Threat Spotlight: “Legal” Cybercrime Activities

Executive Overview

We often generalize threat actors as the “attackers” and cyber practitioners as the “defenders.” This simplification can work for many purposes, but what if we’re missing key relationships because of it?

Not all activities related to cybercrime require secrecy or direct malicious intent, so cybercriminals utilize a vast network of contractors to develop websites, translate text, and perform other common tasks that don’t fall under the traditional purview of “crime.” In fact, there are completely legal and popular public internet marketing forums that have users connected to cybercrime. 

We talked to researchers: Masarah Paquet-Clouston (Criminology Professor at University of Montreal), Serge-Olivier Paquette (Lead Data Scientist at Secureworks), and Sebastián García (Assistant Professor at Czech Technical University in Prague), who along with Maria José Erquiaga (Security Research Engineer at Cisco), studied the overlooked relationship between a public legal internet marketing forum and cybercrime activities. 

They examined several individual freelancers who were not directly orchestrating cybercrime, but participated in various aspects of the operation, specifically in developing websites (that then spread botnets). This task was not necessarily completely criminal, but the larger purpose of the website was for cybercrime and the freelancers profited off of the devices the website infected.

In the first study to formally quantify how (legal) internet marketing public forum users can have ties to cybercrime activities (as “crossover users”), the researchers addressed the question: Should cybercrime participation consider online spaces beyond those that are cybercrime branded?

The researchers accessed Flare’s database of cybercriminal activities on the dark & clear web for their research. 

Keep reading for the highlights and make sure to read Entanglement: cybercrime connections of a public forum population to learn more about the research.

Research Recap

The research focuses on a case study of three freelancers who both use a public internet marketing forum and are involved in cybercrime. The researchers knew that they were involved in cybercrime through leaked chat logs, and also were active on an internet marketing forum but never mentioned cybercrime there. 

The researchers found it fascinating that they knew these freelancers were involved in cybercrime but never discussed their cybercrime activities directly on the internet marketing forum (even though they were exchanging products and services related to their cybercrime business). They sought out additional context for this situation and for larger trends of crossover users, who are part of the public forum population that have ties with cybercrime forums.

These three freelancers developed websites advertising access to “cracked” or “modded” Android applications (APKs). Modded APKs provide better functionalities or paid features for free. However, when website visitors thought they were downloading modded APKs, they were actually downloading the Trojan botnet, which infected almost 800,000 Russian phones and had access to millions of euros. The three freelancers profited from each malicious APK that website visitors installed. 

The freelancers frequented a Russian and English speaking platform for internet marketing. This website advertises itself as “website allowing users to discuss issues related to creating and promoting websites on the internet. The forum brings together experts in all areas of online advertising and allows you to receive both free knowledge and find mutually beneficial contacts and partners.” The topics of discussion include search engine optimization (SEO), site monetization advice, and more. Many platform users also conduct business directly. 

More recent studies with researchers Paquet-Clouston and García involving interviews with cybersecurity experts further back up the presence of a “periphery workforce” of freelancers who (inadvertently) support cybercrime (this research is not affiliated with Flare). Learn more by reading: On the dynamics behind profit-driven cybercrime from contextual factors to perceived group structures, and the workforce at the periphery.

(Unintentional) Involvement in Cybercrime

Individuals in countries with scarce IT opportunities can end up unintentionally participating in cybercrime as they search for work on online forums. Unaware of the broader context of their tasks, these individuals may unknowingly contribute to phishing attacks or the spread of botnets.

Many of these freelancers are not actively trying to harm specific targets, but are simply trying to make a living. Instead of viewing these individuals as adversaries, by understanding their decision-making processes and offering legitimate alternatives, there may be ways to prevent their inadvertent participation in cybercrime. This shift in perspective could lead to new policies and effective ways to reduce cybercrime.

Difference Between People Involved in Cybercrime and Not

A recurring theme in the researchers’ understanding of cybercrime, is the difficulty in identifying and categorizing those involved. Despite efforts, it’s been challenging to distinguish the characteristics of malicious actors. This could imply a larger number of individuals are involved in cybercrime or it could mean that those participating are just “ordinary” people, leading normal lives outside their activities in the cybercrime sphere.

The inability to differentiate these individuals may lead to the unintentional stigmatization of people who are not inherently cybercriminals. The discovery that many participants in cybercrime activities might be inadvertently involved, without nefarious intent, has sparked a reconsideration of how we label and approach these actors. This realization challenges traditional perceptions of who is involved in cybercrime and necessitates a more nuanced approach to tackling the issue.

How Flare Can Help

Flare monitors billions of data points across the clear & dark web, and illicit Telegram channels, over the course of several years. We cover our customers’ high-risk exposure to mitigate it before threat actors can get to them. 

The researchers stated that their academic API access to Flare was “instrumental,” and supported their goal of finding the “best data available.” Flare was “not only the opportunity but also the obvious choice.”

Request a demo to see how Flare can support the scale of monitoring your organization’s sensitive information.

Share This Article

Related Content