Cybersecurity company CyberInt has been shortlisted for a Security Serious Unsung Hero award in the Security Avengers category
In an era where cybercriminals plan and orchestrate attacks in the anonymous recesses of the Dark Web, effective threat intelligence has to become increasingly pro-active and investigative.
To enable enterprises to extend their security perimeters to encompass the Dark Web forums where organised criminal gangs (OCGs) hide, CyberInt has assembled a unique team of cyber sleuths comprising ex-CISOs, veterans of Israel's Unit 8200 Intelligence Corps and white-hat hackers spread across Israel, New York, London, Singapore, and Manila, who keep watch on developing threats and threat actors around the globe. Their work involves infiltrating the encrypted forums where OCGs, black-hat developers and hackers congregate.
This can frequently lead to the arrest of criminals who have become adept at the skills needed to break into even the most highly defended enterprise networks. For example, earlier this summer, as a result of a co-ordinated investigation with leading cyber security vendor Check Point, CyberInt led Brazilian authorities to alleged cybercriminal Douglas Arrial, who allegedly created a DIY phishing kit he was selling on the Dark Web. The initial attack was automatically detected by CyberInt’s Argos™ digital risk protection platform, which drives real-time detection of cyber threats via its unique artificial intelligence and machine learning algorithms.
Once the attack was detected, the CyberInt analyst team performed deep-dive investigations on behalf of a major Brazilian supermarket chain – the attack was targeting the chain’s customers to obtain their credentials and personal information. CyberInt’s international team of analysts swiftly discovered a part of the code referring to a Douglas Zedn. They then traced it back to his digital identity, including his Twitter handle. Arrial used the same profile for both his personal and “professional” activities, so the team was able to trace the attacks directly to Arrial before informing the authorities.
“Whenever our research teams find something critical, our policy is to notify law enforcement and the relevant enterprises – customers or not – to make sure we can prevent other people from being victimized,” says CyberInt CEO Amir Ofek. “It is always exciting to see our cyber activities come to life and help lead to suspected cybercriminals’ arrests.”
This kind of investigation also frequently exposes the latest techniques and tools being developed by cybercriminals – allowing enterprises to secure their networks effectively. The [A]pache phishing kit allegedly developed by Arrial, for example, makes it easy for even those cybercriminals with limited technical ability to carry out highly effective and sophisticated attacks. At $100-$300, the cost of the [A]pache phishing kit is higher than that generally charged for more standard phishing kits. But [A]pache’s next-generation product provides threat actors with a full suite of tools with which to carry out attacks. For instance, it offers cybercriminals an entire back-office interface with which they can create convincing fake online retail product pages for their fraudulent marketing campaigns.
The global cost of cybercrime is now estimated to have reached as much as $600 billion a year, roughly 0.8 per cent of global GDP, according to a report titled “Economic Impact of Cybercrime — No Slowing Down,” by McAfee and the Center for Strategic and International Studies (CSIS).
This has effectively transformed cybercrime from a fringe criminal activity into a burgeoning new global industry. As such it has started to create a whole raft of support services such as help desks and malware-as-a-service to help OCGs carry out their attacks with maximum effectiveness.
These highly supported and increasingly professional cybercrimes can range from phishing attacks supported by [A]pache-level kits to carefully planned ransomware attacks that compromise the target organisation’s entire database and are supported by criminal but highly professional software-as-a-service products.
Earlier this year, CyberInt’s investigators also discovered that existing hacker groups never previously found to be associated with or sponsored by governments have started to use sophisticated tools and techniques formerly deployed exclusively by nation states such as Russia and China. For example, OCGs have been found to be utilising Saturn ransomware, a highly sophisticated piece of software that can be distributed via phishing or email as Ransomware-as-a-Service (RaaS) and is now available on the Dark Web for free. Other former nation-state techniques now becoming more common in purely criminal circles include “watering hole” attacks exploiting weaknesses in the defences of third parties such as the target organisation’s suppliers, sub-contractors, partners, and clients. These types of attacks are not always aimed at short-term financial gain; they are also ideally suited to the intellectual property theft and corporate espionage for which they were originally designed.
“These new types of attacks, which started to appear in the latter half of 2017, can be particularly dangerous for corporates as this new breed of OCGs are in it for the long game and will sit within a compromised IT system, carrying out repeated fraud, siphoning off cash and carrying out cyber-espionage,” says Jason Hill, lead research analyst at cyber-security firm CyberInt.
Even major corporations are often totally unaware of the resources cybercriminals now have to hand to help them break into the most heavily secured corporate networks. For instance, for months prior to the major Tesco Bank attack in which cybercriminals took £25 million from customer accounts, hackers were openly referring to Tesco Bank as a “cash milking cow” and “easy to cash out” in posts on Dark Web forums.
CyberInt’s team of analysts found these early indications of an attack while carrying out a probe of hidden web pages. They discovered that the cybercriminals were discussing the potential uses of a tool that tested thousands of login and password combinations, allowing access to Tesco accounts.
Monitoring the development of this fast-growing criminal underworld hiding in the shadows of the Dark Web is now essential not only in cyber security terms; it is rapidly becoming crucial to corporate survival. Twenty-first-century enterprises cannot afford to allow cybercriminals easy access to their most sensitive data without risking a potentially fatal loss of customer and investor confidence.