As Threat Actors Continuously Adapt their TTPs in Today's Threat Landscape, So Must You
Earlier this year, threat researchers at Cybersixgill released the annual report, The State of the Cybercrime Underground. The research stems from an analysis of Cybersixgill's collected intelligence items throughout 2022, gathered from the deep, dark and clear web. The report examines the continuous evolution of threat actors' tactics, tools, and procedures (TTPs) in the Digital Age – and how organizations can adapt to reduce risk and maintain business resilience.
This article summarizes a few of the report's findings, including trends in credit card fraud, observations about cryptocurrency, AI developments and how they're lowering barriers to entry to cybercrime, and the rise of cybercriminal "as-a-service" activities. Further below, I also discuss the need for a new security approach, combining attack surface management (ASM) and cyber threat intelligence (CTI) to combat threat actors' ever-changing methods. The full Cybersixgill report is available here.
1 — Credit card fraud is (mostly) on the decline
Credit card fraud has been a common and frequent threat used by underground cybercriminals for many years. But several recent developments are slowing the tide and significantly reducing credit card fraud incidents. More recently, we've seen a significant decline in compromised credit cards for sale on illicit underground markets. For example, in 2019, dark web markets listed approximately 140 million compromised cards for sale. The number declined to around 102 million in 2020 and plummeted again by another 60% to almost 42 million cards in 2021. Finally, in 2022, this total plunged again to only 9 million cards. The significant decline in credit card fraud is due mainly to the following:
- Improvements in authentication and fraud prevention – Banks and financial institutions are using advanced authentication and "passwordless" methods that make it harder to compromise a card, such as biometric authentication (e.g., fingerprints and face recognition), as well as PINs, EMV chips, and multi-factor authentication (MFA).
- Real-time fraud detection – Implemented primarily by credit card companies, real-time fraud detection systems that use machine learning algorithms to analyze user behavior, spending patterns, and geolocation data can identify anomalies or suspicious activity. Once a transaction is flagged as suspicious, the issuer might demand additional types of verification, such as asking a security question or sending an SMS verification, making it more challenging for fraudsters to use stolen cards.
- E-commerce security improvements – Since 2021, e-commerce sites have been using more robust security measures, such as two-factor authentication (2FA), address verification systems, and secure payment systems adhering to PCI DSS, making it harder for cybercriminal threat actors to steal credit card data from consumers.
2 — Cryptocurrency: a tool and a target
A hallmark of cryptocurrency is that it's decentralized, allowing users anonymity and privacy. No surprise, then, that cryptocurrencies are the payment method of choice for cybercriminals to purchase illicit goods and services, launder proceeds from cyber attacks, and receive ransomware payments. As cryptocurrency has gained broader adoption for legitimate purposes, it's also become a target for threat actors, presenting new opportunities for "crypto-jacking," digital wallet takeovers, crypto-mining, and siphoning digital assets from crypto exchanges.
Even with the fallout from the 2022 crypto crash, crypto's value among cybercriminals has only increased. As revealed in our report, we saw a 79% increase in crypto account takeover attacks in 2022. (Ultimately, cybercriminals use crypto to move money, not make money. While transactions on the underground are consummated in cryptocurrency, prices are listed in dollar value.) Yet, threat actors may ultimately abandon cryptocurrencies if investors continue to pull out due to the market's volatility, as fewer crypto users make it easier for law enforcement to track illicit transactions and for legislators to enforce stricter regulation. We are continuing to watch this space to see how it evolves.
3 — Democratization of AI
In less than a year since it first arrived on the scene, cybercriminals continue to show great enthusiasm for ChatGPT - as well as other newly released AI tools - and its promise as a force multiplier for cybercrime. With its ability to emulate human language for social engineering and even automate the development of malware code, with the right prompts and guidance, threat actors can streamline the entire attack chain. ChatGPT allows novice and less sophisticated cybercriminals to carry out malicious acts faster, with relative ease. As discussed in our report, AI technology is making cybercrime more accessible and lowering the barrier of entry by enabling threat actors to quickly write malicious code and perform other "pre-ransomware" preparatory activities.
4 — Commercializing Cybercrime with As-a-Service Offerings
The as-a-service business model is increasing, given its ability to help cybercriminals commercialize their expertise and scale operations. By purchasing sophisticated hackers' services, infrastructures, or tools, threat actors can outsource the groundwork required to launch a cyberattack with minimal effort. Especially concerning is the continued rise of Ransomware-as-a-Service (RaaS). The RaaS business model operates much like a modern business, whereby ransomware developers and operators lease out their ransomware technology and infrastructure to a network of lesser skilled 'affiliates' for distribution in return for a cut of the ransom extortion profits, thereby scaling their operations. This as-a-service offering makes the extortion business accessible and profitable to a larger pool of cybercriminals – driving the rapid increase in ransomware attacks year over year.
ASM and CTI: A Powerful Cyber Weapon Against Underground Cybercrime
Every connected asset within an organization's sprawling attack surface presents cybercriminals with a potential entry point for attack. Today, protecting the expanding organizational attack surface with cyber threat intelligence alone to evaluate exposure is a near impossible task. The modern attack surface is increasingly external, extending beyond the known network perimeter to include a vast ecosystem of unknown assets from cloud-based resources, connected IPs, SaaS applications, and third party supply chains. As a result, most organizations suffer from major blindspots into their complete attacker-exposed IT environment, while struggling with overwhelming quantities of cyber threat intelligence data. To effectively defend against cyber threats, security teams need complete visibility into their unique attack surface and real-time insight into their threat exposure.
Embedded with our native, market leading Cyber Threat Intelligence (CTI), Cybersixgill's Attack Surface Management (ASM) solution eliminates visibility blindspots by automating the discovery of the unseen. With this combined solution, we continuously discover, map, scope and classify unknown networked assets that could expose your organization to risk, monitoring your complete asset inventory in real-time across the deep, dark and clear web. The integration of ASM refines our market-leading threat intelligence to focus on each organization's specific attack surface, delivering the earliest possible warnings of emerging threats targeting their business. With full visibility into organizational threat exposure, security teams can confidently prioritize their efforts and resources where they are needed most, dramatically accelerating Mean Time to Remediate (MTTR).
Given the ever-expanding threat landscape of the Digital Age, the ability to identify the highest priority risks facing their organization and focus their efforts accordingly offers tremendous benefits to resource-constrained security teams.
For more information, please download The State of the Cybercrime Underground.
To schedule a demo, visit https://cybersixgill.com/book-a-demo.
Note: This article was expertly written and contributed by Delilah Schwartz, Security Strategist at Cybersixgill.