A guided tour of the cybercrime underground

February 23, 2017

One of the strange features of cybercrime is how much of it is public.

A quick search will turn up forums and sites where stolen goods, credit cards and data are openly traded.

But a glance into those places may not give you much idea about what is going on.

“Everyone can join as long as you speak Russian,” said Anton, a malware researcher at security firm SentinelOne, who has inhabited this underground world for more than 20 years.

“By Russian I mean the USSR, so there are Ukrainians, there is Kazakhstan, there is Belarus. The Romanians are doing all the dirty work like spam and maintenance so they are not really involved in developing malware,” he said. “But, today, is it mainly Russian? Yes.”

Those vibrant underground marketplaces have a long history and Anton adds that he tracks the malware makers to gain insights into what they might do next.

“I was there from the very early stages,” Anton told the BBC. “I guess I started at about the age of 12, when there was not much online community.

“Instead it was many channels where hackers exchanged information and exploits and kind of stuff like that,” he said.

In those early days few wanted to break the law, he said.

“Back then there was not much money involved at all,” he said. “It was only about sharing knowledge, sharing information, sharing various scripts or downloading warez – which is pirated content.”


Tony Rowan is chief security consultant at SentinelOne, which employs Anton to log what happens on crime forums and dark web marketplaces.

“It gives us an insight into the directions these communities are taking.

“We have to monitor these to understand what they are doing, the success they are having and what they are about to do next.

“You have to be prepared rather than just sit back and wait for it to happen to you. It’s essential for us to have this kind of contact because without it we are blind.”

Rick Holland is strategy head at security firm Digital Shadows, which tracks online hacker groups.

“There’s a lot of criminality going on on the open web, particularly when you get into the Russian federation. They do not need to be on the dark web. Some are quite brazen and quite public whereas others have a much higher level of operational security.

“If we are tracking a criminal location and we find chatter about our clients that can be of value,” he said. “In the longer term it’s what’s coming over the horizon. What are they dialling up next?

“It’s not trivial to do something like that, it’s definitely not easy to do although I think there’s definitely value in working out what they are doing.”

The underground changed after the millennium turned and e-commerce took off. Forums popped up that talked about how to cash in via spam, phishing, malware and web attacks.

There was another big shift in 2007-08, said Anton, as the criminals sought a way to fleece people that gave better returns than the cruder techniques. The first wave, which started the modern era of cybercrime, used fake anti-virus software.

“They installed some really, really poorly written software on your machine,” he said, explaining the scam. “It looked like anti-virus but it actually does nothing.

“It tells you: ‘We just scanned your PC and we have found many problems. You need to fix it now, you need to buy this software. It only costs $35-40 (£28-32)’,” he said.

This worked better than earlier scams, said Anton, but it took a lot of effort to catch people out and get them to pay.

Often, he said, when people paid via a credit card they reversed the transaction once they found out they had been tricked. Conversion rates, meaning the number of victims who handed over cash, stayed low.

“This meant they must do something better, something more scary.”

Frightened people pay up, said Anton, adding that this drove the next evolution: lockers.

“What they do is they attack your browser and put up a big page on your main desktop, saying you were found with illegal child pornography or something very, very scary,” he said.
