Under the Hood Of Cyber Crime


An excerpt from “2019 Security Report, Welcome to the Future of Cyber Security.” By Check Point Software Technologies LTD.

Welcome to the Future of Cybersecurity. We take a look under the hood of today’s cyber crime world and show how this ecosystem remains a core part of the cyber threat landscape. Whether it is ransomware, banking trojans, keyloggers or cryptojackers, we look at what these malware types are and how they are now more accessible to potential cyber criminals due to Malware-as-a-Service (MaaS) services. This is the age of the democratization of cyber crime. For the full report just shoot us an email at info@technologyconcepts.com.

Prior to the year 2000, hackers were primarily one-man operations exploiting weaknesses in computer operating systems or networks. In most cases, these computer enthusiasts experimented and explored this new online network and challenged themselves to ‘beat the system.’ In fact, despite being early cyber criminals, rarely was their behavior financially motivated. While there was the potential for financial damage and security risks, the ‘one-man-hacker’ lacked the same motive and intent of the criminal gangs that were soon to follow.

After the Dawn
Not long after, once there were more people, websites and services available online, cyber criminals began to organize themselves and perfect their hacking techniques. Hardened criminal gangs soon realized that internet users saw it as safe, despite the technology being riddled with exploitable gaps and holes. Furthermore, the anonymity of the Internet served as a shield with far less risk of detection. Next, as shops and financial services moved online, vast amounts of financial data were transferred to cyberspace. And where money flows, criminals are never far behind, always on the prowl to steal anything of value.

In short, gangs introduced a professional element to the world of cyber crime. Nowadays we are no longer looking at curious amateurs exploiting weaknesses in computer operating systems, but rather organized criminal gangs infiltrating computer networks for financial gain.


Crucial to understanding the new age of cyber crime is the awareness that today’s cyber crime ecosystem is one that reflects and matches the legitimate world of business, albeit completely illegal.
The main roles in this underground economy break down into the following categories:
Programmers – develop malware to extort or steal data from potential victims.
Merchants – trade and sell the victim’s stolen data.
IT Technicians – build and maintain the IT infrastructure (servers, databases, etc.) for criminals.
Hackers – search and find vulnerabilities in systems, applications and networks.
Fraudsters – create and carry out new ways to scam and manipulate potential victims.
Hosting Services – provide hosting services for the criminal’s fraudulent content and sites.
Management – hire and form their cyber crime teams and manage the operation.

A Programmer’s Tool Box
At their disposal, programmers have a variety of malware types they can create. Named by the brilliant, late Israeli computer researcher, Yisrael Radai, malware are software programs with the purposefully malicious intent to act against the requirements of the computer user. The types of malware most commonly seen in the wild fall mainly into the following categories:

Spyware
Often referred to as ‘keyloggers’, spyware tracks and steals digital information while keeping the victim fully unaware of the situation. It is particularly interested in financial data such as credit card details and online banking login credentials.

Trojans
A Trojan Horse or Trojan is malware disguised as legitimate software. Users are usually tricked by some form of social engineering to execute a Trojan, whereupon the malware can be used to spy on the end user, steal sensitive data, or gain access to systems.

Viruses
Dating back to the 1970s, a computer virus is a contagious piece of code that infects software and then spreads from file to file within a system. When infected software or files are shared between computers, or on the Internet, the virus spreads to new hosts.

Ransomware
By locking down data on a victim’s computer, typically by encryption, ransomware demands payment sent to an attacker in order for the encrypted files to be released and computer access restored to the victim.

Botware
Botware’s goal is to turn the victim’s computer into a “zombie” that becomes part of a larger network of devices awaiting instructions from their controller to launch an attack. A distributed denial-of-service (DDoS) attack is a key example.

Cryptojackers
Cryptojackers intrusively use a victim’s computer to mine cryptocurrency and send it back to the attacker. They feed off the victim’s CPU power, which results in the victim’s computer slowing or even crashing.

In today’s cyber crime landscape, cyber criminals are no longer the ones with the direct technical capabilities for creating the malware that’s used in attacks. Nor are they necessarily the ones who need any know-how in distributing the attack. In fact, very little knowledge is required.

Instead, all a cyber criminal needs is access to the underground communication channels that act as the main marketplace for this ecosystem. There they will manage to “order” a malware or even a direct attack against a chosen target. This is the democratization of cyber crime.

The Dark Web
Making up a large chunk of the internet, the Dark Web is a hive of illicit activity. From illegal guns and drug dealing to Malware-as-a-Service (MaaS) programs, buyers and sellers use this medium to trade and exchange knowledge and products.

Hacking forums on the Dark Web have long been a popular platform and an important means of communication among cyber criminals. It allows them to publish job offers, market their products and consult with one another.

After all, large operations and campaigns cannot be carried out by one person and necessitate the recruitment of a team to share the workload. In other cases, these forums serve as places where malware and tools crafted for malignant reasons can be traded or sold to affiliates and generate revenue without the developer being directly involved in an attack.
The services offered online include malware kits, stolen data or even a package that contains malware ready for distribution together with a comprehensive management panel which allows unskilled hackers to easily track and control their infection rates and revenues. The different Malware-as-a-Service offerings available include the infamous AZORult, FileLocker and Kraken ransomware that made headlines over the past year. The authors of GandCrab ransomware even offer technical support and tutorial videos for their product.

However, the takedown of Dark Web marketplaces such as the Hansa Market and Alpha Bay in 2017 spawned the next stage in the cyber game of cat and mouse. Threat actors soon shifted to new channels to evade authorities. In fact, they quickly transitioned to the increasingly popular and highly secure mobile messaging app, Telegram, to pursue their trade.

Communication Channels
Telegram’s hosted chat groups, known as ‘channels’, are used to broadcast messages to an unlimited number of subscribers, and, while their entire messaging history can be viewed, any response to the public messages is held privately. The discretion these channels provide goes a long way to help conceal a cyber criminal’s identity and conversations.

Any threat actor with a shady skill, service, or product to offer or buy can enjoy private, end-to-end encrypted chats instead of exposed threads in online forums. If in the past several steps were required to ensure an anonymous connection to Tor, the Dark Web browser, today any Telegram user can easily join channels with a single tap on their phone and start to receive notifications of clandestine conversations or offers while keeping their identity completely hidden.
This has allowed for much easier completion of the first stage in organizing an attack – connecting with those who can help put it all together.

One region in which these shady channels are flourishing is Russia and some have already attracted thousands of subscribers. Such examples are ‘Dark Jobs’, ‘Dark Work’ and ‘Black Markets’, to name a few. In addition, some channels, such as an Iranian channel which goes by the name of ‘AmirHack’, can contain up to 100,000 members.

These channels are not restricted to just recruiters and job-hunters. They also run advertisements for the sale of stolen documents or hacking tools. This is especially worrying, considering the accessibility of the channels and the promise of high salaries made to those who might otherwise refrain from carrying out such activities.

As a result, this poses a risk of growth in cyber crime rates as these positions are not only openly marketed but they are also available to inexperienced users, making dangerous tools available to anyone.

Hacking Tools and Services
“Wanted for a dark project: Cryptor running on all systems from Windows XP to 10. Bypassing the top AV especially Avast and Defender”.

Next Generation Phishing Kits
One of the most advanced phishing kits, the ‘[A]pache Next Generation Advanced Phishing Kit’, is another example of how easily accessible, and yet highly damaging, tools are promoted and sold on the Dark Web. Allowing any aspiring cybercriminal with very little knowledge to run a professional phishing campaign, the notorious [A]pache Phishing Kit instructs those looking to steal credit card details by luring potential victims to fake shopping sites. At $100-$300, the cost of buying this advanced Phishing Kit was higher than more standard phishing kits. Standard kits usually retail at $20-$50, though some are even free; those, however, provide only login pages and prompts for personal and financial information. [A]pache’s next generation phishing kit, by contrast, provided threat actors with a full suite of tools to carry out their attack. These included an entire back-office interface with which they could create convincing fake retail product pages and manage their campaign.

In order to convincingly persuade their victims that they’re shopping at a genuine site, cyber criminals also need a domain that’s similar to the targeted brand, for example, www.walmart-shopping.com. These can also be obtained from illegitimate hosting services on the Dark Web. Once registered, a threat actor is ready to deploy the kit to a PHP and MySQL supported web host, log in to the kit’s admin panel and begin configuring their campaign. It’s really as simple as that. To simplify this set-up process further, [A]pache made a simple user interface within the admin panel where the threat actor could paste the product URL of the legitimate retailer and the product information would automatically be imported to the phishing page. Cyber criminals could then view their ‘products’ and change the original prices.
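Because the kit relies on a brand-lookalike domain such as www.walmart-shopping.com, defenders can screen newly seen domains (from DNS logs, certificate transparency or mail headers) for names that embed or closely misspell a protected brand. The following is an added example, not code from the report or from Check Point; the brand list, the legitimate-domain mapping and the sample domains are constructed for illustration, and the registrable-domain logic is deliberately naive.

```python
from typing import Dict, List, Optional

# Assumed brand -> legitimate registrable domain (constructed for this example).
BRANDS: Dict[str, str] = {"walmart": "walmart.com", "paypal": "paypal.com"}

# Constructed sample input, e.g. hostnames harvested from DNS or CT logs.
SAMPLE_DOMAINS: List[str] = [
    "www.walmart.com", "shop.walmart.com", "www.walmart-shopping.com",
    "wallmart.com", "paypal-secure-login.net", "example.org",
]

def registrable(domain: str) -> str:
    """Naively take the last two labels; a real deployment would use the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character misspellings such as 'wallmart'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> Optional[str]:
    """Return the brand a domain imitates, or None if it is the brand's own domain or unrelated."""
    reg = registrable(domain)
    second_level = reg.split(".")[0]
    for brand, legit in BRANDS.items():
        if reg == legit:
            return None               # brand's own domain; any subdomain of it is fine
        if brand in second_level:
            return brand              # brand name embedded, e.g. walmart-shopping.com
        if edit_distance(second_level, brand) == 1:
            return brand              # one-character misspelling, e.g. wallmart.com
    return None

def lookalikes(domains: List[str]) -> Dict[str, str]:
    """Map each suspicious domain to the brand it imitates."""
    return {d: b for d in domains for b in [classify(d)] if b}

if __name__ == "__main__":
    for domain, brand in lookalikes(SAMPLE_DOMAINS).items():
        print(f"{domain} looks like {brand}")
```

Flagged domains are candidates for review or blocking at the proxy and mail gateway; the substring and distance-1 checks are intentionally conservative so that a brand's own subdomains never trigger an alert.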

Bots for Rent
In 2018, the Malware-as-a-Service industry offered additional services.
Some of the year’s most prominent malware distributors, giant multi-purposed botnets, now offer their most valuable resources, their bots, for rent. This allows any actor to take part in high-scale global campaigns. For example, Emotet, originally a massive banking malware targeting European banking customers, has shifted its focus and now offers global packing and distribution services, leveraging its self-propagation capabilities. Ramnit, another prominent banking malware, demonstrated similar behavior with a single affiliate campaign, ‘Black’, which caused approximately 100,000 infections.

Ransomware Goes Agile
Due to the lack of knowledge required, as well as the ease of access and low cost of underground services, cyber criminals are more commonplace. Promoted on Dark Web hacking forums, the GandCrab Ransomware-as-a-Service affiliate program serves as a good example of how amateurs can now profit from the ransomware extortion business as well.

This model is very profitable for the malware authors and allows them to focus on malware development, while delegating the delivery stage to multiple distributors who buy or rent the product as part of an affiliation program.

As a partnership program, GandCrab lets its users keep up to 60% of the ransom revenues collected from victims, while its developers keep up to 40%. In exchange for these fees, the buyers receive the tools to initiate an attack and GandCrab’s creators offer support and updates to the ransomware itself. This essentially adds another incentive for affiliates to choose their Ransomware-as-a-Service over competing suppliers. According to our research, GandCrab has dozens of active affiliates (80+), the largest of which distributes over 700 different malware samples during any given month. As a result, within just two months GandCrab had infected over 50,000 victims and claimed an estimated $300-600K in ransom payments.

The Accessibility of Cyber Crime
As illustrated in our journey into today’s world of cyber crime, hiring services, accessing malware, and anonymously selling stolen data has never been easier. It has led to the proliferation of amateurs wanting to get in on the action. From a disgruntled employee to a bored teenager, anyone with a little capital and motivation can become a threat actor.
The convenience of encrypted channels like Telegram allows threat actors and those who wish to take part in cyber crime to communicate in a more secure manner. Sadly, although popular messaging applications have improved the security of user information over the years, they are also being abused by those fleeing from prying eyes, and the law.

In addition, Malware-as-a-Service provides everything a cyber criminal needs to get started and threatens modern organizations in two ways. It creates a demand for better, easier-to-use malicious programs, as malware developers seek to distinguish themselves from any competition. This leads to significant strides in the accessibility and sophistication of malware threats.

Furthermore, Malware-as-a-Service vastly increases the number of individual threats, as it empowers those who would not otherwise have the technical skills to create their own malicious programs. This effectively allows just about anyone to launch a cyber attack.

As a result, and together with the range of services and products now available in today’s cyber crime ecosystem, there is a myriad of opportunities to carry out cyber attacks. As the number of cyber criminals rises due to the low technical barrier to entry, the number of cyber attacks on both organizations and individuals is growing accordingly.

To find out how to mitigate your corporate risk just contact us for a security consultation. We partner with Check Point and other security software companies to find the best solution for you. Check Point’s technology is reshaping the security landscape, and helping companies and individuals secure and manage their most critical data.