
The Cyber Underground: Facilitating and Monetizing Cyber Attacks

According to recent reports and surveys, data breaches have been on the rise over the past year. There was a surge to over 2,100 confirmed breaches in 2014, impacting organizations in 61 countries. One major U.S. newspaper published over 700 articles on the topic during the year, while the same newspaper published only 125 articles during the previous year. This drastic increase in attack activity is partially due to attackers' use of the cyber underground to collaborate, innovate, and monetize their attacks – the cyber underground provides the technical proficiency that enables cyber attacks and the place where attackers make money after a successful breach. Because of the widespread use and availability of online marketplaces for trafficking in stolen data, data breaches have proven especially profitable for attackers. Many members of private industry monitor activity on the underground to protect their brand and customers, but this initiative introduces a separate risk to your organization.

In addition to collaboration on tools and methods, cyber threat actors sell services that support cyber attacks, launder money, and traffic in stolen data including payment card information and compromised website credentials. This collaboration and innovation drives the emerging nature of the cyber threat landscape and the increasing sophistication of attack tools. Experts generally agree that cyber threat actors will continue to innovate and advance attack methods, leveraging the specialization available in the cyber underground.

Data Breaches on the Rise as Cyber Attacker Profits Soar

February 2016

The Cyber Underground: What is it?

Consisting of over 800 independent websites, the cyber underground is where cyber attackers of all skill levels go to facilitate their criminal activity. The individual websites that make up the underground can be very easy or quite difficult to access. Some are available on the open internet by doing basic research and others are highly exclusive, vetted communities or require the use of software tools to even access the website. Cyber actors go to the underground to purchase attack tools, troubleshoot their own tools, and sell data that is often stolen in cyber attacks. A host of illicit goods are available on the cyber underground including drugs, fake identification, and sensitive personal information.

© 2016 Citigroup Inc. Citi and Citi with Arc Design are registered service marks of Citigroup Inc.


The following cyber underground services currently pose the most significant threat to private industry, although there are many other services offered in the cyber underground that could pose a more significant threat to a specific enterprise, depending upon the industry type.

• The trafficking of compromised credentials – sale of website usernames and passwords (email, retail, etc.) and valuable payment card numbers used to facilitate fraud

• Services provided by sophisticated coders – services that make malicious software (viruses, exploit kits, botnets) effective and more difficult to detect

• Global cashout services – services to help move money between criminals

How Much Is This Data Worth?

The price of data and services sold in the cyber underground fluctuates drastically, with a noted dependence on the availability of data and the effectiveness of emerging fraud methods. The following represents a rough estimate of recent values as generally reported in openly available research as of late 2015:

• Payment card data: $1 - $20 per card

• Crypting services: $50 - $150

• Counterfeit identification: $100 - $400

• Access to 1,000 compromised computers to use in your own cyber attack: $4 - $190

• Distributed Denial of Service attack leasing: $3 - $5 per hour

• Services to send spam emails to 1 million email addresses: $70 - $150

Global Law Enforcement Regularly Disrupts Cyber Underground Sites

Law enforcement agencies often work collaboratively to mitigate threats that emerge in the cyber underground by seizing the servers that host the websites and arresting the actors. In July 2015, the FBI led a coalition of international law enforcement partners in seizing the most sophisticated cyber underground marketplace, Darkode. The marketplace specialized in the sale of botnets, malware designed to take over and control victim computers. Although the takedown was significant in terms of its size, just twelve days after the seizure of the Darkode servers the marketplace resurfaced at another web location, presumably offering the same services from some of the actors who were not arrested. Previous underground marketplaces disrupted by law enforcement include Silk Road, Carderprofit, and DarkMarket.



Of the hundreds of cyber underground sites that operate globally, there are several concentrations in Europe, Asia, and Latin America focused on providing regional services while still maintaining global participation. Analysis suggests that developments in these underground markets are fueled regionally by their linguistic, cultural, legal, and technological environments. Specialized services are a consistent trend – actors segment their operations to focus on the skills where they enjoy a competitive advantage, along with a presumed lower exposure to law enforcement.

Cyber researchers largely agree that the following emerging trends highlight the ever-evolving nature of the cyber underground:

• A sustained demand in underground marketplaces for the compromise and trafficking of entire databases containing personally identifiable information (PII)

• The technical ability of actors is advancing to circumvent new security methods for payment cards

• The volume of counterfeit document trafficking is increasing

The underground will continue to innovate as long as cyber attacks and data breaches prove profitable, with cybercriminals likely progressing to more targeted and deliberate attack methods. Automation is also a concern for victims and organizations on the defense: as actors increasingly automate each stage of a cyber attack, the immediate detection necessary to prevent loss of funds becomes more difficult.

Private industry often monitors activity on the underground for the presence of its corporate or customer data and to detect cyber attacks. Private industry action often involves alerting when underground sites feature corporate data, reporting on new attack techniques, and monitoring for infringements on intellectual property. Private companies often face tough decisions in striking a proper balance between monitoring underground activity on their own, which carries the risk of unknowingly becoming a party to illegal activity, and using third-party vendors who specialize in this type of monitoring but may not have access to all sites where corporate information is trafficked. Engaging with information sharing groups to ensure the maximum level of coverage is key to gaining insight into cyber underground activity targeting all industries.