Just as legitimate businesses have had to make major adjustments to the realities of COVID-19, the cybercriminal underground economy has also had to stay nimble. Indeed, a new dark web report from Digital Shadows’ Photon Research Team shows that some hacking forum members are struggling to keep their cybercriminal operations afloat, while others see new opportunities to scam the public.
Among the hardest hit cybercriminal operations are travel- and event-related fraud, bank fraud schemes that require a drop network of money mules, and “carded goods” scams that rely on Amazon warehousing services for distribution, the Digital Shadows report states.
But on the bright side for cybercriminals, a drastic increase in online browsing and shopping activity opens the door to online carding schemes and malware distribution. Separate research from TransUnion — released late last March — appears to back up this notion. In a press release, the company noted a 23 percent increase in global e-commerce transactions in the week following the World Health Organization’s March 11 COVID-19 pandemic declaration. And in a TransUnion survey of 1,068 American adults, 22 percent of respondents said they were targeted by digital fraud related to COVID-19.
The reason travel and event fraud is foundering isn’t particularly hard to deduce: few people are traveling and large gatherings like sporting events and concerts have been cancelled.
While examining Verified, a Russian-language cybercrime forum, the researchers observed a user who complained in a post that “people are afraid of flying and the borders are closed.” Another said “everything is closed for 2 weeks” — a rather optimistic projection. And a third user who said he’s engaged in travel and hotel fraud since 2012 said he was “without earnings for an indefinite period” on a thread he titled “find a job for an old man.”
Meanwhile, bank fraud schemes are suffering either because money mules or drop workers — whose job it is to collect funds that are fraudulently deposited into attacker-controlled accounts — have placed themselves in quarantine, or because the bank branch location they would normally visit is closed. One Verified forum member said that drop workers in Spain and Italy were afraid to leave the house.
Finally, some cybercriminals engaging in carded goods schemes — buying merchandise using stolen credit card data and then selling it online at a reduced price — are noting that they are unable to abuse Amazon to advance their schemes because the Fulfillment by Amazon service is only accepting household staples, medical supplies and other high-demand products until at least April 5. Digital Shadows says one Verified forum user grumbled that he or she was “forced to stop buying all illiquid assets” and was experiencing delivery issues due to “the panic over the coronavirus…”
On the flip side, a forum user reportedly said that the likely rise in online card transactions due to COVID-19 would be a boon to online carding — the trafficking of credit card, bank account and other personal info online — because “the greater the volume and diversity of transactions, the more difficult it is to attribute fraud.”
And a member of the Russian- and English-language carding forum Club2CRD predicted that rampant internet use will also help cybercriminals who specialize in rerouting internet traffic to malicious domains to infect victims with malware.
Indeed, it was recently reported that malicious actors have been hijacking home routers from D-Link and Linksys and changing their DNS configurations in order to redirect Windows computer users to malicious content, in the form of a fake alert from the World Health Organization. The alert instructs readers to download a supposed COVID-19 information app that in reality is the information-stealing malware known as Oski.
The Digital Shadows report also notes that some underground vendors have swapped out their usual black-market merchandise with coronavirus medical supplies and equipment or fake cures.
Earlier this week, cyber experts at Armor also noted the same trend in their own dark web report.
“Like organized crime groups, cyber underground criminals, who typically sell drugs such as heroin, cocaine, methadone, and marijuana, are now profiting from the coronavirus pandemic. In the past week, these scammers have started selling Chloroquine, N95 masks, surgical masks for exorbitant prices,” Armor stated in its blog post report.
Armor found that the vendors were selling surgical masks and N95 respirators with a 400 to 500 percent markup, and selling test kits for $39 to $44 even though the FDA has not approved at-home test kits.
“Browsing messages and offerings on cybercriminal forums and marketplaces shows that coronavirus truly is proving to be a double-edged sword for threat actors,” the Digital Shadows report concludes. “Some enterprising cybercriminals may be relishing the increased earning opportunities that the current crisis will bring them, while others will be aghast at the thought of the swift destruction of the business models and reputations that have taken years to develop.”