Underground Forums: Tactics used by cybercriminals to restrict access
Data breaches are increasing in frequency and severity. Following a data breach, most companies have protocols in place to contain the breach, assess the damage, and tighten their security to ensure the incident is not repeated. While this is a standard process for organizations to go through, would you be surprised to learn that cybercriminals do the exact same thing when their underground forums are revealed or exploited?
As the threat landscape evolves, threat actors and their tactics evolve alongside it. Many cybercriminal operations are now run as efficiently as businesses, and restricted underground forums or marketplaces are used to share tactics, trade stolen data, or advertise new tools for cyber-attacks.
Check out our exclusive report on one of these underground markets: “Buying Bad Bots Wholesale: The Genesis Market Report”
Previously, threat intelligence teams and law enforcement agencies were able to go undercover on these underground markets and forums to gain further insight about criminal tactics and warn companies or apprehend cybercriminals before any cyber-attacks could be carried out. As a result of this, threat actors have started to safeguard these dark web forums, much like a business would following a data breach, and are putting obstacles and strict rules in place to make it much more difficult for the authorities or threat intelligence researchers to gain access.
Tactics used by cybercriminals on some of the most heavily restricted underground forums
Underground communities of cybercriminals on the deep web use several tactics to keep law enforcement and threat intelligence researchers out of their underground forums. Below are some of the tactics Netacea’s Threat Research team has come across when trying to gain access to dark web forums.
Providing proof of cybercriminal activity
Some online forums are asking prospective members to provide ‘proof’ of online criminal activity before being granted access to the forum. For example, underground forums for hackers may ask for proof of previous successful hacking attempts, or involvement with previous data breach attempts. Access to these underground forums is only granted following sufficient evidence of such activity.
Length of membership
When law enforcement or threat research teams gain access to these dark web forums, they are usually looking to gather information quickly or need answers immediately. The problem, however, is that many of these underground forums restrict the information members can see, granting additional access only to members who have been active on the forum for a certain period, for example two years.
This makes it much more difficult for those attempting to go undercover to gather evidence because they are not able to gain immediate access to all information on the forum. Additionally, many people going undercover on the dark web have several sock puppet accounts or have to change their alias frequently to avoid detection from genuine threat actors – meaning they will never be on the forum long enough to access the desired information.
Member invite codes
Gaining access to additional information is not the only benefit long-standing members of underground forums are given. Individuals who have been members of underground forums for a certain length of time, or who have provided a certain amount of valuable data to the forum, are provided with ‘invite codes’ by the admins. This allows them to share these codes with known accomplices or other cybercriminals to gain instant access to the forum – bypassing other security measures in place.
As with any digital codes – whether they are discount codes or gift cards – sometimes these invite codes are leaked, allowing access to anyone who finds them, including law enforcement or threat intelligence teams. Just like in a business, these dark web forums are often heavily guarded and monitored by admins 24/7; when one of the invite codes is used, admins are usually able to confirm with the member who was initially given the code whether access was granted legitimately, or whether someone has gained access using a leaked code. Admins, like cybersecurity teams within a business, are quick to spot illegitimate access to their forums and can ban or block access to people they believe to be using the forum to gather intelligence rather than use the information for cyber-criminal activity.
This means that any law enforcement agencies, or threat intelligence researchers who do gain access to these dark web forums via leaked invite codes, often do not have access for long periods of time and need to gather information quickly before their access is withdrawn.
Disposable links
Links to these underground forums on the dark web are now being sent as ‘disposable links’. This means that once one person has clicked on the link, the link deactivates and the content behind it is deleted, so there is nothing left for the link to point to. Any further attempts to click on the link, even from the original user, will no longer reach the online forum.
An example of a service that creates such disposable links is ‘Privnote’. To give an example of how these disposable links work, I wrote myself a note and sent myself the link.
When clicking on the link, the Privnote platform made me aware that if I were to view the note it would immediately be destroyed.
By clicking “Yes, show me the note” I was able to see the message I had written to myself.
After closing the window and attempting to click on the link again, I was met with a message stating that the note had already been destroyed.
Privnote is an extremely easy platform to use. The above example highlights the ease with which cybercriminals can create disposable links, covering their digital footprints and stopping law enforcement or threat researchers from gaining access to web forums, even if they happen to come across an access link.
Membership fees
Some underground forums ask prospective members to pay a fee to gain access. These fees are often for extortionate amounts of money – regularly upwards of £3000. For cybercriminals who know they will be making a profit from the information gained on the forum, these fees are simply part of their ‘business expenses’, and prospective members are usually happy to pay knowing they are likely to make more money in return. For those who are using such forums to gather threat intelligence, however, this is a huge financial blow, and many will be reluctant to hand this money to people who are known threat actors.
Expiring links
Similar to the disposable links above, cybercriminals can create links that expire after a certain amount of time. The expiration time on these links is usually adjustable. The links could expire after 30 seconds, or even after 30 days – either way the race is on for law enforcement officials and threat research teams to find these links before time runs out.
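To make the mechanics of the disposable links and the expiring links described above concrete, here is an added example (not code from the original article, and not Privnote's own implementation) of a minimal burn-after-read link store. It is written in Python with an injectable clock so the expiry behaviour can be exercised without waiting; the token length, the `https://example.invalid/n/` base URL and the in-memory dictionary are assumptions for illustration only, and the note bodies used in the test are constructed sample data.

```python
import secrets
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class _Note:
    body: str
    expires_at: Optional[float]  # absolute timestamp; None means no time limit


class DisposableLinkStore:
    """One-time, optionally time-limited links (constructed example).

    Two properties matter for the threat model in the article:
      * the token is 256 random bits, so a link cannot be guessed or enumerated;
      * a token is removed from the store on its first use, so the second click
        (even from the original recipient) finds nothing.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._notes: Dict[str, _Note] = {}
        self._lock = threading.Lock()  # make the 'pop on first read' atomic
        self._clock = clock

    def create(self, body: str, ttl_seconds: Optional[float] = None) -> str:
        """Store a note and return its one-time token."""
        token = secrets.token_urlsafe(32)  # 32 bytes -> 43-char URL-safe token
        expires_at = None if ttl_seconds is None else self._clock() + ttl_seconds
        with self._lock:
            self._notes[token] = _Note(body, expires_at)
        return token

    def link(self, token: str, base: str = "https://example.invalid/n/") -> str:
        """Build the link a recipient would be sent (base URL is hypothetical)."""
        return base + token

    def open(self, token: str) -> Optional[str]:
        """Return the body on first use, None on reuse, unknown or expired token.

        pop() both looks up and deletes under one lock, so two simultaneous
        clicks cannot both succeed; an expired note is discarded rather than shown.
        """
        with self._lock:
            note = self._notes.pop(token, None)
        if note is None:
            return None
        if note.expires_at is not None and self._clock() > note.expires_at:
            return None
        return note.body

    def purge_expired(self) -> int:
        """Drop time-limited notes nobody opened; returns how many were removed."""
        now = self._clock()
        with self._lock:
            dead = [t for t, n in self._notes.items()
                    if n.expires_at is not None and now > n.expires_at]
            for t in dead:
                del self._notes[t]
        return len(dead)


if __name__ == "__main__":
    store = DisposableLinkStore()
    tok = store.create("constructed forum address", ttl_seconds=30)
    print("send this:", store.link(tok))
    print("first click :", store.open(tok))
    print("second click:", store.open(tok))
```

Because `open()` deletes the entry before checking expiry, a stale link also disappears on first contact, which mirrors the "race against the clock" the article describes: whoever reaches the link first, and within its lifetime, is the only one who ever sees the destination.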
What impact are the tactics restricting access to underground forums having?
The tactics that threat actors have in place to limit access to their underground forums are causing a lot of problems for law enforcement and threat intelligence. As gaining access to these forums becomes increasingly difficult, cybercriminal activity remains under the radar for longer, meaning new threats or cyber-attacks go unnoticed until it is too late.
Additionally, the increased use of disposable links means that many cybercriminals are no longer leaving an obvious digital footprint. Again, this makes it difficult for law enforcement agencies to keep track of cybercriminals, allowing them to continue engaging in malicious activity whilst evading detection for longer periods of time.
In some ways, cybercriminals might even have an advantage when it comes to safeguarding their forums. Following a breach, companies are restricted in how they deal with the situation by the policies in place and the requirement to abide by the law. Cybercriminals, however, are not bound by these policies and have more freedom to do as they please, meaning they could potentially evolve and grow at a quicker pace than the companies they are attempting to breach.
Moving forwards, this problem is only going to get more difficult. As those gathering threat intelligence find ways around these tactics, cybercriminals will invent new ways of protecting their underground forums, resulting in an arms race between cybersecurity and cyber-attacks.