McAfee Report Examines Cybercriminal Underground

• McAfee Labs sees 480 new threats per minute in Q3 2018;
• Cryptominers leverage IoT devices; Financial sector sees 20% increase in data breaches

  • McAfee researchers analyze cybercriminal markets and secret forums; reveal tactics, targets
  • New IoT device malware grows 73% in Q3; total IoT malware up 203% in last four quarters
  • Cryptomining malware increases 71%; miners leverage lax security, volume of IoT devices
  • New mobile malware decreases 24%; cybercriminals leverage fake game cheats, dating apps
  • Financial sector data breaches increase 20%; banking Trojans take uncommon approaches
  • Spam botnets spew “sextortion” scams; threaten to reveal victim web browsing habits
  • New ransomware increases 10% in Q3 2018; unique ransomware families continue to decline

McAfee, the device-to-cloud cybersecurity company, released its  McAfee Labs Threats Report: December 2018 ,examining activity in the cybercriminal underground and the evolution of cyber threats in Q3 2018. McAfee Labs saw an average of 480 new threats per minute and a sharp increase in malware targeting IoT devices. The ripple effect of the 2017 take downs of Hansa and AlphaBay dark web markets continued as entrepreneurial cybercriminals took new measures to evade law enforcement.

“Cybercriminals are eager to weaponize vulnerabilities both new and old, and the number of services now available on underground markets has dramatically increased their effectiveness,” said Christiaan Beek, lead scientist at McAfee. “As long as ransoms are paid and relatively easy attacks, such as phishing campaigns, are successful, bad actors will continue to use these techniques. Following up-and-coming trends on the underground markets and hidden forums allow the cybersecurity community to defend against current attacks and stay a step ahead of those in our future.”

Each quarter, McAfee assesses the state of the cyber threat landscape based on in-depth research, investigative analysis, and threat data gathered by the McAfee Global Threat Intelligence cloud from over a billion sensors across multiple threat vectors around the world.

Cybercriminal Underground and Hidden Chat Forums Reveal Trends

The third quarter of 2018 saw the Dream, Wall Street, and Olympus markets clamoring for market share, until the mysterious disappearance of Olympus. In an effort to evade law enforcement and build trust directly with customers, some entrepreneurial cybercriminals have shifted away from using larger markets to sell their goods and have begun creating their own specialized shops. This shift has sparked a new line of business for website designers offering to build hidden marketplaces for aspiring shady business owners.

“Cybercriminals are very opportunistic in nature,” said John Fokker, head of cybercriminal investigations at McAfee. “The cyberthreats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cybercriminals: higher infection rates, and both operational and financial security. ”

Hacker forums provide an elusive space for cybercriminals to discuss cybercrime-related topics with their peers. McAfee researchers witnessed conversations around the following topics in Q3:

  • Successful Breaches Fuel Markets for Data and Copycat Attacks
    • User Credentials: Due to many recent successful large data breaches, user credentials remain a popular topic. Hacked email accounts are of particular interest to cybercriminals as they are used to restore login credentials for other online services.
    • E-commerce Site Malware: Cybercriminals have shifted their focus from point-of-sale systems to payment platforms located on large e-commerce sites. Cybercriminal groups, such as Magecart, have successfully skimmed thousands of credit card details directly from victim websites, which has fueled demand for both credit card details and the malicious tools that can be used to steal them. Furthermore, as organizations implement additional security measures, cybercriminals are responding accordingly. For example, as organizations add geographic IP location checks for online purchases, the demand for compromised computers from the same zip code as the stolen credit card information increases.
  • Common Entry and Attack Methods Remain Popular
    • Common Vulnerabilities and Exposures (CVE): McAfee researchers witnessed numerous mentions of CVEs in discussions focused on browser exploit kits RIG, Grandsoft and Fallout, and on GandCrab ransomware. The popularity of these topics signals the importance of vulnerability management for organizations around the globe.
    • Remote Desktop Protocol (RDP): Shops offering logins to computer systems worldwide, ranging from the consumer home to medical devices and government systems, remained popular throughout Q3. These shops provide one stop for cybercriminals looking to commit fraud, selling RDP access as well as social security numbers, bank details, and online account access.
    • Ransomware-as-a-Service (RaaS): Ransomware remains popular, evidenced by 45% growth over the last four quarters and strong interest on underground forums for leading RaaS families such as Gandcrab. The number of unique ransomware families has declined since Q4 2017 as partnerships between essential services have increased, for example the partnership between GandCrab ransomware and cryper service NTCrypt seen in Q3. Partnerships and affiliate schemes have bettered the level of service provided to customers and increased infection rates.

Q3 2018 Threats Activity

Cryptomining and IoT. IoT devices such as cameras or video recorders have not typically been used for cryptomining because they lack the CPU power of desktop and laptop computers. However, cybercriminals have taken notice of the growing volume and lax security of many IoT devices and have begun to focus on them, harnessing thousands of devices to create a mining super-computer. New malware targeting IoT devices grew 72%, with total malware growing 203% in the last four quarters. New coinmining malware grew nearly 55%, with total malware growing 4,467% in the last four quarters.

Fileless malware. New JavaScript malware grew 45%, while new PowerShell malware grew 24%.

Security incidents. McAfee Labs counted 215 publicly disclosed security incidents, a decrease of 12% from Q2. 44% of all publicly disclosed security incidents took place in the Americas, followed by 17% in Europe and 13% in Asia-Pacific.

Vertical industry targets. Disclosed incidents targeting financial institutions rose 20%, as McAfee researchers observed an increase in spam campaigns leveraging uncommon file types, an effort to increase chances of evading basic email protections. McAfee researchers also observed banking malware include two-factor operations in web injects to evade two-factor authentication. These tactics follow a broad effort on the part of financial institutions to increase security in recent years.

Disclosed incidents targeting health care remained stagnant, public sector decreased 2%, and education sector decreased 14%.

Regional Targets. McAfee researchers observed a new malware family, CamuBot, targeting Brazil in Q3. CamuBot attempts to camouflage itself as a security module required by the financial institutions it targets. Although organized cyber gangs in Brazil are very active in targeting their own population, their campaigns have been crude in the past. With CamuBot, Brazilian cybercriminals appear to have learned from their peers, adapting their malware to be more sophisticated and comparable to that on other continents.

Disclosed incidents targeting the Americas fell 18%, Asia-Pacific fell 22%, and Europe increased 38%.

Attack vectors. Malware led disclosed attack vectors, followed by account hijacking, leaks, unauthorized access, and vulnerabilities.

Ransomware. GandCrab, one of the most active families of the quarter, increased its required ransom payment to US$2,400 from $1,000. Exploit kits, the delivery vehicles for many cyberattacks, added support for vulnerabilities and ransomware. New ransomware samples grew 10%, and total ransomware samples grew 45% over the last four quarters.

Mobile malware. New mobile malware decreased by 24%. Despite the downward trend, some unusual mobile threats appeared, including a fake Fortnite “cheat” app and a fake dating app. Targeting members of the Israel Defense Forces, the latter app allowed access to device location, contact list, and camera and had the ability to listen to phone calls.

Malware overall. New malware samples increased by 53%. The total number of malware samples grew 34% in the past four quarters.

Mac malware. New Mac OS malware samples increased by 9%. Total Mac OS malware grew 51% over the last four quarters.

Macro malware. New macro malware increased by 32%, growing 24% over the last four quarters.

Spam campaigns. 53% of spam botnet traffic in Q3 was driven by Gamut, the top spam-producing botnet spewing “sextortion” scams, which demand payment and threaten to reveal victim browsing habits.