This is how cyber crooks meet and plot their scams

Web forums and some more standard communications services are being used by online criminals to organize their activities.
Written by Danny Palmer, Senior Writer


The world of cybercrime increasingly resembles the standard business world, made up of many illegal schemes that depend on groups of specialists working across various projects.

Those teams might include malware developers, spammers, botnet masters, payment card specialists, and more. The traditional meeting place for these specialists has been, and continues to be, online messaging boards or web forums.

"In many ways, these forums are the beating heart of the cybercrime economy," said Leroy Terrelonge, senior intelligence analyst at Flashpoint, which has published a study on how cybercriminals communicate.

Once criminals have met, they often move their communications outside of the forum for a number of reasons -- even if the forums have native private messaging platforms.

One reason for that is criminals can never be quite sure exactly who is controlling the forum, and as these boards are often taken down, moving the conversation to another channel means they are better able to maintain access to logs of their previous communications.

While these communities might be viewed as advanced and stealthy, deploying secretive messaging and using encrypted tools to communicate with one another, members are often just like any other average internet user or enterprise employee, turning to freely available and simple tools in order to help get the job done.

Indeed, Flashpoint's four-year analysis of the evolution of cybercriminal communications strategies, tactics, and tools reveals that Skype -- the Microsoft-owned instant messaging and video calling app embedded into many Windows products -- is the most commonly used communications tool among cybercriminals.

Researchers conducted the study by monitoring mentions of social media platforms and messaging tools in various underground forums, particularly mentions made by those interested in financially motivated cybercrime.

Skype accounted for almost two-thirds of instant-messaging services mentioned in English-speaking forums during 2016, for around one-third of mentions in Russian and Arabic-speaking online communities, and for about 15 percent of mentions in Spanish outlets. Skype also features as one of the top five messaging services mentioned in the French, Persian, and Chinese language groups.

Terrelonge said Microsoft's bundling of Skype with its devices has likely played a large role in the application's popularity.

But Skype isn't the only tool in town and there are other social media platforms which are commonly used across the globe -- with one in particular featuring regularly across almost all the language groups: Jabber, an open-source platform which has been incorporated into social networking, instant messaging, VoIP, file transfer services and more.

Cybercriminals are increasingly drawn to Jabber because, much like Skype, it's free, while the decentralized, open-source nature of the technology means it's easy for anyone to run a Jabber server.

ICQ -- the instant messaging service which has existed since 1996 -- also features heavily, accounting for around one in five mentions of social media platforms on Russian forums and over half of mentions in Spanish-speaking communities.

The service has expanded on its humble roots to incorporate video messaging and is now owned by Russian group Mail.Ru; ICQ is a popular communications platform in Russia and Eastern Europe.

"The service's heavy use in the cybercrime ecosystem is likely due to the prominence of Russian-speakers in financially-motivated cybercrime activity, as well as the desire for speakers of other language communities to interact with and learn from these actors," says the report.

ICQ barely registers as a messaging tool in much of the world, but Flashpoint notes a rise in ICQ use across the four-year period of the analysis, which it attributes to Russian influence in the underground -- especially as the technology doesn't offer end-to-end encryption like other platforms do.

"Given that there is no security rationale for increased mentions of ICQ, the most plausible explanation is criminals' desire to model themselves more closely to Russian-speaking criminals or adopt the technology to facilitate communication with Russian-speaking actors," says the report.

No matter what the chosen tools of a cybercriminal group might be, they're ultimately deploying them for the same reasons as a regular business deploys collaboration tools.

"Regardless of their language, skills, location, or affiliation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship. Such activities necessitate consistent access to reliable means of communication," says Flashpoint.

