NAFCU Services Blog

Jan 29, 2020

Cybercriminals Are Operating in the Open, Not Just Trolling the Dark Web

By Matthew Heath, Sr. Threat Intelligence Analyst, Worldpay from FIS

While the dark web is a valuable tool for cybercriminals to conduct business, many other portions of the internet are leveraged for the same purpose. Cybercriminals use critical modern data networks to share information, collect data, and sell their wares, but there’s a lot more to it.

We monitored and broke down a cybercriminal’s activity, and found that they traversed the internet, deep web, and dark web nearly continuously throughout their day. Upon further investigation, we found the bulk of their time was spent on the internet (39%) and deep web (43%); just the remaining 18% was spent on the dark web.

A Day in the Life of a Cybercriminal

Consider the three most common pillars of the criminal underground: dark web forums, messaging applications, and black market shops. It’s interesting to find that they operate relatively out in the open. These pillars span the networks but rely heavily on the deep web and dark web.

Forums include message boards in which cybercriminals share information, strategies, and tools. They also use these to market their wares to other users. This advertising may lead to discussions in messaging applications in order to work out business deals or focus on discussing additional, detailed tradecraft. It may also lead potential customers to black market shops to trade applications (malware), goods (data, credit cards, usernames/passwords, etc.), or other illicit content (i.e. drugs, contracts, etc.).

What is particularly interesting is the high-quality customer service many of these black market shops provide via messaging applications for troubleshooting issues with purchases and supporting their customers. These practices are not so different than what can be found in legitimate business practices.

Where are these cybercriminals? Many are operating in countries that don’t have extradition agreements with the United States. Historically, these have been users in the former Soviet Bloc, with increasing cybercrime activity in China, Iran, and Vietnam. While these attackers may not be sponsored by their governments, many of these governments have no reason to stop such attacks that have the potential of destabilizing the American economy.

Businesses have leveraged technology and changed their practices to help curb the negative effects of these crimes. For example, more than 60% of the credit unions polled during our webinar stated that they reissue compromised cards to support newer technologies such as EMV; and half of respondents stated that EMV changed their reissue strategy.

Companies and partners are taking more active roles in monitoring the dark web or offering services to protect consumers from cybercriminals. As we move further into the digital age, continue working with your security departments to monitor the web for potential exploits against not only your organization, but also your partners. Identify the tactics being used and adjust accordingly. It’s highly likely that future fintech solutions will develop from cooperation across the industry instead of multiple individual companies, because criminals will continue to evolve, making continuous defensive improvements costly.

Credit unions’ dark web efforts should focus on the tactics and tools cybercriminals use, because locating them is mostly useless and bringing them to justice futile. Instead, reverse engineer their methods to create defensive and proactive solutions.

About the Author