Highlight from Cybersixgill’s State of the Cybercrime Underground 2023 Report

Introduction

According to Cybersixgill, each day they collect approximately 10 million intelligence data from the deep, dark, and clear web. Thereby, tracking the pulse of the underground and monitoring evolving changes over time as threat actors adapt new tactics, tools, and procedures in leveraging new opportunities and obstacles in the cyber threat landscape.

Topics addressed include: Trends in credit card fraud, Cryptocurrency observations, The use of messaging platforms in the underground, How AI developments are impacting the barriers of entry to cybercrime, The evolution of initial access broker markets, The rise of cybercriminal “as-a-service” activities, Ransomware trends.

Credit card fraud

Credit card fraud is one of the most concerning threats emanating from the cybercriminal underground. Threat actors have transacted millions of compromised cards in the deep, and dark web’s “carding” markets. However, the following activities have significantly reduced credit card fraud incidents:

• Improved Authentication & Fraud Prevention
• Real-Time Fraud Detection
• Improved Security on e-Commerce Sites
• Law Enforcement Crackdown

Prices of Credit Cards

The prices of compromised credit cards remained reasonably consistent. The average monthly price of cards with CVV (used in online purchases) ticked up from $11.89 in 2021 to $12.21 in 2022. Meanwhile, the average price of dumps (used to produce physical clones) declined from $15.86 to $14.32.

Compromised Credit Cards by Country

The US has always been the undisputed leader in compromised cards, its share dropped from 58% in 2021 to 49% of all cards in 2022. This could be attributed to better measures in fraud prevention and detection by US card issuers. However, in a year in which the number of cards decreased across the board, the number of cards from the United Kingdom rose, from 880,106 in 2021 to 986,396 in 2022.

Cryptocurrency – a tool and a target for cybercrime

Over the past few years, cryptocurrency is no longer a tool, but a target for cybercriminals. Creating new opportunities for financial fraud through crypto-jacking, digital takeovers, crypto-mining, and siphoning digital assets from crypto exchanges. Many consumers don’t monitor their accounts as a result of the plummet of digital wallets, leading to account takeover attacks. The proliferation of stolen wallets and crypto exchange accounts across deep and dark web marketplaces also presented new opportunities for crypto-enabled cash-out schemes to launder or move illicit funds.

Deep Web vs Dark web platforms

Unlike in the past where most threat actors carry out their operations on the dark web alone, in recent times, cybercriminals leverage encrypted messaging platforms including Telegram, Discord, QQ, etc. to collaborate and communicate, trade tools, stolen data, and services. These encrypted messaging platforms provide additional features to cybercriminals such as built-in automated functionalities, turning the apps into an out-of-the-box C2.

The democratization of AI

At the launch of ChatGPT late last year, cyber criminals were excited about ChatGPT’s promise as a force multiplier for cybercrimes. Following the launch, deep and dark web malicious threat actors meeting hubs were inundated with posts discussing various ‘get rich quick’ schemes monetizing the outputs from ChatGPT. TAs claimed their ChatGPT-enabled techniques could fetch $500 per day through schemes such as:

• Fraudulently obtained freelance work
• Scripts to automate commands for manipulated dice-rolling, gambling, and betting on line casinos and sports betting platforms
• Cheating in online video games to accumulate in-game currency
• False-click generation on affiliate marketing links

Initial Access Brokers (IAB) Markets

As ransomware actors seek to reduce the downtime of obtaining initial access, they have decided to outsource it. This has made Initial Access Brokers capitalize on the high demand for outsourced access, creating a lucrative new market within the underground economy. The IAB market gained relevance as initial access is one of the most time-consuming components of the attack chain, requiring time, energy, and resources to:

• Evade a network’s outer defense successfully
• Infiltrate vulnerable entry vectors
• Extend access through lateral movement and privilege escalation
• Gain access to the entire enterprise system

Ransomware as a service

In the cybercrime enterprise, threat actors monetize their expertise, selling prepackaged, off-the-shelf kits and as-a-service offerings for different stages of the attack chain. Ransomware-as-a-service has made its operation accessible and profitable to a wider range of cybercriminals and democratised access to high-quality malware and infrastructure.

Ransomware trends

In 2022 the largest three ransomware groups (REvil, Lockbit and ALPHV) accounted for 55% of all ransomware attacks, which is a significant increase from the 39% accounted for by the largest three groups in 2021.