A growing community of private and highly-vetted cybercrime forums is redefining the very meaning of “targeted attacks.” These bid-and-ask forums match crooks who are looking for access to specific data, resources or systems within major corporations with hired muscle who are up to the task or who already have access to those resources.
A good example of this until recently could be found at a secretive online forum called “Enigma,” a now-defunct community that was built as a kind of eBay for data breach targets. Vetted users on Enigma were either bidders or buyers — posting requests for data from or access to specific corporate targets, or answering such requests with a bid to provide the requested data. The forum, which operated on the open Web for months, was apparently scuttled when the forum administrators (rightly) feared that the community had been infiltrated by spies.
The screen shot below shows several bids on Enigma from March through June 2015, requesting data and services related to HSBC UK, Citibank, Air Berlin and Bank of America:
One particularly active member, shown in the screen shot above and the one below using the nickname “Demander,” posts on Jan. 10, 2015 that he is looking for credentials from Cisco and that the request is urgent (it’s unclear from the posting whether he’s looking for access to Cisco Corp. or simply to a specific Cisco router). Demander also was searching for services related to Bank of America ATMs and unspecified data or services from Wells Fargo.
Much of the information about Enigma comes from Noam Jolles, a senior intelligence expert at Diskin Advanced Technologies. The employees at Jolles’ firm are all former members of Shin Bet, a.k.a. the Israel Security Agency/General Security Service — Israel’s counterespionage and counterterrorism agency, and similar to the British MI5 or the American FBI. The firm’s namesake comes from its founder, Yuval Diskin, who headed Shin Bet from 2005 to 2011.
“On Enigma, members post a bid and call on people to attack certain targets or that they are looking for certain databases for which they are willing to pay,” Jolles said. “And people are answering it and offering their merchandise.”
Those bids can take many forms, Jolles said, from requests to commit a specific cyberattack to bids for access to certain Web servers or internal corporate networks.
“I even saw bids regarding names of people who could serve as insiders,” she said. “Lists of people who might be susceptible to being recruited or extorted.”
Many experts believe the breach that exposed tens of millions of user accounts at AshleyMadison.com — an infidelity site that promises to hook up cheating spouses — originated from or was at least assisted by an insider at the company. Interestingly, on June 25, 2015 — three weeks before news of the breach broke — a member on a related secret data-trading forum called the “Gentlemen’s Club” solicited “data and service” related to AshleyMadison, saying “Don’t waste time if you don’t know what I’m talking about. Big job opportunity.”
Cybercrime forums like Enigma vet new users and require non-refundable deposits of virtual currency (such as Bitcoin). More importantly, they have strict rules: If the forum administrators notice you’re not trading with others on the forum, you’ll soon be expelled from the community. This policy means that users who are not actively involved in illicit activities — such as buying or selling access to hacked resources — aren’t allowed to remain on the board for long.
BLURRING GEOGRAPHIC BOUNDARIES
In some respects, the above-mentioned forums — as exclusive as they appear to be — are a logical extension of cybercrime forum activity that has been maturing for more than a decade.
As I wrote in my book, Spam Nation: The Inside Story of Organized Cyber Crime — From Global Epidemic to Your Front Door, “crime forums almost universally help lower the barriers to entry for would-be cybercriminals. Crime forums offer crooks with disparate skills a place to market and test their services and wares, and in turn to buy ill-gotten goods and services from others.”
The interesting twist with forums like Enigma is that they focus on connecting miscreants seeking specific information or access with those who can be hired to execute a hack or supply the sought-after information from a corpus of already-compromised data. Based on her interaction with other buyers and sellers on these forums, Jolles said a great many of the requests for services seem to be people hiring others to conduct spear-phishing attacks — those that target certain key individuals within companies and organizations.
“What strikes me the most about these forums is the obvious use of spear-phishing attacks, the raw demand for people who know how to map targets for phishing, and the fact that so many people are apparently willing to pay for it,” Jolles said. “It surprises me how much people are willing to pay for good fraudsters and good social engineering experts who are hooking the bait for phishing.”
Jolles believes Enigma and similar bid-and-ask forums are helping to blur international and geographic boundaries between attackers responsible for stealing the data and those who seek to use it for illicit means.
“We have seen an attack be committed by an Eastern European gang, for example, and the [stolen] database will eventually get to China,” Jolles said. “In this data-trading arena, the boundaries are getting warped within it. I can be a state-level buyer, while the attackers will be eastern European criminals.”
ASK FOR THE SAMURAI
Jolles said she began digging deeper into these forums in a bid to answer the question of what happens to what she calls the “missing databases.” Avivah Litan, a fraud analyst with Gartner Inc., wrote about Jolles’ research in July 2015, and explained it this way:
“Where has all the stolen data gone and how is it being used?
We have all been bombarded by weekly, if not daily reports of breaches and theft of sensitive personal information at organizations such as Anthem, JP Morgan Chase and OPM. Yet, despite the ongoing onslaught of reported breaches (and we have to assume that only the sloppy hackers get caught and that the reported breaches are just a fraction of the total breach pie) – we have not seen widespread identity theft or personal damage inflicted from these breaches.
Have any of you heard of direct negative impacts from these thefts amongst your friends, family, or acquaintances? I certainly have not.”
Jolles said a good example of a cybercriminal actor who helps to blur the typical geographic lines in cybercrime is a mysterious mass-purchaser of stolen data known to many on Enigma and other such forums by a number of nicknames, including “King,” but most commonly “The Samurai.”
“According to what I can understand so far, this was a nickname given to him and not one he picked himself,” Jolles said. “He is looking for any kind of large volumes of stolen data. Of course, I am getting my information from people who are actually trading with him, not me trading with him directly. But they all say he will buy it and pay immediately, and that he is from China.”
What other clues are there that The Samurai could be affiliated with a state-sponsored actor? Jolles said this actor pays immediately for good, verifiable databases, and generally doesn’t haggle over the price.
“People think he’s Chinese, that he’s government because the way he pays,” Jolles said. “He pays immediately and he’s not negotiating.”
The Samurai may be just some guy in a trailer park in the middle of America, or an identity adopted by a group of individuals, for all I know. Alternatively, he could be something of a modern-day Keyser Söze, a sort of virtual boogeyman who gains mythical status among investigators and criminals alike.
Nevertheless, new forums like The Gentlemen’s Club and Enigma are notable because they’re changing the face of targeted attacks, building crucial bridges between far-flung opportunistic hackers, hired guns and those wishing to harness those resources.