
The Smuggler’s Threat: Invisible Thieves


Image: Malware detection warning screen (James Thew / Adobe Stock)

Cybercrime comes in many different forms, most of which are financially oriented. Scammers, phishers, and malware operators are the most visible, but there are several other profiles in the cybercrime economy that play an important and very discreet role: traffers.

A new report from Sekoia sheds light on traffers’ activities.

What is a traffer?

Traffers – from the Russian “Траффер,” also known as “workers” – are cybercriminals responsible for redirecting Internet users’ traffic to the malicious content they operate, most of which is malware.


Traffers are often organized into groups and compromise websites to drive traffic and redirect visitors to malicious content. They can also build their own websites that serve the same purpose. As revealed by Sekoia researchers who have been following Russian-speaking cybercrime forums, the traffer ecosystem is made up of both highly skilled and newcomer profiles, which makes it a good entry point for beginners in cybercrime.

In particular, the underground forum “Lolz Guru” shows a continuous creation of new traffer groups: each month in 2022 saw between five and 22 new traffer groups (Figure A).

Figure A

Image: Sekoia. Number of new traffer groups created every month on the Russian-speaking cybercrime forum Lolz Guru.

Once created, a traffer group can grow and reorganize, merge with other groups, or start from scratch, which makes it difficult to gauge the lifespan of traffer groups. One admin of such a group pointed out that it cost him $3,000 to build a traffer team of 600 people before selling it. A traffer group called “Moon Team” was valued at $2,300 in May 2022.

The typical organization of such a group is quite simple: One or several administrators lead the traffers, but they also handle the malware licensing and the analysis and sale of the logs collected by the traffers (Figure B).

Figure B

Image: Sekoia. Organization of a typical traffer team.

How do traffer groups operate?

The main activity of traffers consists of redirecting Internet users to malware, 90% of which are information stealers. The information stolen by this malware can be valid credentials for online services, mailboxes, crypto wallets, or credit card information. All of this stolen data is referred to as logs.

The administrators of the group sell those logs to other cybercriminals, who exploit this data for financial gain.

Administrators are also responsible for sourcing the malware they need, purchasing licenses from the malware developers, and distributing it to the team.

Administrators also provide their team members with a set of tools containing various resources:

  • Constantly updated, ready-to-use malware files (also known as “malware builds”).
  • A crypter tool or service, needed to encrypt or obfuscate the malware files.
  • A user manual and guide for traffers.
  • Search engine optimization services to improve the visibility of, and the number of connections to, their infrastructure.
  • A Telegram channel for easy communication between team members.
  • Telegram bots to automate tasks, such as sharing new malware files and generating statistics.
  • A dedicated log analysis service to ensure that the logs sold by the administrators are valid.

Once recruited, traffers obtain the malware files and distribute them via redirections from compromised websites. They are paid based on the quality and quantity of the information gathered by the malware they deploy.

Traffers are often challenged in competitions organized by the administrators. Winners receive extra cash and access to the pro version of the membership, which allows them to use a second malware family and get better services and bonuses.

Each traffer uses their own distribution chain, as long as it complies with the group’s requirements.

According to Sekoia, common distribution methods include websites masquerading as blogs or software installation pages, and the delivery of password-protected archives to avoid detection. Experienced traffers seem to have very good knowledge of advertising platforms and manage to promote their websites through such services. The disadvantage of this distribution method for the attackers is that it is often mass-oriented, and is therefore detected more quickly than other distribution methods.

The 911 infection chain

Most of the traffer groups monitored by Sekoia actually use a method called “911” on underground forums.

It consists of using stolen YouTube accounts to distribute links to malware controlled by the traffers. Traffers use these accounts to upload videos that lure visitors into downloading a file, disabling Windows Defender, and executing it. In most cases, the video is about cracked software: it explains how to proceed and provides links to tools that supposedly install cracked software, generate license keys, or enable cheating in various video games. Once executed, those files infect the computer with malware.

The malware is often hosted on legitimate file services such as Mega, Mediafire, OneDrive, Discord, or GitHub. In most cases, it is a password-protected archive containing the stealer malware (Figure C).

Figure C

Image: Sekoia. The 911 infection chain used by traffers.
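From a defender’s side, the 911 chain leaves a recognizable sequence on the endpoint: an archive downloaded from one of the file services named above, Windows Defender real-time protection switched off, then a new process launched from a user-writable folder. The following is an added example (not Sekoia’s code or data) that correlates those three stages over constructed telemetry lines; the field layout, the `defender` event wording and the 30-minute window are assumptions.

```python
"""Correlate the three stages of the '911' chain per host.
Constructed sample telemetry, not real logs: ts|host|kind|detail."""
from datetime import datetime, timedelta

# File services the report names as hosting the password-protected archives.
FILE_HOSTS = {"mega.nz", "mediafire.com", "onedrive.live.com",
              "cdn.discordapp.com", "github.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
# Folders a lured user typically extracts and runs the archive from (assumption).
USER_PATHS = ("\\users\\", "\\appdata\\", "\\temp\\")
WINDOW = timedelta(minutes=30)   # assumed correlation window

SAMPLE = [  # constructed: download detail is "<source domain> <saved file>"
    "2022-11-01T10:00:05|ws-17|download|mega.nz crack_v2.rar",
    "2022-11-01T10:03:40|ws-17|defender|realtime_protection=off",
    "2022-11-01T10:04:12|ws-17|process|C:\\Users\\bob\\Downloads\\crack_v2\\setup.exe",
    "2022-11-01T11:30:00|ws-22|download|github.com tool-1.2.zip",
    "2022-11-01T15:00:00|ws-22|process|C:\\Program Files\\Tool\\tool.exe",
]

def parse(lines):
    for line in lines:
        ts, host, kind, detail = line.split("|", 3)
        yield datetime.fromisoformat(ts), host, kind, detail

def is_hosted_archive(detail):
    """True when an archive was fetched from one of the named file services."""
    domain, _, name = detail.partition(" ")
    return domain.lower() in FILE_HOSTS and name.lower().endswith(ARCHIVE_EXT)

def detect_911(lines):
    """Return (host, timestamp) for every process start from a user-writable
    path preceded, within WINDOW, by a hosted-archive download AND a Defender
    real-time protection shutdown on the same host."""
    by_host = {}
    for ts, host, kind, detail in parse(lines):
        by_host.setdefault(host, []).append((ts, kind, detail))
    alerts = []
    for host, events in by_host.items():
        for ts, kind, detail in events:
            if kind != "process" or not any(p in detail.lower() for p in USER_PATHS):
                continue
            recent = [e for e in events if ts - WINDOW <= e[0] < ts]
            staged = any(k == "download" and is_hosted_archive(d) for _, k, d in recent)
            av_off = any(k == "defender" and d.endswith("=off") for _, k, d in recent)
            if staged and av_off:
                alerts.append((host, ts.isoformat()))
    return alerts

if __name__ == "__main__":
    print(detect_911(SAMPLE))
```

The second host downloads an archive from GitHub but never disables Defender and runs a binary from Program Files, so it is not flagged; requiring all three stages keeps legitimate archive downloads from the same services out of the alert stream.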

What malware do traffers use?

As observed by Sekoia, the information stealers most used by traffers are Redline, Meta, Raccoon, Vidar, and Private Stealer.

Redline is considered the most effective stealer, as it can collect credentials from web browsers, crypto wallets, local system data, and some applications.

Redline also allows admins to easily track traffer activity by associating a unique botnet name with the samples distributed by each traffer. Stolen data coming from Redline is sold in many marketplaces. Meta is a newer malware advertised as an updated version of Redline, and it is becoming the malware of choice for some traffer groups.

How to protect yourself from traffers

This threat is heavily malware-based and can target individuals as well as companies. Deploy security and antivirus solutions on all corporate endpoints and servers. The operating system and all software must also be kept updated and patched to prevent infection through the exploitation of a common vulnerability.

Users should be trained to detect phishing threats and to avoid any use of cracked software or tools. Multi-factor authentication should be used whenever possible: a criminal checking the validity of stolen credentials may simply discard them if they are unusable without a second authentication channel.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
