A new report from Flashpoint shows the evolution of cyber-criminals' communication strategies, tactics and tools. The research found that cyber-criminals are highly collaborative, much more so than the organisations they are targeting.
The study tracked the communication strategies and preferences of cyber-criminals and actors across Russian, Spanish, French, Arabic, Chinese, Persian/Farsi and English-language cyber-crime communities and how they've evolved from 2012 to 2016.
Regardless of their language, skills, location or affiliation, cyber-criminals tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing and even mentorship.
Skype is by far the most frequently mentioned messenger across the analysed cyber-crime communities. Microsoft's bundling of Skype with its devices likely played a significant role in the popularity of the application. Other messengers evaluated in the study include ICQ, Jabber, PGP, AOL Instant Messenger, Telegram, WeChat, QQ, WhatsApp and Kik.
Skype use was highest across the English-language criminal underground from 2012 to 2016, but more recently it has surrendered control to Jabber, ICQ and Kik Messenger.
Leroy Terrelonge III, director of Middle East, Africa and the Americas research at Flashpoint, compiled the report and told SC Media UK why Skype would be so popular even among elite cyber-criminals. A couple of possible reasons are: “The network effect — criminals don't want to have to download a different platform for every person they interact with and sometimes must resort to the lowest common denominator to enable communication. Given Skype is ubiquitous, it is a good stand-in.” Also, “the cyber-criminal community contains people who are technologically sophisticated and others who are ‘talented’ criminals but may not be the most adept at using technology. Those who are less tech savvy may not be as aware about the importance of using secure communications and may be unfamiliar with them.”
When choosing a messaging service, cyber-criminals are influenced by a combination of factors that can include ease of use, the dominant communication medium for the country and/or language group and security and/or anonymity concerns.
Cyber-criminals across the language communities moved from discussing messaging services with fewer encryption and anonymity protections to more sophisticated applications with these protections built in. Jabber, Telegram and WhatsApp services have become more popular in underground forum discussions over the past few years.
The shift in interest toward encrypted communication may be explained by various factors, including:
Revelations of NSA surveillance
The proliferation of encrypted communications apps following Edward Snowden's leaks
Information sharing by connectors in more sophisticated underground communities who have transferred their knowledge of secure communication practices to less-sophisticated communities
Russian-speaking cyber-criminals are known for their prowess and are considered the most innovative and sophisticated actors in the global cyber-crime ecosystem. Actors from other language communities often imitate Russian cyber-criminals in an attempt to raise their own levels of competency.
The report also noted that cyber-criminals are consumers too, meaning they're not all savvy shoppers. We think cyber-criminals are supposed to be sophisticated in terms of the tools they use; however, many choose platforms based on convenience and follow the general public.
Terrelonge noted one observation in the findings which was contrary to his intuition. “Given their complicity in criminal behaviour and their relative technical sophistication compared to the general public, I expected that cyber-criminals would have already been using/discussing the most secure forms of communication already in 2012. Instead, they appear to have been affected just as much as the general public and migrated to secure platforms when these issues became mainstream and apps that made it easy were introduced.”