Dark Web, the criminal ecosystem is transformed. What does the future have to offer?

by admin

Observing the criminal ecosystem on the dark web provides valuable elements for identifying trends in the threat landscape and trying to counter them.

For example, according to the recent “Kaspersky Security Bulletin (KSB)” report published by Kaspersky, a significant increase in extortion phenomena last year was accompanied by intense cyber criminal activity on the dark web. The security company’s experts have analyzed emerging trends on the dark web trying to identify the activities that will monopolize the criminal underground in the coming months.

The first element to emerge is the increase in forums, leak sites and ransom negotiation portals used by ransomware groups. In 2022, around 386 monthly blog posts were published on public platforms and the dark web while last year that number rose to 476 with a peak in November (634 posts).

Figure 1 – Number of ransomware blog posts in 2023. Source: Kaspersky Digital Footprint Intelligence

The increase in extortion activity has therefore corresponded to a greater availability of personal and sensitive information, such as personal and company credentials, in the main criminal forums. This information is usually obtained either following the compromise of a web platform or by infecting systems with malicious code known as information stealers.

In recent months, an increase in the availability of info stealers has been observed in the main hacking forums on the dark web, as well as on portals created specifically by the authors of this malware. These threats are offered under a malware-as-a-service (MaaS) model, in which authors rent out their malware for a few hundred euros; sometimes it is even possible to purchase the source code to create your own version of the information stealer. In this context it is easy to imagine an increase in the availability of these tools on the dark web, with obvious risks for individuals and companies.

In many forums on the dark web it is possible to purchase the logs of information stealers such as Redline because within these files it is possible to find a lot of information stolen from users, including access credentials to various services.

Again according to Kaspersky, the posts offering the logs of the well-known Redline stealer have even tripled, going from a monthly average of 370 in 2022 to 1,200 in 2023.

Another area of concern is the growth in demand for crypto-draining services. A crypto drainer is a malicious application that allows the rapid and automatic transfer of cryptocurrencies from victims’ wallets to those of criminals. This increase is mainly attributable to the growing interest in crypto assets such as cryptocurrencies and NFTs.

A related phenomenon is the proliferation of cryptocurrency laundering services, known as mixers or tumblers. Through these services it is possible to hinder the investigations of law enforcement agencies and cyber security companies.

Malware, as highlighted by the latest annual report from the European cyber security agency ENISA, represents the main threat to companies, government organizations and citizens. For this reason, services and components that make malware more evasive are multiplying within criminal forums on the dark web.

The dark web continues to be one of the places on the Internet where it is possible to find credentials from the numerous data breaches that now occur around the world on a daily basis. These credentials are essential for attackers who use them to launch attacks against companies and users.

According to the “SOCRadar 2023 End-of-Year Report” published by the SOCRadar company, the number of conversations on major dark web forums containing the phrases “Data Sharing” and “Data Selling” has increased over the past year. These topics monopolized the discussions, representing 54.99% and 39.65% respectively. This attention reflects the thriving black market for data and is representative of the increased commercialization of personal and business information in major marketplaces on the dark web.

Figure 2 – Analysis of topics discussed in dark web forums

The analysis of mentions in posts on the dark web revealed the specific interest of malicious actors in information useful for targeting organizations operating in the IT and Telco, Finance, Insurance, Banking, and Public Administration sectors.

The data highlights a higher risk of cyber attacks for companies operating in these sectors and underscores the importance of adopting suitable cybersecurity strategies.

Malicious actors often offer or seek compromised credentials for some of the most popular cloud-based Software-as-a-Service (SaaS) solutions. This allows them to gain broad access with a particular set of usernames and passwords. According to a study conducted by IBM, Microsoft Outlook was clearly the most cited SaaS solution in dark web discussions, followed by WordPress and Zoom.

“Understanding the type of cloud access threat actors are selling can help us understand how they were able to compromise accounts,” reads IBM’s “X-Force Cloud Threat Landscape Report 2023”. Observation of the dark web is therefore crucial for detecting and responding to security threats as well as understanding criminal trends.
