION AGAINST THESE ATTACKS?
ATO-based email attack protection should be added to the email security layer and integrate machine learning models to detect attacks originating from all 4 compromised account types.
Consider the following example:
Fig 2. Describes an example ATO-based email attack.
At first glance, the email does not look malicious. In fact, the email originates from an account of a real user, the recipient is a known contact, the subject matter in the communication is relevant, and the communication between Todd and Steve is expected. There is no way Steve could know that this email is from a cybercriminal using Todd’s compromised account. Additionally, traditional security controls predicated on first detecting an occurrence of bad behavior cannot detect such attacks: after all, this email originates from the legitimate account of a trusted sender.
To detect this attack, a next-generation solution that integrates Machine Learning models to analyze three key elements of an email communication, Identity, Behavior, and Trust, must be considered. Imagine a solution that can integrate the following:
1. Identity Mapping: This process would help determine a perceived identity of the sender. In the simplest view, the process could use the following identity markers to map the message to a previously-established identity or organization.
Fig 3. Likelihood of identity class (Finance Executive, Todd Koslowsky, ZYX Employee). Based on the mapping, the perceived identity is derived as Todd Koslowsky, CFO of ZYX Inc.
2. Behavioral Analytics: Given the perceived identity, the message could then be evaluated for anomalies relative to the expected sender behavior. Feature classes associated with the behavior could include but not be limited to the following:
Referring back to the example, a simple analysis of one factor would be to determine whether the time at which the email was sent is typical of the user’s normal behavior. Note that the email was sent at 3:00 AM; Todd Koslowsky never sends email at that time, which could be an ATO indicator.
3. Trust Modeling: Finally, to further ensure accuracy as the identity of the sender is confirmed and behaviors relative to that identity are tracked, the next phase would be to determine whether the communication from the sender is expected by the recipient. This modeling is a critical component in determining whether the recipient would actually open the message and take the requested action within it. Sources of this modeling could include:
Adding the dimension of Trust, the analysis could be expanded further. For example, based on historical communication, Todd and Steve’s communication is expected, but the significant delay in Todd’s response is not. Given that Todd sent the email at 3:00 AM when the last communication was at 2:00 PM the previous day, this could indicate that an attacker is attempting to hijack the conversation.
Taking these inputs from each dimension, a final score could determine whether the attack is indeed an ATO and allow organizations to enforce policies to block this attack before it makes it into the end-user’s inbox.
A NEW APPROACH: AGARI ENTERPRISE PROTECT
Agari Enterprise Protect leverages Agari Identity Intelligence™, an advanced artificial intelligence and machine learning system that ingests data telemetry from more than two trillion emails per year to model email senders’ and recipients’ identity characteristics, behavioral norms, and personal, organizational, and industry-level relationships.
Agari has integrated updates to its core Agari Identity Intelligence machine learning algorithms to model ATO-based behavior. When a message is received, it is subjected to the following phases of analysis and scoring:
1. Identity Mapping – Determines the perceived identity of the sender, mapping the sender to a previously-established sender/organization or a broader classification.
2. Behavioral Analytics – Given the derived identity, the message is evaluated for anomalies relative to the expected sender behavior, such as whether the sender has ever interacted with the recipient, whether the content or structure of the message is expected of the sender, or whether the frequency and timing of the message are normal. Any anomaly is treated as suspicious.
3. Trust Modeling – Finally, the last phase determines whether communication from the sender is expected by the recipient. The closer the relationship, the less tolerance for anomalous behavior, because the impact of an attack is greater. Ultimately, the system models interaction: how often the sender and recipient interact and whether the responsiveness and timing of responses between the two are normal.
4. Identity Intelligence Scoring – The final Identity Intelligence Score of a message is a combination of the features and indicators from the three phases, and determines whether the message is indeed originating from an Account Takeover-based compromised account.
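The Todd and Steve scenario worked through above (a message sent at 3:00 AM, answering a 2:00 PM message from the previous day, between two people who normally correspond during office hours) and the four scoring phases just listed can be made concrete in a few dozen lines. The block below is an added example written for this page, not Agari's Identity Intelligence system: it builds a behavioral profile from a constructed week of ordinary traffic, maps the sender to an identity, scores send-time and response-delay anomalies, weights the delay anomaly more heavily when the relationship is an established one, and combines the indicators into a verdict. The identity directory, the history, the thresholds and the weights are all assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Message:
    sender: str
    recipient: str
    sent_at: datetime
    replying_to_at: Optional[datetime] = None  # when the message being answered arrived


# Identity mapping table (constructed): sender address -> (name, role, organization).
IDENTITIES = {"todd.koslowsky@zyx.example": ("Todd Koslowsky", "CFO", "zyx.example")}

# Constructed history: a working week of ordinary Todd -> Steve replies,
# each sent within half an hour of Steve's message, during office hours.
HISTORY = [
    Message("todd.koslowsky@zyx.example", "steve@zyx.example",
            datetime(2018, 3, day, hour, 0), datetime(2018, 3, day, hour - 1, 30))
    for day, hour in [(5, 9), (6, 14), (7, 11), (8, 16), (9, 10)]
]


def build_profile(history):
    """Behavioral norms for the sender: hours seen, contacts, typical reply delay."""
    delays = [(m.sent_at - m.replying_to_at).total_seconds()
              for m in history if m.replying_to_at]
    return {
        "hours": {m.sent_at.hour for m in history},
        "contacts": {m.recipient for m in history},
        "median_delay": median(delays) if delays else None,
    }


def score_message(msg, profile):
    """Return (score, reasons) for one message against the sender's profile."""
    reasons, score = [], 0
    if IDENTITIES.get(msg.sender.lower()) is None:
        return 0, ["unknown_identity"]          # no profile to judge against
    # Behavioral analytics: is this an hour the sender has ever sent mail at?
    if msg.sent_at.hour not in profile["hours"]:
        score += 40
        reasons.append("unusual_send_time")
    # Trust modeling: is the recipient an established contact, and is the
    # reply delay in line with how these two normally correspond?
    expected = msg.recipient in profile["contacts"]
    if not expected:
        score += 20
        reasons.append("no_prior_relationship")
    if msg.replying_to_at and profile["median_delay"]:
        delay = (msg.sent_at - msg.replying_to_at).total_seconds()
        if delay > 4 * profile["median_delay"]:
            # Closer relationship -> less tolerance, so the anomaly weighs more.
            score += 30 if expected else 15
            reasons.append("abnormal_response_delay")
    return score, reasons


def verdict(score):
    """Identity Intelligence-style final decision from the combined score."""
    return "block" if score >= 50 else "flag" if score >= 30 else "deliver"


PROFILE = build_profile(HISTORY)
# The hijacked thread from the text: 3:00 AM reply to a 2:00 PM message the day before.
SUSPICIOUS = Message("todd.koslowsky@zyx.example", "steve@zyx.example",
                     datetime(2018, 3, 10, 3, 0), datetime(2018, 3, 9, 14, 0))
# An ordinary mid-morning reply for comparison.
BENIGN = Message("todd.koslowsky@zyx.example", "steve@zyx.example",
                 datetime(2018, 3, 12, 10, 0), datetime(2018, 3, 12, 9, 20))

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        s, why = score_message(m, PROFILE)
        print(m.sent_at, verdict(s), s, why)
```

Two design choices are worth noting. The profile is built only from the sender's own history, so a genuinely new contact is scored as an anomaly rather than silently trusted, and the delay threshold is relative to the pair's own median rather than a fixed number of hours, which is what lets the same rule work for a CFO who answers within minutes and a colleague who answers the next morning.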
To support this modeling, Agari has leveraged the elasticity enabled by its cloud-native architecture to drive over 300 million daily model updates, allowing the system to maintain a real-time understanding of this type of email behavioral pattern.
Agari Enterprise Protect is the first to model the four types of account takeover behavior: stranger email, employee webmail, trusted third, and insider business accounts.
› How Agari Enterprise Works
Agari Enterprise Protect deploys as a lightweight sensor either on-premises or in the cloud to integrate with the existing Secure Email Gateway (SEG). Working as the last line of defense, Agari EP receives all messages considered clean by the SEG and analyzes the messages for the existence of ATO threat signals. Upon confirmation that the message is a malicious ATO email, security operations teams can configure policies to immediately block or quarantine the message. Finally, email forensic information can also be extracted via email alerts or API for further incident investigations, including assisting in recovering or taking down the compromised account.
The right strategy to protect against Account Takeover-based email attacks is at the email gateway, and existing security solutions should be evaluated to meet the following:
CYBER THREAT ANALYSIS
Russian and Chinese
By Winnona DeSombre and Dan Byrnes
This report will be of greatest interest to organizations seeking to understand the criminal underground to better monitor industry- and company-specific threats, as well as to those investigating the Russian or Chinese criminal undergrounds.
When researchers primarily focus on items being sold on dark web markets, many gloss over the various types of communities that reside within the forums themselves, either focusing solely on Russian hacking collectives or not talking about forum members at all. This can cause readers to assume that the “hacker community” is an amorphous collective of individuals transcending borders and cultures. Quite the opposite — each country’s hackers are unique, with their own codes of conduct, forums, motives, and payment methods. Recorded Future has actively analyzed underground markets and forums tailored to Russian and Chinese audiences over the past year and has discovered a number of differences in content hosted on forums, as well as differences in forum organization and conduct.
Both Russian and Chinese forums host a wide variety of international content. While it is uncommon for Russian forums to advertise data dumps from Russian companies, data dumps and malware originating from Chinese companies are usually only found on Chinese forums.
Chinese speakers are active on Chinese, English, and Russian forums, while few to no Russian or English speakers use
Although current Chinese posts on non-Chinese forums are tailored to Chinese buyers, Recorded Future assesses with low confidence that Chinese buyers are beginning to bring services, data, and malware once unique to Chinese forums to a more international audience.
Russian forums will likely continue to provide content to a wide set of buyers on the internet in order to generate as much revenue as possible.
Russian forums are more tailored to business transactions, while Chinese forums instead focus on building the Chinese hacking community. Both communities sell goods and services for regional users, although this is far more prevalent on
Hacktivism originating from China as a result of politically sensitive international events has continued even after the dissolution of the original patriotic hacking groups and is likely to continue in the future.
Russian Forums — Thief Spirit
Chinese and Russian hacker groups, while emerging from similarly authoritarian countries, have very different origin stories and operate in different ways. Russian-speaking cybercriminals hold one thing above all else: money. Although sophisticated cybercrime is a trademark of the former Soviet Bloc, the financially-motivated cyber underground has much of its roots in the United States.
In 2000, the underground forum Counterfeit Library emerged as one of the first carding and fraud forums for English speakers.1 Russian speakers, upon discovering Counterfeit Library, wanted their own version, and responded with the “Odessa Summit.” This summit brought together a group of around 20 of the most premier Ukrainian fraudsters, who later became the founders of the Russian-language “Carders Alliance,” or simply CarderPlanet.2 CarderPlanet implemented a hierarchy of moderators and vetted all vendors before allowing them to sell any dumps, CVVs, fulls,3 SSNs, eBay accounts, magnetic stripe encoders, or skimmers — all the staple products of the carder community.
Following the lead set by CarderPlanet, the English-speaking world responded with ShadowCrew, another carding forum catered to
1 Poulsen, K. Kingpin. Broadway Books. 2011.
3 Personally identifiable information used for financial fraud.
During these early years in the formation of the cybercriminal underground, much of the activity surrounding credit card fraud, phishing, spamming, and the like was conducted by Americans. This is evidenced by the number of big busts and takedowns, such as Operation Firewall, Operation Shrouded Horizon, and the DarkMarket takedown, which dismantled many of the serious Western carder communities.
In Eastern Europe, technology use spread more slowly, and it took more time for internet connectivity and the personal computer to become ubiquitous in the republics and federations of the former USSR. The well-educated and underpaid citizens of these countries turned to crime against the West because they had the technical skills and needed the money. This is evidenced in the explosion of the types of scams, fraud, and malware launched by Russians in the early 2000s. For example, “Webmaster” forums such as Crutop and Master-X emerged with a focus on driving traffic to countless niche porn sites. Rogue pharmaceutical affiliate
4 Poulsen, K. Kingpin. Broadway Books. 2011.
5 Ibid.
Russian forums leave very little room for socializing or camaraderie. These sites are places of business, not bastions for community. Respect and trust are built on successful financial transactions, and the reliable, consistent forum members rise to the top of their trade, while those with lesser consistency are given poor ratings. Members with poor ratings or bad reviews often end up on the forum’s blacklist and can be sentenced to a role as a “kidala” or “ripper,” meaning an individual who rips off others. There are no apprentices in this corner of the dark web, and few Russian forum members are willing to teach anyone anything without clear financial benefit.
Despite being focused on business, successful members offer useful tools and good customer service. Carders who deal in bulk and provide good customer service, such as refunding declined credit cards in a timely manner, are preferred and rewarded with loyal buyers for as long as the supply lasts. Sellers of trojans and spam services give out holiday discounts, and bulletproof hosters pay referral bonuses to any existing customers who send them new business. These actors operate with the financial wit of the major corporations they themselves so often target.
There have been multiple instances of Russian hackers engaged in patriotic, vigilante activity, such as the cyberattacks against Estonia, Georgia, and others deemed personae non gratae by the Russian Federation. According to a study by Arbor Networks titled “Politically Motivated Distributed Denial of Service Attacks,” the pro-Kremlin youth group Nashi was allegedly involved in a DDoS attack against Estonia after a Soviet monument was removed.6 There was also a DDoS bash script made publicly available on the Russian blogging site LiveJournal whose function was to ping flood a list of Estonian IPs, allowing the less technical actors to get into the fight. The study also found that during the brief Russo-Georgian war, a DDoS attack was launched in sync with Russian tanks from various BlackEnergy-based botnets. One source claims that the spammer, Peter Levashov (Severa), sent out spam messages slandering the Kremlin and Mikhail Prokhorov, and recruited hackers to the “Civil Anti-Terror” community, which targeted Islamist and Chechen-separatist websites.7 Other, more verifiable accounts of Kremlin-backed hackers include Karim Baratov and Alexsey Belan, who were recruited by the FSB to orchestrate the Yahoo breach beginning in 2014.
6 Nazario, Jose. Politically Motivated Denial of Service Attacks. 2008.
7 Shnygina, Anna. “‘It’s our time to serve the Motherland’: How Russia’s war in Georgia sparked Moscow’s modern-day recruitment of criminal hackers.” 2018.
Unlike Russia’s underground hacking community, many of China’s first hackers rallied around patriotism.8 Much of this sentiment originated from China’s national determination to never relive its “century of humiliation” from the late 1800s and early 1900s, during which it was coerced by other great powers into unequal treaties, concessions, and a forced opium trade.
China’s first hacker groups emerged in the late 1990s, triggered by anti-Chinese riots in Indonesia. Chinese netizens expressed outrage at the international community for treating their fellow citizens with contempt and set up discussion boards, social media groups, and bulletin board systems to plan defacements against Indonesian government websites. Many of these boards evolved into the first Chinese hacking groups: the Green Army, China Eagle Union, and Hongke (or Honker) Union. These groups all contributed to early internet defacements, DDoS attacks, and credential thefts targeting the U.S. and other countries China regarded as adversaries. One such attack was in May of 2001, when the Hongke Union famously DDoSed the White House site and targeted websites of U.S. businesses in retaliation for the collision between a U.S. spy plane and a Chinese fighter jet off Hainan Island that occurred a month earlier.
While all three of these original groups have either shut themselves down, splintered, or faded away, this initial wave of cyber patriotism enabled a robust government-hacker relationship in China. Individuals have been recruited into government positions from Chinese technical forums, and many famous old-school hackers now run large cybersecurity and technology firms in China’s flourishing cybersecurity market while maintaining excellent business relationships with the Chinese government. Numerous Chinese cybercriminals have also admitted to contracting their services to national intelligence agencies and military organizations like the Ministry of State Security or the People’s Liberation Army.
Although many have also been turned into security news forums, patriotic hacking sites do still exist. Historically, Chinese hacktivist activity tends to increase noticeably whenever geopolitically sensitive events occur in the East Asian region. Chinese hacktivist groups
A new hacktivist group, 1937CN, initially compromised websites in Vietnam in May 2014 after Vietnamese outrage over a Chinese oil rig deployed in Vietnamese territorial waters. After primarily defacing websites in the Philippines in late 2015, 1937CN famously compromised the check-in systems at multiple major Vietnamese airports in July 2016, exposing the personal data of approximately 411,000 passengers in the process. This was allegedly a patriotic response to Vietnam’s relocation of missile launchers to disputed islands in the South China Sea.
It is difficult to determine how independently these hackers are acting. Malware found during 1937CN’s Vietnamese airport compromise has been linked to wider, possibly state-sponsored cyberespionage campaigns against Vietnamese organizations. However, the group also seems to contain elements of hacktivism. 1937CN has a Zone-H web defacement account, various social media accounts linked to their website, and even a promotional video consisting of multiple hooded individuals wearing Guy Fawkes masks, uploaded to a popular video-sharing site in July 2017.9 Additionally, the Chinese government took down 1937CN’s website in March 2017, which it has done in the past to websites of other Chinese hacker groups that too aggressively pursue perceived slights to China’s reputation.
Chinese forum members feel an overwhelming sense of community online. The term “geek spirit” (极客精神) is used to denote forum culture and refers to groups of technical individuals who hope to
9 While also known as the symbol of the international hacking collective Anonymous, the Guy Fawkes mask was popularized by the 2005 film V for Vendetta, widely thought to be banned in China until 2012.
This required social interaction with other forum members builds community; comments within forums range from slang praising the tools written by advertisers to messages thanking the seller outright. In addition, Chinese hackers advertise applications for apprenticeship programs on similar forums, where a more experienced hacker will teach an apprentice for a fee, dividing work among members based on skill level. Potential hackers will also ask for tutelage to get more involved in the community. This willingness to teach, and this level of social engagement, stand in stark contrast to the norms on the Russian-language forums that we detailed above.
Organization of Russian Underground Forums
The social dynamics within the Russian criminal forums are fairly compartmentalized and professional. This is exemplified by the fact that Russian fraudsters and Russian hackers largely operate on different forums. Fraud and carding forums are focused on the sale of stolen financial information, while hacking forums have more of a focus on malware, exploits, and other technical tools. Among general hacking forums, three main tiers of forums have evolved: open, semi-private, and closed. Open forums are largely available to all users, requiring only a functional email account for registration. Semi-private communities have some threshold for entry, such as a $50 registration fee or proof of membership on other boards. The administrators of more prestigious “closed” forums require those applying for membership to prove the authenticity of the illicit services they offer and/or require current forum members to vouch for them. Other forums like Exploit require users to have a certain number of posts to see more sensitive content.
Historically, these forums have been accessible on the clearnet, but many have adopted Tor mirrors as both a backup and a separate means of access for those without virtual private networks (VPNs). The forum administrators for Verified moved to Tor entirely in 2018 due to difficulties staying online on the clearnet, cycling through
Russian fraudsters and hackers do not rely on the traditional banking system to facilitate payments. Some of the original digital currency systems, like the now defunct E-gold, ePassporte, and Liberty Reserve, required little more than a valid email address to transfer stolen money into usable bank accounts and debit cards. For well over a decade, WebMoney was the go-to method of payment used on the Russian forums, but Recorded Future has observed a substantial decline in its use since the rise of cryptocurrency. Presently, Bitcoin, Monero, and other cryptocurrencies have been widely adopted in the Russian underground forums, and a cottage industry of cashout services has cropped up to exchange those coins into dollars or rubles. Money laundering operations like Fethard and ChronoPay are also used on top of cryptocurrencies, as the operations utilize an ever-changing network of banks and front companies to cover the final destination of currency used in illicit transactions.
Russian cyber outlaws must abide by an unwritten law if they desire to remain in front of their computer screens instead of a judge at the Moscow City Court: do not target citizens of the Commonwealth of Independent States. While Eastern Bloc cybercriminals have been known to test their malware on the domestic population before turning their cyber weapons toward Western targets, offenders who do more than just testing are quickly arrested. Dmitry “Paunch” Fedotov used his Blackhole exploit kit to spread multiple forms of malware internationally, but was only arrested when
Organization of Chinese Underground Forums
Chinese hacker groups are organized in notably different ways from their Russian counterparts, partially due to China’s strict censorship regime. The Golden Shield Project, or what would later become known as the “Great Firewall of China,” has been run by China’s Ministry of Public Security since 2000. The project was initially conceptualized to promote the adoption of advanced technology to strengthen central police control, responsiveness, and crime-combating capacity. However, much of the project evolved over time to focus on content filtering for Chinese individuals through IP blocking, IP address misdirection, and data filtering as internet adoption spread quickly throughout China.
The Great Firewall blocks websites, apps, social media, emails, messages, VPNs, and other internet content determined by the Chinese state to be inappropriate or offensive. For Chinese hackers, this often makes searching for foreign hacking content or illegal content for sale difficult. Additionally, the Great Firewall has multiple methods to identify outgoing Tor connections and shut down use of the Tor network, where many underground forums and marketplaces reside. One of the only consistent ways to “跳墙,” or jump the Great Firewall, is for Chinese citizens to use a VPN.
However, as of 2017, China’s Ministry of Industry and Information Technology (MIIT) requires VPN providers in China to be licensed by Chinese officials, and has subsequently shut down many VPNs it claimed to be “unauthorized.” This further stunts the ability of Chinese hackers to anonymously search the web or find international hacking sources. Because jumping the Great Firewall is so difficult, far fewer Chinese forums or marketplaces are hosted
In addition to these online communities, many hackers heavily utilize invite-only chat groups or forums within Chinese social media apps QQ, Baidu, and WeChat. However, native Chinese chat groups and forums are also heavily censored and occasionally shut down by the Chinese government. The government has shut down multiple hacking and fraud sites in the past for various legal reasons. Some QQ groups still advertised on dark web sites are no longer accessible, and searches for Tieba bars that housed known hacker activity also show up as banned. Furthermore, because the Chinese government has historically driven hacking activity through both formal and informal channels, many Chinese forum members are fully aware of the consequences of acting outside that informal agreement and usually stay away from targeting systems within their homeland.
Chinese forums are also usually not as compartmentalized as their Russian counterparts, and are more community focused rather than business focused. Fraudsters and exploit writers will often use the same forums (albeit advertising their wares in different channels within the forum) and Chinese marketplaces dedicated to specific items like drugs or pornography will also contain a “hacker” section. Additionally, many underground forums for erotic content will also advertise “cracked web cameras” — cameras in bathrooms or bedrooms that have been broken into by amateur hackers. Member accounts on many forums have also been somewhat gamified: Chinese accounts are sometimes associated with levels — numbers correlated with how often an account logs onto a forum, the number of sales posts from an account, and whether the account has ever violated any forum rules. Chinese forums can encourage users to interact and share more online. This is similar to Russian forums, which require a user to surpass a set number of forum posts in
Menu of drug website with a section for “hackers” next to sections for mushrooms and LSD.
In general, Chinese forums and marketplaces are organized similarly to the three tiers (open, semi-private, and closed) of Russian forums. As with Russian forums, the quality and complexity of the products sold on the more open forums are usually not as good as products on their closed counterparts. This is usually due to the difference in vendor sophistication and reliability. Forums in both languages also contain an administrator-verified “blacklist” section, where individuals can post proof that a vendor has provided a faulty or deliberately false product or service. This usually provides a good enough deterrent against unreliable vendors. The forums with higher barriers to entry usually result in more experienced vendor membership simply by having a vetting process. While most vetting processes are explicit — paying a forum admin, proving access to other forums, or having an existing forum member sponsor the new member — some Chinese forums also have implicit vetting processes. For example, many Chinese hacker QQ group and WeChat group numbers are advertised on semi-private forums, meaning that one must have been pre-vetted by a different forum prior to gaining access to the group itself.
Another implicit vetting process a Chinese forum can employ is to simply host the forum on Tor. Many Chinese forums hosted on Tor only require an email for registration, but all Chinese users must be able to jump the Chinese firewall and understand how to find the forum in order to register. This likely contributes to why most users of these forums are more technical than users on the Chinese clearnet.
Malware on Russian forums has rapidly evolved, but forum tradecraft has largely stayed the same. Ransomware, loaders, trojans, exploit kits, installs, spam bots, web traffic, forged documents, money mules, bank accounts, and credit cards are all still present and accounted for — they just look a bit different. For example, rogue antivirus has evolved into scareware, then from scareware to lockers, from lockers back to scareware, and finally, from scareware to ransomware. Each type has its own flavor, but all render a victim’s computer useless until hackers are paid to go away. The exploit kits Blackhole, Phoenix, and Nuclear have all come and gone, championed today by Rig, Magnitude, and Grandsoft. One of the few significant differences in tradecraft today is that malware is more likely to be dropped from weaponized Word macros than the once-dominant exploit kits.
ZeuS persists to this day across Russian malware forums as a trojan blueprint, despite its takedown in 2014. The leak of its source code was used to build a plethora of banking trojans like SpyEye, Dridex, and Carberp, and its lineage still survives to this day as Tinba and others. While banking trojans are certainly still in play, groups like FIN7 cut out the middleman and target banks directly. Although their top three members are in jail, Recorded Future believes the remaining members of Combi Security have potentially learned enough from their former managers to pose a threat to financial institutions in days to come.
Because the release of source code can increase the number of vendors selling the same or derivative malware like ZeuS’s descendants, malware source code is carefully guarded by its authors. Malicious programs on the underground, like banking trojans and loaders, are sold in the form of “builds,” which are similar to individual software licenses. For example, Smokebot, sold by the actor SmokeLdr, costs $400 per license, with the option to purchase additional modules, such as a form-grabber for $300 and a cryptominer for $100. There are even terms of agreement stating that each build (license) is only for one individual and is not to be resold. Rebuilds of Smokebot, or modification of the configuration file, are an additional $10 each, and are necessary if the customer
Partnerkas, or affiliate programs, are also employed by malware authors to maximize their revenue from a single piece of software. This method is used by ransomware strains like Cerber, operated by the threat actor crbr, who distributes builds of Cerber to the affiliates, or actors participating in the partnerka. These affiliates then spread Cerber themselves through vectors like spam or malvertising, and in return, earn a percentage of every ransom paid. A partnerka setup like this one allows crbr to focus primarily on the development of Cerber and its infrastructure, while outsourcing all the distribution to third parties without sharing the source code with anyone else.
Dealing in fraud often means dealing in bulk quantities of information. The Target and Home Depot attackers absconded with the data of 40 and 56 million payment cards, respectively. Selling this many cards on forums or over Jabber chats would be a herculean labor, requiring a large support staff operating around the clock. To solve this problem, automated vending sites (also referred to as “carding shops”) like Rescator, Trump’s Dumps, and Joker’s Stash were created to allow carders to order the specific types and quantities of credit and debit card data without any human interaction at all. These have a layout similar to Amazon or eBay, where buyers can point and click on what they want, add it to their cart, and check out within a matter of minutes. Without carding sites such as these, it would be extremely difficult to monetize the massive amounts of data stolen from mega breaches.
Other fraud-related services require a much more personal touch. Criminals of all sorts often require fake identification in the form of driver’s licenses, IDs, and passports, all of which can be found on Russian forums. The actor vengativo offers one such service, claiming
Miscellaneous: Bulletproof Hosting and VPNs
Criminal forums, Jabber servers, banking trojans, and other criminal operations all could not exist without hosting, and those individuals who use these services could not use them securely without some sort of network anonymity. Thus, bulletproof hosting — hosting services operating in jurisdictions that large tech companies and federal law enforcement have no influence over — forms the backbone of the criminal underground. Actors like Whost, who has been in business for over a decade, offer servers in Beirut, Lebanon for as little as $100 per month. The fast-flux hosting services operated by actors like Yalishanda make takedown efforts against malware extremely difficult, allowing infrastructure like CnC domains to be constantly cycled through an ever-changing series of IP addresses. Additionally, VPNs allowing actors to hide their true IPs are sold on Russian forums. Actors like FirstVPN offer a variety of VPN configurations with servers available in 24 different countries for untraceable network activity. These different autonomous services comprise a sort of dark web ISP, upon which the criminal underground is built.
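The fast-flux pattern described above (a CnC domain cycled through an ever-changing series of IP addresses) is something a defender can score from passive DNS. The following is an added example, not code from the report: it flags domains whose A-record answers churn across many IPs and autonomous systems with short TTLs, and shows why a CDN that shares the short-TTL trait is not flagged. The domain names, IPs, ASNs and thresholds are constructed sample values, and the ASN column is assumed to come from an external IP-to-ASN enrichment feed.

```python
"""Heuristic fast-flux detection over passive-DNS style observations.

Added example, not code from the report. Each queried domain is scored
on how many distinct A-record answers it returns, how many autonomous
systems those answers span, and how short the TTLs are. A fluxing CnC
domain shows all three; a CDN shares only the short TTL. All names,
IPs, ASNs and thresholds are constructed sample values.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsObservation:
    ts: int       # unix seconds when the answer was observed
    qname: str    # queried domain name
    ip: str       # A-record answer
    ttl: int      # answer TTL in seconds
    asn: int      # autonomous system of `ip` (assumed enrichment feed)


@dataclass(frozen=True)
class FluxScore:
    qname: str
    distinct_ips: int
    distinct_asns: int
    avg_ttl: float
    ips_per_hour: float  # distinct IPs over the observation window


def score_domains(obs: Iterable[DnsObservation]) -> Dict[str, FluxScore]:
    """Aggregate per-domain churn statistics from raw observations."""
    by_name: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in obs:
        by_name[o.qname].append(o)
    scores: Dict[str, FluxScore] = {}
    for name, rows in by_name.items():
        rows.sort(key=lambda r: r.ts)
        ips = {r.ip for r in rows}
        asns = {r.asn for r in rows}
        # Floor the window at one hour so a burst of answers seen within
        # seconds does not produce an absurd per-hour rate.
        window_h = max(rows[-1].ts - rows[0].ts, 3600) / 3600.0
        scores[name] = FluxScore(
            qname=name,
            distinct_ips=len(ips),
            distinct_asns=len(asns),
            avg_ttl=sum(r.ttl for r in rows) / len(rows),
            ips_per_hour=len(ips) / window_h,
        )
    return scores


def is_fast_flux(s: FluxScore, min_ips: int = 5, min_asns: int = 3,
                 max_avg_ttl: int = 300) -> bool:
    """All three signals must agree: many IPs, many ASNs, short TTLs.

    Requiring ASN diversity is what separates fast flux from a CDN or
    round-robin load balancer, which also answer with many short-lived
    IPs but keep them inside one or two networks they control.
    """
    return (s.distinct_ips >= min_ips
            and s.distinct_asns >= min_asns
            and s.avg_ttl <= max_avg_ttl)


def flagged_domains(obs: Iterable[DnsObservation]) -> List[str]:
    """Sorted list of domains matching the fast-flux heuristic."""
    return sorted(n for n, s in score_domains(obs).items() if is_fast_flux(s))


# Constructed sample: one fluxing CnC domain, one CDN, one static site.
SAMPLE = [
    # cnc-update.example: seven IPs in six ASNs over two hours, TTL <= 180
    DnsObservation(0,    "cnc-update.example", "198.51.100.10", 60,  64501),
    DnsObservation(600,  "cnc-update.example", "203.0.113.25",  120, 64502),
    DnsObservation(1200, "cnc-update.example", "192.0.2.77",    60,  64503),
    DnsObservation(1800, "cnc-update.example", "198.51.100.10", 60,  64501),
    DnsObservation(2400, "cnc-update.example", "203.0.113.140", 180, 64504),
    DnsObservation(3000, "cnc-update.example", "192.0.2.201",   60,  64505),
    DnsObservation(3600, "cnc-update.example", "198.51.100.88", 120, 64501),
    DnsObservation(7200, "cnc-update.example", "203.0.113.9",   60,  64506),
    # cdn.example: six IPs with 30 s TTLs, but only two ASNs
    DnsObservation(0,    "cdn.example", "192.0.2.1", 30, 64600),
    DnsObservation(900,  "cdn.example", "192.0.2.2", 30, 64600),
    DnsObservation(1800, "cdn.example", "192.0.2.3", 30, 64601),
    DnsObservation(2700, "cdn.example", "192.0.2.4", 30, 64600),
    DnsObservation(3600, "cdn.example", "192.0.2.5", 30, 64601),
    DnsObservation(4500, "cdn.example", "192.0.2.6", 30, 64600),
    # www.example: one stable IP with a one-hour TTL
    DnsObservation(0,    "www.example", "198.51.100.5", 3600, 64700),
    DnsObservation(3600, "www.example", "198.51.100.5", 3600, 64700),
]

if __name__ == "__main__":
    for name, s in sorted(score_domains(SAMPLE).items()):
        print(f"{name:20} ips={s.distinct_ips} asns={s.distinct_asns} "
              f"avg_ttl={s.avg_ttl:.0f}s flux={is_fast_flux(s)}")
    print("flagged:", flagged_domains(SAMPLE))
```

Thresholds are deliberately conservative; in production they would be tuned against an allowlist of known CDN and cloud ASNs rather than fixed constants.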
Content in Chinese Underground Forums and Marketplaces
Common categories within Chinese malware forums include DDoS tools, remote access trojans, antivirus evasion techniques, and penetration testing. Certain forums will also contain sections for cracked software and will have areas for individuals to hire hackers. In addition to selling malware and other tools, individuals will share programming and hacking tutorials on these same forums, occasionally offering or asking for teaching or mentorship services.
Many lower-tier or open Chinese forums contain advertisements either for malware created by foreign vendors, or open source tools. However, the same forums often also contain malware unique to these Chinese communities. Much of this malware originates from newer hackers who wish to receive criticism of malware they write themselves and usually only have access to lower-level forums. Forum posts under the original advertisement will often contain reviews of custom malware and suggestions on how the malware author can improve. Because of this, individuals will often release multiple builds of their product, similar to users on Russian forums. However, unlike their Russian counterparts, many Chinese malware authors will offer up their source code for a small fee in order to receive feedback from other members to incorporate into newer editions. Cracked software is also often advertised on Chinese forums and is usually tailored to the East Asian market. For example, Xunlei Download Manager, YangCong Math, and the Baidu Wangpan cloud service are all products primarily consumed by Chinese speakers, and cracked versions of their software are readily found on underground Chinese forums.
While Chinese forums will advertise credit card data and personal information belonging to international users of large multinational corporations, many posts will also contain equal amounts of data belonging to China’s unique domestic technology industry. For example, Taobao and Alipay accounts are almost as prevalent as a set of Visa card numbers on certain forums. Most data belonging to these companies consists of East Asian user accounts.
Furthermore, some of this data is only found on Chinese forums, as is the case of a data dump from 51job, Inc. from June 2018. The dump of 2.45 million accounts from the major Chinese job board and provider of integrated human resource services was found by Recorded Future on DeepWebChinese on June 14, 2018. Recorded Future did not detect any other reference to the data dump on any non-Chinese forums. Similarly, Chinese delivery service SF Express also suffered a data breach in July 2018, the content of which has only shown up on Chinese dark web marketplaces as of late August 2018.
Recorded Future assesses with medium confidence that domestic data dumps are not shared beyond domestic Chinese marketplaces due to linguistic and cultural barriers. Not only is there little language crossover between forums, but the act of taking advantage of a Chinese account or personal information requires knowledge of Chinese services. China’s technology industry is largely tailored to
Aside from providing opportunities to make money through cybercrime and identity theft, Chinese vendors will advertise forged documents for sale, most of which are tailored to a Chinese audience. Foreign diploma forgeries are incredibly popular. Paste sites and forums of all languages show Chinese advertisements for diploma creation services to fool family and friends. Many vendors even claim that their diplomas fool state-owned corporations, which check credentials through the Chinese Ministry of Education. Other common forgery services found include forged foreign passports and Chinese business licenses. Vendors play into the concept of “mian-zi” in China to attract clientele by claiming that these diplomas, passports, and business licenses will provide better career opportunities and respect from family members. Like Chinese hackers, Chinese fraudsters will also openly sell their tools and tutorials alongside their wares.
What Is Mian-Zi?
The concept of “mian-zi,” or “face,” can be described as gaining and retaining respect or prestige from peers. Much of China’s culture revolves around this concept, especially when pertaining to family and business. “Losing face” can be such a fear for individuals in China that they would rather deceive others than be honest about their shortcomings. For example, many women going back to their hometowns over Chinese New Year would prefer to rent fake boyfriends to show off to their parents rather than admit that they are single, and young Chinese businessmen have realized that purchasing a fake diploma is an easy way to beef up a resume before looking for a job.
Miscellaneous: Weapons, Pornography, VPNs
Compared to other hacker forums, Chinese marketplaces advertise a wide variety of miscellaneous wares that are uniquely tailored to Chinese and other East Asian buyers. Although the possession of many of these items is completely legal in other countries, they are illegal in mainland China.
For example, only a small amount of the pornographic content shared in Chinese marketplaces would be considered illegal outside
As for weaponry, large knives are commonly found on Chinese dark web marketplaces. This is likely the result of national regulation controlling the sale of knives with blades larger than 5.9 inches, due to knife attacks within the country in 2008, 2011, and 2014 attributed to Uighur separatists.
Although the sale of VPNs is not a uniquely Chinese forum characteristic, the massive number of VPNs for sale on Chinese forums is notable. Mentions of VPN access shared or sold on Chinese underground forums have steadily increased since January 2017, when the Ministry of Industry and Information Technology announced that it now requires VPN providers to be licensed by Chinese officials. The activity rose even more rapidly once China’s official ban against VPNs came into effect in March 2018
Interactions Between Chinese and Russian Hackers in Forums
Analysis of select underground forums in Recorded Future demonstrates that Russian forums consist of primarily English and Russian posts with some Chinese overlap. The Chinese posts indicate that Chinese vendors are communicating with Chinese buyers on foreign forums. Additionally, many Chinese posts within Russian or English forums are fraud services tailored to Chinese audiences, like the fake diploma sales mentioned above.
In contrast, Chinese forums consist almost entirely of Chinese-language posts, with most English posts on the forums consisting of numbers, code, or simple words. Thus, it is probable that while some Chinese vendors and buyers are on Russian and English forums, very few non-Chinese vendors advertise on Chinese forums. The lack of Russian or English speakers on Chinese forums could be due to a language barrier that exists between Chinese and Russian hackers. Chinese is among the hardest languages to learn, and only a handful of Russians speak foreign languages at all.
The hacker cultures of China and Russia each have their own unique genesis and have evolved to take advantage of their respective regional circumstances. Understanding the differences within these communities is essential to grasping the respective threats they currently pose and the manner in which these threats may evolve.
Recorded Future assesses with high confidence that the Russian underground will follow the money above all else. Predominantly, these forums have catered to the former Soviet Bloc, but they also have a unique appeal to the international community, as the databases and credit cards sold on them come from victims throughout the world. The exploit kits and bulletproof hosting are open to most anyone with enough Bitcoin. In fact, a number of sales threads on Russian forums are posted in both English and Russian, demonstrating a willingness to expand into other markets. This cross-cultural endeavor is reminiscent of the original fraudster forums and could once again bring the English-speaking hacker communities closer to their Russian comrades. Anyone with enough background in English — a mandatory language to study in China — could find their way into some of these Russian forums and access the extensive criminal arsenal therein. This may result in the exchange of tactics and tools across English, Chinese, and Russian-speaking criminal groups, whose target bases will suffer from potentially new methods of attack.
The members of the Russian-language cyber underground pose a global threat due to their sophistication and diverse criminal operations. Regardless of their location, every financial institution, social network, and ISP should take note that they and their customers are or could be a target, and ensure that their systems are continually patched against commonly known vulnerabilities.
Recorded Future also assesses with medium confidence that China’s determination to shut down Tor and VPN access to its citizens in a crusade toward a “clean and righteous internet” will cause Chinese markets and hacker forums to shut down. Increasing numbers of Chinese dark web vendors will peddle their wares on foreign sites as a result, thereby increasing foreign access to previously unique regional malware and hard-to-get data. If no drift occurs
For now, companies doing business in China or the wider East Asian region should monitor Chinese hacking forums and marketplaces for credential leaks and operations targeting company infrastructure, due to the variety of East Asia-specific data, specifically on these sets of forums. Additionally, companies with offices within East Asia should ensure that their infrastructure is secured against malware developed within Chinese forums, and monitor politically sensitive regional events that might spur Chinese patriotic hacktivism.
Recorded Future arms security teams with the only complete threat intelligence solution powered by patented machine learning to lower risk. Our technology automatically collects and analyzes information from an unrivaled breadth of sources and provides invaluable context in real time and packaged for human analysis or integration with security technologies.