Forums are Forever – Part 3: From Runet with Love

Photon Research Team
December 17, 2019 | 24 Min Read

 

The rise of alternative technologies hasn’t spelled the end of forums, which seem to be prospering against all odds. In part 1 and part 2 of this blog series on The Modern Cybercriminal Forum, we discussed the evidence for forums’ continued popularity and for forum users’ resistance to moving away from the forum model.

The third and final installment of this blog series investigates several characteristics of forums that make them ideal for supporting cybercriminal communities.

To access the full, in-depth research report from the team, visit our resources center below:

The Modern Cybercriminal Forum

 

Why forums are still winning the popularity contest

It’s clear that forums aren’t giving up the ghost, so what lies behind their members’ loyalty? The answer is a set of qualities that would apply equally to a legitimate customer service:

  • A long history and venerable reputation
  • Proof of credibility
  • Guarantees of fair deals

Beyond that, forums also offer an advertising platform and a supportive, knowledgeable community.

 

Longevity breeds respect

The enduring popularity of forums is, to some extent, driven by their history, especially for Russian-speaking threat actors. Many of the prominent Russian-language cybercriminal forums operating today have a long pedigree. The Photon Research Team spotted a post on XSS that mentioned the “pantheon of the firsts,” referring to “the first forums that opened on the Runet in the 2000s,” which the post named as Carder Planet, Web Hack, Zloy, Antichat, Exploit, Maza, and DamageLab. The same user said these forums raised “a whole generation of first-class specialists… a whole generation, a whole life, a whole epoch”. The reputation of these long-established cybercriminal forums—and the prestige associated with being a forum member—is attractive to many threat actors. Linking to a profile on a hallowed forum is an almost failsafe way to prove your credibility and legitimacy.

 


Figure 1: XSS homepage

 

In the case of DamageLab, the perceived preeminence of the forum led to one of the most surprising developments in the Russian-language cybercrime landscape in recent years. DamageLab was founded in 2004 and grew to be one of the most prominent Russian-language forums. In December 2017, one of DamageLab’s administrators, the Belarusian Sergey Yarets, was arrested in a joint operation of Belarusian, United States, and European police forces for his involvement in the forum and in the Andromeda botnet. Following the arrest of “Ar3s” (Yarets’s username on the forum), the remaining DamageLab administration team decided to close the forum entirely to protect the user base from further investigation by the authorities.

What’s unusual is that, after almost a year (late 2018), the former administrator of the high-profile Exploit purchased a back-up of DamageLab, dating back to late 2015, and reopened the site. The new administrator vowed that the forum would never again work under its old name because it would be “unsafe, unethical, and bad for karma”. They rebranded the site “XSS” and set about restoring, rebuilding, and attracting new members.

 


Figure 2: Message announcing reboot of DamageLab

 

Despite the apparent dangers of operating on a platform associated with an individual known to law-enforcement agencies, the forum has flourished. Membership numbers have grown and the forum now boasts highly skilled threat actors prepared to discuss cutting-edge attack techniques and trade high-value offerings. This success has occurred, in no small part, thanks to the heritage of the forum; many of the older members are still active participants who contribute knowledge and experience.

Even Ar3s, who has now been released from prison (six months in custody meant his fine was waived), holds a legacy role on XSS and has recently been appointed as a moderator of Exploit. The new XSS administrator, meanwhile, used the reputation they had acquired as administrator of Exploit to build trust in their new venture. (This individual has also ridden the coattails of their Exploit success to promote other projects, including a marketplace and a Jabber server.) The prestige and longevity of DamageLab outweighed the potential negative implications of restoring a defunct forum; Ar3s’s experiences with the law are often called upon by other forum members and his opinions are highly valued.

Promoting a forum by relying on a site’s previous reputation has even taken place in the English-language cyber community. The hacking forum Hell, which was taken down in a law-enforcement operation in July 2015, reappeared in early 2016 as Hell Reloaded. One of Hell’s original moderators, who created the sequel site, tried to market the new forum and attract new members by relying on the illustrious name of the defunct forum. But many new users remained wary, suspicious that the site was a security services “honeypot”. Hell Reloaded is no longer active.

 


Figure 3: Homepage of Exploit, which has operated continuously since 2005

 

A forum like Exploit, which has operated continuously since 2005, attracts users who are aware of the reputation it has built up over many years and the prestige they’ll gain as a member, but are also aware of its demonstrable success in surviving threats that have taken down other forums. Forum users who choose Exploit feel safe that time and energy put into building a brand and customer base on the forum will not be wasted.

These forums’ extraordinary longevity also means that the sites hold invaluable repositories of cybercrime-related content spanning many years. Exploit, for instance, boasts over a million posts containing discussions, advice, guidance, and recommendations. Sites like Hackforums, which has operated since 2009, are attempting to capitalize on their lifespan and on the significance of the information they hold by promoting themselves as educational resources, rather than simply hacking forums (an approach that may also help deflect unwanted attention from the authorities).

 

Trust issues

In terms of basic capability, there’s very little a threat actor can do on a messaging platform that they can’t also achieve on a forum. Several forums have added chat functionalities, enabling users to communicate in groups―as on a messaging platform’s public groups or private channels, or in one-to-one conversations. Many forums also promote the privacy of this feature, ruling that forum administrators do not have the ability to read users’ private messages.

But there’s a major difference between communicating via a messaging service and via a forum: the amount of associated user information. Many messaging services strip away as much data as possible about their users. Often, the only information available is a username, a handle, and maybe an avatar. Some services also allow a short biography. This lack of information is touted as an advantage: Surely, in a world in which staying anonymous is paramount, providing few details to your interlocutor is optimal?

Paradoxically, however, in a world of shadows and anonymity, more information can be the key to success. It’s very difficult to judge whether it’s safe to trust a username and avatar on a messaging service, especially when you can’t see how that user has interacted with other threat actors. Although cybercriminals undoubtedly don’t want to reveal any of their real-life, personal information, for successful transactions they need to present details of their online identities. Forums let them build up entire virtual personas.

A forum member considering interacting for the first time with another user will likely be able to see a history of that user’s previous forum activity. They can judge their credibility accordingly, considering several factors:

  • When did the user join the forum?
  • How many posts have they made?
  • Do they initiate their own threads or just reply to other members’ threads?
  • What have they bought? What have they sold?
  • How involved are they in “forum life”―do they contribute to community threads? Highlight bugs? Suggest ways the forum can improve?
  • How have other forum members reviewed this user’s services? Have they reported any problems?

Counterintuitively, trust is even more important in the cybercriminal underground than in everyday life. When there’s no information available on an individual’s real identity, threat actors can rely only on trust when making decisions. Should they send hundreds of dollars to a vendor in the hope of receiving what they’ve ordered? Reviewing a user’s past activity on a forum can help determine whether they’re a credible forum member, an inexperienced threat actor, or—even worse—a scammer, researcher, or law-enforcement official.

Forums promote countless tools and systems that can aid their members in making such assessments. Many English-language cracking forums have “leecher” or “lurker” ratings to highlight users who don’t contribute to forum life, resulting in a ban during the frequent member culls. And most forums operate a system for members to award positive or negative reputation points to a user. This can either reflect the results of a transaction or an opinion on the user’s contribution to a thread. Negative points can lead to a ban on some forums, so it’s in members’ interests to try to ensure their score is as high as possible, and they value this opportunity; Exploit removed its reputation system following a site redesign, prompting many users to clamor for its restoration.

 


Figure 4: CrackedTO announcement of leecher banning

 

There are a host of other ways to boost member trust. Some forums that focus heavily on the sale of goods and services will close a thread temporarily after it begins, so that moderators can verify the vendor’s claims. Many forums operate a status system for users with a long tenure and high post count to move up through the ranks of the site; users with a higher rank are automatically afforded greater respect. On some forums, users can only attain a certain rank by being vouched for by other forum members―a sure sign of legitimacy. Still other forums allow users to pay to increase their status, because making such a payment would be undesirable or impossible for some law-enforcement officials, and for individuals looking to just scam other users.

The Photon Research Team has found that strict forum rules and conventions also help build a picture of an individual. A user who contributes to forum life and answers other users’ questions is more likely to be genuine. Substantive answers and posts also indicate a user’s knowledge and experience. Users who only ask, or leave inconsequential replies, are likely to be inexperienced amateurs. Many forums rule that posts must contain meaningful content, and allow negative reputation points to be awarded for so-called empty posts.

 

“Free” advertising

A good reputation and positive user feedback can also be invaluable to a threat actor marketing goods or services. Whether promoting offerings on other forums or updating existing advertising threads, linking to a high-scoring forum profile or appreciative reviews from other forum users is one of the only ways threat actors can try to convince other members to enter into a transaction. Sometimes they even try to use positive reviews to distract attention from problems they’re experiencing. The founder of the recently established MagBo shells shop, “mrbo”, used a thread containing positive reviews on the Russian-language cybercriminal forum Antichat to promote their site on XSS, despite admitting in the same post that they had been banned from Exploit.

 


Figure 5: mrbo’s banned user profile

 

Forums’ utility as advertising platforms represents another advantage over alternative technologies. Very few threat actors can operate successfully on alternative platforms alone, finding that forum membership widens the user base to which they can advertise their goods and services. In a November 2019 discussion on the English-language cracking forum CrackedTO, many users admitted that they had fewer than 50 “friends” on the messaging platform Discord, indicating that the level of exposure on a messaging app is often much lower than on a forum.

It’s common for a threat actor to use the same username across discrete forums, establishing a marketing persona, and to extend that “brand” to alternative channels. The prolific travel fraudster “Sergik00”, who’s offered fraudulent airline tickets and hotel bookings on forums for almost four years, directs interested buyers to their Telegram channels to make orders. We’ve even seen them work their Telegram handle into custom advertising graphics included in their threads. Crucially, however, Sergik00 has maintained a footprint across a wide variety of cybercriminal forums and included positive customer feedback in their dedicated threads, building their brand across multiple sites.

 


Figure 6: Serggik00’s travel offerings

 

Similarly, the operators of the carding scheme Project13 use Telegram in a variety of ways—with separate European and United States accounts to deal with user orders and a Telegram bot to field user queries. But even with this extensive Telegram infrastructure, they still maintain active advertising threads on numerous Russian-language forums. Even the notorious carding AVC (automated vending cart) Joker’s Stash updates multiple dedicated forum threads each time they upload a large set of new card details to their site.

 


 

The ease of arbitration

Another shortfall cybercriminals see in using alternative platforms is the high risk of falling victim to fraud, and having no recourse if they do. If a threat actor operating exclusively on Discord or Wickr refuses to sell another user a data set after the deal is made, there’s not much the buyer—or anyone else—can do about it. The injured party doesn’t even have a place to air their anger. But Russian-language cybercriminal forums have built-in justice systems designed to settle disputes, ensure parties stick to the terms of an agreement, and punish wrongdoers.

In general, most forums have a well-used arbitration section, in which users can create threads when they feel deceived by another forum member. Such disputes usually revolve around one party failing to pay the agreed price in a transaction, failing to deliver goods by an agreed deadline, or providing goods that fall short of their description.

 


Figure 7: Exploit arbitration section

 

The claimant initiating an arbitration thread should provide all contact details the defendant has used (e.g. Jabber IDs), any other usernames by which they are known, and the logs of one-on-one conversations detailing the full negotiations between the two parties. Forums usually have templates for arbitration claims that participants must use. The forum arbiter can then read through the conversation logs and call upon the defendant to provide their version of events or evidence of their innocence. Other forum members will also supplement the discussion; sometimes these users have also been wronged by the defendant, but sometimes they’re contributing out of a sense of community spirit.

Eventually the forum arbiter comes to a decision, usually giving the defendant a chance to pay back any money owed, if they’re judged to be guilty. If the defendant fails to make this payment, or if their crimes are considered too egregious, the forum arbiter will ban them from the site. The defendant’s name will then be placed on a blacklist as a warning to other forum members not to interact with their username. Resolved arbitration cases in which the defendant was not banned are also kept as “public” record. This means forum users considering transacting with an unfamiliar vendor can see any arbitration cases involving that vendor.

On some forums, the justice system is even more involved. Verified, a high-profile Russian-language cybercriminal forum specializing in carding, runs a compensation system whereby wronged parties can recoup some of their losses. The user who scammed them may have deposited funds with Verified, and their victim(s) can apply to receive those funds. In most cases, guilty defendants have more than one victim; once all users have made claims against them, a member of the forum team steps in to dole out funds proportionally, according to the users’ claims. In most cases, the wronged parties are owed much more than the funds deposited by the fraudster in the forum, but at least they receive some form of compensation.

 


Figure 8: Verified compensation section

 

In one extraordinary example of forum justice, observed on the Russian-language Antichat, a user applied for paid coding work on a project organizing “cryptoattacks”. Despite passing the interview tests and being promised work and payment by the project organizer, the user never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, and shared their own correspondence. Ultimately, the Antichat administrators banned the project organizer and arranged a “whip-round” among forum members to raise funds for the medical treatment. As a result, the forum transferred USD 700 to the claimant. This kind of help from a supportive community does not exist on platforms other than forums.

 


Figure 9: Announcement of sum sent to user for medical treatment, with subsequent message of thanks

 

Sense of community

The previous case is just one example of the sense of community spirit that prevails on cybercriminal forums and contributes to their continued persistence. The forum community even celebrates together: Members wish each other a happy birthday or send New Year’s greetings, and Exploit even celebrated Halloween.

 


Figure 10: Exploit Halloween banner

 

By contrast, messaging services, marketplaces, and AVCs are almost exclusively platforms for buying and selling goods and services, and this doesn’t satisfy all users. The Photon Research Team has observed users on CrackedTO bemoaning the transactional nature of Discord, for example. Forums offer a place to conduct transactions but come with the added bonus of the knowledge and skills of an entire user base, arguably enhancing trading. On a forum, a threat actor can open up discussions with specific vendors, to ask for details of other goods the vendor offers, or inquire about the geographies/systems that can be targeted; in a marketplace, that threat actor can only send limited queries about a specific listing. Several well-known marketplaces, including Rapture, Empire, Olympus, and HYDRA, have even run forums alongside their main marketplace offering, to facilitate further discussions and reap the benefits of a forum community.

A good example of cybercriminal forums’ community-mindedness lies in the discussions on most major Russian-language forums about law-enforcement activity. In dedicated sections their users discuss the fate of fellow members who’ve fallen foul of the police or intelligence services, sharing as many details about their story as they can find, so the community can learn from that user’s mistakes. Users often post news articles about cybercriminals’ arrests, forensically examining the details of the case to work out how they were caught.

For example, a discussion arose on Exploit about the case of hacker Roman Seleznev, who was convicted of credit-card fraud in 2016 and sentenced to 37 years’ imprisonment in 2017. One user said Seleznev was aware of Western intelligence agencies’ interest in him but chose to travel abroad for a vacation anyway. He was caught “while passing through passport control at an airport in a country without an extradition agreement with the United States”, the forum user said. The user also said officials discovered Seleznev’s real-life identity because he used the same email address his wife used for social media as a back-up email address that received malware logs. When Exploit users moved on to discuss the danger of Russian-speaking cybercriminals travelling abroad, one forum member remarked darkly, “Russian resorts are better than American prisons.”

Even more striking is the propensity of forum members who have had brushes with the law to return to the forum, then share the details of their experience with the community. XSS user “maza-in”—the supposed creator of the “Anubis” banking trojan—was arrested in early 2019, but that didn’t mark the end of their forum activity. maza-in’s arrest had followed an investigation by an unspecified Russian security force, and in August 2019 XSS users posted links to local news websites in Stavropol, Russia, saying maza-in was due to appear before Stavropol military court with an unnamed accomplice. In October 2019 maza-in reappeared on XSS with a new username (appending “1” to the end of their previous moniker) to provide details about the circumstances of their arrest.

 


Figure 11: maza-in1’s post recounting the story of their arrest

 

maza-in1 wondered whether their “excessive self-confidence” had “destroyed” them, adding that they had been “ruined” by “a careless attitude to security”. They explained that they had registered an email account using a “white” IP address (i.e. legitimate and not shielded by VPN technology) and then used that email address to sign up to Exploit. maza-in1 allegedly had no intention of engaging in cybercrime when they registered on Exploit, so they didn’t consider the security implications of using the email address. maza-in1 stated that their former partner, “cccalypse”, had not been arrested because they were so “paranoid” about monitoring their anonymity.

Ultimately maza-in1 received a suspended sentence of 18 months’ imprisonment, confiscation of documents, and a fine of RUB 120,000 (USD 1,872). They claimed that they were “saved” from a harsher sentence by not having targeted countries in the Commonwealth of Independent States and by there being no identifiable “injured party”. Although some XSS users were suspicious of maza-in1’s return, the community was generally welcoming, valuing the insight into the criminal justice system and into the small mistakes that can lead to capture. Cybercriminals can’t find such continual insight anywhere online except a forum.

 

 

Airing doubts about alternative technologies

A key concern for cybercriminals when choosing where and how to operate is security, and how easy it is to maintain absolute anonymity. Relying on new technologies and messaging services for security—no matter how ostensibly secure they are—inherently means trusting those platforms’ operators not to compromise their users’ anonymity, either deliberately or inadvertently.

Consider Telegram, which has come under sustained pressure from the Russian authorities to share the app’s encryption keys with the security services. A Moscow court even banned Telegram in April 2018, although Russia-based users continue to use the app via VPNs. Telegram creator Pavel Durov left Russia in 2014 following repeated clashes over his other project, the social network VKontakte. Although Durov regularly asserts that he’ll never give in to the Russian government’s demands, it’s possible to imagine circumstances arising that could compel him to agree.

 


Figure 12: Exploit users discuss WhatsApp

 

Not only are cybercriminals subject to the behavior of messaging app operators, but the services may have vulnerabilities that put user security at risk. Commercial spyware such as NSO Group’s Pegasus has exploited a vulnerability in WhatsApp’s voice-calling code (CVE-2019-3568, patched in May 2019) to infect user devices and intercept communications. The infection was triggered by a WhatsApp call to the target’s phone, which reportedly didn’t require the user to answer the call, and the spyware could then remove the call from the device’s logs to hide the trace of infection. Users on Exploit have repeatedly discussed the security of WhatsApp; in one example thread from May 2019, a long discussion was prompted by Pavel Durov’s own comments that WhatsApp would “never be safe”.

Reflecting on the reliability of messaging apps, a Torum user said (verbatim): “I know peoples that have been busted cause to wickr, snapchat and whatsapp. Telegram has been cracked by feds too a year or two ago (I remember a big seized of terrorist weapons thanks to Telegram).” Another forum user warned on Verified: “don’t use whats[app]/viber, the FBI have already downloaded conversations from there. telegram at your own risk.”

In general, conversations about operational security and anonymity are common on cybercriminal forums: In the same thread on Torum as mentioned above, another user wrote, “The only chat app that is 100% safe is SkyEcc but it’s about $800/mo.” In a different thread on a similar topic, a member claimed: “With high level of resources, any centralized messaging service can potentially be compromised. I am not saying it is easy, but it is still a possibility that should be considered.”

 


Figure 13: Torum discussions of app safety

 

Judging by these frequent conversations, many forum users see an innate disadvantage in messaging apps: the people running an app service are not themselves at risk if the app turns out to be insecure, whereas a forum administrator is, in most jurisdictions, committing a criminal act simply by running the platform. The administrator therefore has a vested interest in keeping the forum as secure as possible and in maintaining their own anonymity and that of their members. Understandably, the teams behind forums take this responsibility seriously.

The now-defunct English-language forum KickAss prioritized security to such an extent that forum users were disadvantaged. In late 2018 the administrator removed all time and date stamps from posts, probably to thwart police forces’ efforts to collate intelligence for their enquiries. But the side effect is that it also made the forum much more inconvenient for its members to use. The CrackedTO forum also employed this tactic, as did the English-language Carding Forum―which also went so far as to expunge all user IP address information from forum logs (to impede investigations if the log database were seized).

A final downside to using legitimate messaging services is the risk that the companies behind them will not tolerate criminal activity. In one discussion on CrackedTO, users noted that they had been subject to regular bans on Discord for breaking that platform’s rules on permitted activities.

 

The future of cybercriminal forums: Is there an end to the trend?

Despite the age—and ostensible outdatedness—of the forum model and technology, cybercriminal forum administrators show every sign of striving to ensure these platforms remain popular in years to come. They’re acknowledging the primary concerns of their users, as described above: security, trust, and anonymity.

Three major site updates, all recorded in October 2019, demonstrate forums’ future-looking stance. Firstly, XSS introduced two-factor authentication (2FA). The forum administrator said the move was intended to increase the security of users’ accounts and minimize the risk of such compromises as “brute-force cracking attacks, [unauthorized] password retrieval, and interceptions by other services”.

 


Figure 14: XSS 2FA announcement
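The announcement says only that XSS added 2FA, not which form; time-based one-time passwords (TOTP, RFC 6238) are the usual choice for a web forum, so the Go program below, an added example and not XSS’s code, shows what the server-side check of such a code involves and why it blunts the three compromises the administrator listed. The secret and timestamps are the published RFC 4226/6238 test vectors; the 30-second step, six digits and one-step clock tolerance are this example’s assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

// HOTP implements RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
// dynamic truncation to a 31-bit integer, then reduction to `digits` digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := (uint32(h[off])&0x7f)<<24 |
		uint32(h[off+1])<<16 |
		uint32(h[off+2])<<8 |
		uint32(h[off+3])
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// Step is the assumed TOTP time step; 30 s is the RFC 6238 default.
const Step = 30 * time.Second

// TOTP (RFC 6238) is HOTP with the counter derived from Unix time.
func TOTP(secret []byte, t time.Time, digits int) string {
	return HOTP(secret, uint64(t.Unix())/uint64(Step/time.Second), digits)
}

// CheckTOTP is the server-side check: the submitted code must equal the
// code for the current step or one within +/-skew steps (clock drift).
// Every window is compared in constant time and the results are OR-ed so
// that timing does not reveal which window, if any, matched.
func CheckTOTP(secret []byte, candidate string, now time.Time, skew int) bool {
	ok := 0
	for d := -skew; d <= skew; d++ {
		ref := TOTP(secret, now.Add(time.Duration(d)*Step), 6)
		ok |= subtle.ConstantTimeCompare([]byte(ref), []byte(candidate))
	}
	return ok == 1
}

func main() {
	// RFC 4226/6238 test secret (ASCII "12345678901234567890").
	secret := []byte("12345678901234567890")
	for _, ts := range []int64{59, 1111111109, 1234567890} {
		fmt.Printf("t=%d  code=%s\n", ts, TOTP(secret, time.Unix(ts, 0), 6))
	}
	// A code captured at t=59 is still accepted one step later (drift) but
	// not three steps later, so an intercepted code has a short shelf life.
	fmt.Println("replay after 1 step:", CheckTOTP(secret, "287082", time.Unix(89, 0), 1))
	fmt.Println("replay after 3 steps:", CheckTOTP(secret, "287082", time.Unix(149, 0), 1))
}
```

A brute-forced or phished password alone no longer passes the login, a code intercepted in transit is valid for at most a step or two, and a password reset by “retrieval” still needs the secret. Two caveats matter in practice: a six-digit code has only a million values, so the server must rate-limit or lock the account after a handful of failed codes, and the shared secret stored server-side is a second password-equivalent that has to be protected as such.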

 

Next, the English-language forum Dread introduced a “Canary” feature, aimed at updating forum members on the status of Dread’s administrator and their control of the forum. These weekly updates, delivered as a personalized, cryptographically signed message from the administrator, were likely introduced following that individual’s September 2019 disappearance from the forum, which threw the community into disarray. The Canary feature demonstrates a clear intent to sustain the credibility of the forum: a member who has pinned the administrator’s signing key can notice a missed, unsigned, or stale update, which is the only way a covert law-enforcement takeover or an impostor posing as the administrator would show from the outside. A canary can make such a takeover detectable; it cannot prevent one.

 


Figure 15: Canary announcement message
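The announcement tells us only that the canary is a weekly, personalized, cryptographically signed message. The Go program below is an added example, not Dread’s code, of what a member’s verification of such a message has to check for the feature to deliver on its purpose: it assumes an Ed25519 key whose public half members pinned when the feature was announced, and a line-oriented header (issued, expires, proof) that is this example’s own layout; the canary text and timestamps are constructed.

```go
package main

import (
	"bufio"
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Canary is the statement an administrator publishes on a fixed schedule.
// Issued and Expires bound the window in which it may be accepted; Proof is
// a freshness token (a recent headline, for instance) that a replayed old
// canary could not have contained. The field names and the layout produced
// by Encode are this example's assumptions, not Dread's format.
type Canary struct {
	Issued  time.Time
	Expires time.Time
	Proof   string
	Text    string
}

// Encode renders the canary in a fixed line-oriented form so that signer and
// verifier agree byte for byte on what was signed.
func (c Canary) Encode() []byte {
	var b bytes.Buffer
	fmt.Fprintf(&b, "issued: %s\n", c.Issued.UTC().Format(time.RFC3339))
	fmt.Fprintf(&b, "expires: %s\n", c.Expires.UTC().Format(time.RFC3339))
	fmt.Fprintf(&b, "proof: %s\n\n", c.Proof)
	b.WriteString(c.Text)
	return b.Bytes()
}

// Sign produces a detached Ed25519 signature over the encoded canary.
func Sign(priv ed25519.PrivateKey, c Canary) []byte {
	return ed25519.Sign(priv, c.Encode())
}

var (
	ErrBadSignature = errors.New("canary: signature does not verify under the pinned key")
	ErrMalformed    = errors.New("canary: missing or unparsable issued/expires header")
	ErrNotYetValid  = errors.New("canary: issued in the future")
	ErrExpired      = errors.New("canary: validity window has passed; treat as a missed canary")
	ErrStale        = errors.New("canary: issued longer ago than the published cadence allows")
)

// Verify is what a member runs on each new canary: the signature must check
// under the key pinned at announcement time, and the signed validity window
// must contain now. maxAge additionally rejects a canary that is inside its
// window but older than the cadence the administrator promised.
func Verify(pinned ed25519.PublicKey, msg, sig []byte, now time.Time, maxAge time.Duration) error {
	if !ed25519.Verify(pinned, msg, sig) {
		return ErrBadSignature
	}
	hdr := parseHeader(msg)
	issued, err1 := time.Parse(time.RFC3339, hdr["issued"])
	expires, err2 := time.Parse(time.RFC3339, hdr["expires"])
	if err1 != nil || err2 != nil {
		return ErrMalformed
	}
	switch {
	case now.Before(issued):
		return ErrNotYetValid
	case now.After(expires):
		return ErrExpired
	case now.Sub(issued) > maxAge:
		return ErrStale
	}
	return nil
}

// parseHeader reads "key: value" lines up to the first blank line.
func parseHeader(msg []byte) map[string]string {
	hdr := map[string]string{}
	sc := bufio.NewScanner(bytes.NewReader(msg))
	for sc.Scan() {
		line := sc.Text()
		if line == "" {
			break
		}
		if kv := strings.SplitN(line, ": ", 2); len(kv) == 2 {
			hdr[kv[0]] = kv[1]
		}
	}
	return hdr
}

func main() {
	// Constructed key pair and canary; in practice members pin pub and the
	// private key never leaves the administrator.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	issued := time.Date(2019, time.October, 7, 0, 0, 0, 0, time.UTC)
	week := 7 * 24 * time.Hour
	c := Canary{
		Issued:  issued,
		Expires: issued.Add(week),
		Proof:   "constructed freshness token",
		Text:    "I remain in sole control of this forum and have received no legal demands.",
	}
	msg, sig := c.Encode(), Sign(priv, c)
	fmt.Println("two days later:", Verify(pub, msg, sig, issued.Add(2*24*time.Hour), week+24*time.Hour))
	fmt.Println("ten days later:", Verify(pub, msg, sig, issued.Add(10*24*time.Hour), week+24*time.Hour))
	tampered := append([]byte{}, msg...)
	tampered[len(tampered)-1] ^= 1
	fmt.Println("edited text:   ", Verify(pub, tampered, sig, issued.Add(2*24*time.Hour), week+24*time.Hour))
}
```

The validity window and freshness token sit inside the signed bytes on purpose: a signature alone proves only that the key holder wrote the text at some point, and someone who controls the site but not the key could simply re-post last month’s canary. The gap the scheme cannot close is the key itself; if the administrator and their key are seized together, a canary can still be signed, so members should treat a late or missing update, not just a bad one, as the alarm.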

 

Lastly, Verified introduced a free version of registration that allows users limited access to the forum’s escrow system. Many forums run escrow services, in which a third-party guarantor ensures that both buyer and seller receive what they expect from a transaction. Making use of this function provides added reassurance to sellers that they are dealing with a credible buyer rather than a scammer, researcher, or security service representative, all of whom would be reluctant to commit funds in this way. Verified offering their escrow system to users for free―rather than requiring a full Verified membership―extends the forum’s reach even beyond the bounds of the site.

 


Figure 16: Verified free registration announcement

 

We’ve also seen cases of forum users taking it upon themselves to bolster their security, rather than relying on directives from forum administrators. In recent months both English- and Russian-language forum users have started taking advantage of escrow services when transactions have barely even been initiated. Interested buyers usually contact vendors to request more details about their advertisement, such as screenshots of internal system access that prove that the offering is legitimate. But recently many vendors have begun insisting that buyers place money in a forum escrow service before they send any additional details.

The drive to pioneer new features and site improvements, to adapt to a changing security landscape, suggests that the threat actors running cybercriminal forums recognize the necessity to provide value for their users. Even long-established forums see the need to innovate; Exploit recently embarked on an entire site redesign. Forum members themselves take an active role in suggesting improvements or changing the way they use forums. With this continuous push for improvement, and a host of features and benefits simply not obtainable from other types of technologies, it’s highly unlikely that cybercriminal forums’ popularity will diminish in the coming years. Instead, the symbiotic relationship between alternative technologies and forums—in which the former can’t thrive without the latter—will flourish.

 

Thanks for reading our 3-part series on The Modern Cybercriminal Forum.


Account takeover: Expanding on impact

July 27, 2020 | 7 Min Read

Digital Shadows has collected over 15 billion...
Ransomware Trends in Q2: How Threat Intelligence Helps

Ransomware Trends in Q2: How Threat Intelligence Helps

July 22, 2020 | 8 Min Read

If you’re anything like me, it can be a...
The Rise of OpenBullet: A Deep Dive in the Attacker’s ATO toolkit

The Rise of OpenBullet: A Deep Dive in the Attacker’s ATO toolkit

July 20, 2020 | 9 Min Read

Account takeover (ATO) has become a serious...
Abracadabra! – CryptBB demystifying the illusion of the private forum

Abracadabra! – CryptBB demystifying the illusion of the private forum

July 15, 2020 | 8 Min Read

You wouldn’t usually associate cybercriminal...
SearchLight’s Credential Validation: Only Focus on What Matters

SearchLight’s Credential Validation: Only Focus on What Matters

July 14, 2020 | 4 Min Read

Of the many use cases associated with threat...
Tax Fraud in 2020: Down But Not Out

Tax Fraud in 2020: Down But Not Out

July 13, 2020 | 4 Min Read

After a three month extension, tomorrow marks...
From Exposure to Takeover: Part 1. Beg, borrow, and steal your way in

From Exposure to Takeover: Part 1. Beg, borrow, and steal your way in

July 7, 2020 | 9 Min Read

Account Takeover: Why criminals can’t...
Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

Digital Risk Reporting Best Practices: Top 10 Ways to Build Killer Reports in SearchLight

June 30, 2020 | 4 Min Read

We all have those days or that time of the...
Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

Multiple vs. Exclusive Sales on the Dark Web: What’s in a sale?

June 29, 2020 | 9 Min Read

When going out on a shopping spree, you would...
Introducing Nulledflix – Nulled forum’s own streaming service

Introducing Nulledflix – Nulled forum’s own streaming service

June 23, 2020 | 8 Min Read

Lockdowns implemented during the COVID-19...
Torigon Forum: A sad case of all show and no go

Torigon Forum: A sad case of all show and no go

June 23, 2020 | 11 Min Read

When we review the ideal template for a...
Ensuring order in the underground: Recruiting moderators on cybercriminal forums

Ensuring order in the underground: Recruiting moderators on cybercriminal forums

June 18, 2020 | 10 Min Read

While there have been many predictable...
Security Threat Intel Products and Services: Mapping SearchLight

Security Threat Intel Products and Services: Mapping SearchLight

June 10, 2020 | 6 Min Read

For those of you who have not yet seen, Gartner...
New DDoS protection tool advertised on the dark web

New DDoS protection tool advertised on the dark web

June 9, 2020 | 7 Min Read

This blog examines a newly launched DDoS...
3 Phishing Trends Organizations Should Watch Out For

3 Phishing Trends Organizations Should Watch Out For

May 20, 2020 | 16 Min Read

It’s only May, and is it just me, or has this...
The 2020 Verizon Data Breach Investigations Report: One CISO’s View

The 2020 Verizon Data Breach Investigations Report: One CISO’s View

May 19, 2020 | 6 Min Read

Sadly, Marvel’s Black Widow release date was...
A NEW DECADE OF CYBER THREATS: LOOKING BACK AT THE TRENDING CYBER TOPICS OF Q1 2020

A NEW DECADE OF CYBER THREATS: LOOKING BACK AT THE TRENDING CYBER TOPICS OF Q1 2020

May 14, 2020 | 10 Min Read

Q1 2020 was packed full of significant...
BitBazaar Market: Deception and Manipulation on the Dark Web

BitBazaar Market: Deception and Manipulation on the Dark Web

May 12, 2020 | 8 Min Read

It's a BitBazaar that they thought they...
Competitions on English-language cybercriminal forums: A stagnant competition model?

Competitions on English-language cybercriminal forums: A stagnant competition model?

May 5, 2020 | 9 Min Read

Russian-language cybercriminal forums aren’t...
Charitable Endeavors on Cybercriminal Forums

Charitable Endeavors on Cybercriminal Forums

April 28, 2020 | 12 Min Read

One heart-warming aspect of modern society is...
Nulled: The modern cybercriminal forum to go mobile….?

Nulled: The modern cybercriminal forum to go mobile….?

April 22, 2020 | 9 Min Read

What’s more threatening than the thought of a...
What ‘The Wire’ can teach us about cybersecurity

What ‘The Wire’ can teach us about cybersecurity

April 21, 2020 | 12 Min Read

In the current era of self-isolation, remote...
Zoom Security and Privacy Issues: Week in Review

Zoom Security and Privacy Issues: Week in Review

April 17, 2020 | 10 Min Read

In the last month, you’ve likely been hearing...
Recon: Dark web reconnaissance made to look easy

Recon: Dark web reconnaissance made to look easy

April 3, 2020 | 4 Min Read

Just as the rest of us enjoy the ease of...
Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?

Coronavirus as a double-edged sword for cybercriminals: Desperation or opportunity?

April 2, 2020 | 9 Min Read

The ongoing COVID-19 (aka coronavirus) pandemic...
COVID-19: Companies and Verticals At Risk For Cyber Attacks

COVID-19: Companies and Verticals At Risk For Cyber Attacks

March 26, 2020 | 8 Min Read

  In our recent blog, How cybercriminals...
COVID-19: Dark Web Reactions

COVID-19: Dark Web Reactions

March 19, 2020 | 5 Min Read

  Digital Shadows has been researching...
Apollon Dark Web Marketplace: Exit Scams and DDoS Campaigns

Apollon Dark Web Marketplace: Exit Scams and DDoS Campaigns

March 17, 2020 | 8 Min Read

  Imagine logging on to your favorite...
How One Cybercriminal Forum is Helping to Address Suicide Awareness

How One Cybercriminal Forum is Helping to Address Suicide Awareness

March 10, 2020 | 4 Min Read

  The world can be a stressful place...
Dark Web Search Engine Kilos: Tipping the Scales in Favor of Cybercrime

Dark Web Search Engine Kilos: Tipping the Scales in Favor of Cybercrime

March 5, 2020 | 7 Min Read

  With the recent indictment of Larry...
FBI IC3 2019: Cybercrime results in over $3.5 billion in reported losses

FBI IC3 2019: Cybercrime results in over $3.5 billion in reported losses

March 3, 2020 | 8 Min Read

  On February 11th, we were treated to an...
The Ecosystem of Phishing: From Minnows to Marlins

The Ecosystem of Phishing: From Minnows to Marlins

February 20, 2020 | 31 Min Read

YOU JUST WON $1,000. CLICK HERE TO CLAIM YOUR...
Cybercriminal Forums on Valentine’s Day – A nice night to “Netflix and steal”…

Cybercriminal Forums on Valentine’s Day – A nice night to “Netflix and steal”…

February 17, 2020 | 6 Min Read

  It's the night before Valentine's Day,...
Dark web travel agencies: Take a trip on the dark side

Dark web travel agencies: Take a trip on the dark side

February 4, 2020 | 11 Min Read

For at least the last two years, an ecosystem of...
How the Cybercriminal Underground Mirrors the Real World

How the Cybercriminal Underground Mirrors the Real World

January 21, 2020 | 7 Min Read

Mirror, Mirror, on the wall. Who’s the best...
Cryptonite: Ransomware’s answer to Superman…

Cryptonite: Ransomware’s answer to Superman…

January 14, 2020 | 4 Min Read

  Update: It appears that the Cryptonite...
The Closure of Market.ms: A Cybercriminal Marketplace Ahead of Its Time

The Closure of Market.ms: A Cybercriminal Marketplace Ahead of Its Time

December 18, 2019 | 9 Min Read

In the world of “what could have been,” the...
2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

2020 Cybersecurity Forecasts: 5 trends and predictions for the new year

December 18, 2019 | 10 Min Read

  If all the holiday fuss isn’t...
Forums are Forever – Part 2: Shaken, but not Stirred

Forums are Forever – Part 2: Shaken, but not Stirred

December 10, 2019 | 5 Min Read

  Cybercriminal forums continue to thrive...
Forums are Forever – Part 1: Cybercrime Never Dies

Forums are Forever – Part 1: Cybercrime Never Dies

December 4, 2019 | 10 Min Read

If one could predict the future back in the late...
Probiv: The missing pieces to a cybercriminal’s puzzle

Probiv: The missing pieces to a cybercriminal’s puzzle

November 26, 2019 | 10 Min Read

A husband wants to find out who owns the unknown...
Black Friday Deals on the Dark Web: A cybercriminal shopper’s paradise

Black Friday Deals on the Dark Web: A cybercriminal shopper’s paradise

November 21, 2019 | 10 Min Read

  Black Friday. You love it, you hate it,...
DarkMarket’s Feminist Flight Towards Equality and the Curious Case of Canaries

DarkMarket’s Feminist Flight Towards Equality and the Curious Case of Canaries

November 19, 2019 | 4 Min Read

  In late August, Dark Fail (a Tor onion...
VoIP security concerns: Here to stay, here to exploit

VoIP security concerns: Here to stay, here to exploit

November 14, 2019 | 4 Min Read

  VoIP, or Voice over Internet Protocol,...
Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

Understanding the Different Cybercriminal Platforms: AVCs, Marketplaces, and Forums

October 31, 2019 | 6 Min Read

  With the recent breach that targeted...
Cybercriminal credit card stores: Is Brian out of the club?

Cybercriminal credit card stores: Is Brian out of the club?

October 31, 2019 | 8 Min Read

  If you’re an avid follower of Digital...
Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

Honeypots: Tracking Attacks Against Misconfigured or Exposed Services

October 17, 2019 | 9 Min Read

Honeypots can be useful tools for gathering...
Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

Typosquatting and the 2020 U.S. Presidential election: Cyberspace as the new political battleground

October 16, 2019 | 15 Min Read

Typosquatting. It’s a phrase most of us know in...
Cybercriminal Forum Developments: Escrow Services

Cybercriminal Forum Developments: Escrow Services

October 15, 2019 | 5 Min Read

Financial transactions made on cybercriminal...
Dark Web Overdrive: The Criminal Marketplace Understood Through Cyberpunk Fiction

Dark Web Overdrive: The Criminal Marketplace Understood Through Cyberpunk Fiction

October 9, 2019 | 5 Min Read

In 1984, science fiction writer William Gibson...
Top Threat Intelligence Podcasts to Add to Your Playlist

Top Threat Intelligence Podcasts to Add to Your Playlist

October 3, 2019 | 4 Min Read

Looking for some new threat intelligence podcasts...
Domain Squatting: The Phisher-man’s Friend

Domain Squatting: The Phisher-man’s Friend

October 1, 2019 | 8 Min Read

In the past we have talked about the internal...
Singapore Cyber Threat Landscape report (H1 2019)

Singapore Cyber Threat Landscape report (H1 2019)

September 26, 2019 | 7 Min Read

Despite being the second smallest country in...
Nemty Ransomware: Slow and Steady Wins the Race?

Nemty Ransomware: Slow and Steady Wins the Race?

September 19, 2019 | 3 Min Read

As we outlined recently, ransomware is a key...
Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

Your Data at Risk: FBI Cyber Division Shares Top Emerging Cyber Threats to Your Enterprise

September 17, 2019 | 8 Min Read

Data breaches are not slowing down. Nobody...
Dark Web Monitoring: The Good, The Bad, and The Ugly

Dark Web Monitoring: The Good, The Bad, and The Ugly

September 11, 2019 | 20 Min Read

Dark Web Monitoring Overview Gaining access to...
Envoy on a Mission to Bring Stability to the Criminal Underground

Envoy on a Mission to Bring Stability to the Criminal Underground

September 4, 2019 | 3 Min Read

Recent Turbulence in the Underground From the...
Emotet Returns: How To Track Its Updates

Emotet Returns: How To Track Its Updates

August 26, 2019 | 5 Min Read

What is Emotet? Emotet started life as a banking...
The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

The Nouns of Black Hat: People, Places, and Things From Summer Camp 2019

August 19, 2019 | 6 Min Read

Black Hat and DEFCON are a wrap! Digital Shadows...
Fresh blow for dark web markets: Nightmare market in disarray

Fresh blow for dark web markets: Nightmare market in disarray

August 13, 2019 | 5 Min Read

Over the past three weeks, Digital Shadows has...
Capital One Breach: What we know and what you can do

Capital One Breach: What we know and what you can do

July 31, 2019 | 5 Min Read

Monday blues. It’s a thing. It’s when you...
The Account Takeover Kill Chain: A Five Step Analysis

The Account Takeover Kill Chain: A Five Step Analysis

July 30, 2019 | 17 Min Read

It’s no secret that credential exposure is a...
A Growing Enigma: New AVC on the Block

A Growing Enigma: New AVC on the Block

July 19, 2019 | 3 Min Read

This week, in a ground breaking announcement, the...
Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favor

Facebook’s Libra Cryptocurrency: Cybercriminals tipping the scales in their favor

June 27, 2019 | 8 Min Read

The announcements of Facebook’s new...
BlueKeep: Cutting through the hype to prepare your organization

BlueKeep: Cutting through the hype to prepare your organization

May 24, 2019 | 8 Min Read

Over the last week we have all been tuning into...
FBI IC3: Cybercrime Surges in 2018, Causing $2.7 Billion in Losses

FBI IC3: Cybercrime Surges in 2018, Causing $2.7 Billion in Losses

April 23, 2019 | 4 Min Read

This week, the Federal Bureau of Investigation...
Easing into the extortion game

Easing into the extortion game

April 3, 2019 | 4 Min Read

One of the main ideas which flowed through...
Predator: Modeling the attacker’s mindset

Predator: Modeling the attacker’s mindset

April 2, 2019 | 6 Min Read

Author: Richard Gold  The phrases...
Cyber Risks and High-frequency Trading: Conversation with an Insider

Cyber Risks and High-frequency Trading: Conversation with an Insider

March 26, 2019 | 4 Min Read

Research from the Carnegie Endowment for...
Dark Web Typosquatting: Scammers v. Tor

Dark Web Typosquatting: Scammers v. Tor

March 21, 2019 | 7 Min Read

Time and time again, we see how the cybercriminal...
Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

Purple Teaming with Vectr, Cobalt Strike, and MITRE ATT&CK™

March 6, 2019 | 7 Min Read

Authors: Simon Hall, Isidoros...
Extortion Exposed: Sextortion, thedarkoverlord, and SamSam

Extortion Exposed: Sextortion, thedarkoverlord, and SamSam

February 21, 2019 | 3 Min Read

In our most recent research, A Tale of Epic...
Photon Research Team Shines Light On Digital Risks

Photon Research Team Shines Light On Digital Risks

February 13, 2019 | 2 Min Read

I’m very excited to announce the launch of the...
SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

SANS DFIR Cyber Threat Intelligence Summit 2019 – Extracting More Value from Your CTI Program

February 5, 2019 | 7 Min Read

We were fortunate to attend the 2019 SANS DFIR...
Security Practitioner’s Guide to Email Spoofing and Risk Reduction

Security Practitioner’s Guide to Email Spoofing and Risk Reduction

January 24, 2019 | 13 Min Read

In our previous extended blog, Tackling Phishing:...
Powering Investigations with Nuix Software: The Case of thedarkoverlord and the 9/11 Files

Powering Investigations with Nuix Software: The Case of thedarkoverlord and the 9/11 Files

January 22, 2019 | 6 Min Read

The Panama Papers in 2016 highlighted the...
Thedarkoverlord runs out of Steem

Thedarkoverlord runs out of Steem

January 16, 2019 | 6 Min Read

On 31 December 2018, the notorious extortion...
TV License and Vehicle Tax Fraud: New Year, Same Old Scams

TV License and Vehicle Tax Fraud: New Year, Same Old Scams

January 8, 2019 | 4 Min Read

Over the last week we’ve been tracking several...
Cyber Threats to Watch in 2019: Key Takeaways from our webinar with the FBI Cyber Squad

Cyber Threats to Watch in 2019: Key Takeaways from our webinar with the FBI Cyber Squad

December 20, 2018 | 5 Min Read

As 2018 comes to a close, Digital Shadows...
Bomb Threat Emails: Extortion Gets Physical

Bomb Threat Emails: Extortion Gets Physical

December 14, 2018 | 4 Min Read

We’ve seen yet another change in tactics for...
Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

Tackling Phishing: The Most Popular Phishing Techniques and What You Can Do About It

December 12, 2018 | 8 Min Read

Overall, the infosec community has done a...
2019 Cyber Security Forecasts: Six Things on the Horizon

2019 Cyber Security Forecasts: Six Things on the Horizon

December 5, 2018 | 9 Min Read

The new year is upon us! 2018 brought us Spectre...
Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

Threat Actors Use of Cobalt Strike: Why Defense is Offense’s Child

November 29, 2018 | 5 Min Read

I’m a big fan of the Cobalt Strike threat...
Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

Mapping the ASD Essential 8 to the Mitre ATT&CK™ framework

November 27, 2018 | 3 Min Read

Australian Signals Directorate Essential 8 The...
Black Friday and Cybercrime: Retail’s Frankenstein Monster

Black Friday and Cybercrime: Retail’s Frankenstein Monster

November 20, 2018 | 5 Min Read

With every year that passes, Black Friday seems...
Sextortion 2.0: A New Lure

Sextortion 2.0: A New Lure

November 20, 2018 | 4 Min Read

Back in September we released a blog about the...
A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

A Look Back at the ENISA Cyber Threat Intelligence-EU Workshop 2018

November 13, 2018 | 5 Min Read

I recently attended the ENISA (European Union...
To Pay or Not to Pay: A Large Retailer Responds to DDoS Extortion

To Pay or Not to Pay: A Large Retailer Responds to DDoS Extortion

November 8, 2018 | 3 Min Read

Fans of The Sopranos or Goodfellas are...
81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

81,000 Hacked Facebook Accounts for Sale: 5 Things to Know

November 2, 2018 | 5 Min Read

This morning, the British Broadcasting...
The Dark Web: Marketers’ Trick or Threat Intelligence Treat?

The Dark Web: Marketers’ Trick or Threat Intelligence Treat?

October 31, 2018 | 5 Min Read

At this time of the year, you can’t go anywhere...
Bank Discovers Customer Credit Card Numbers Traded Online

Bank Discovers Customer Credit Card Numbers Traded Online

October 23, 2018 | 3 Min Read

Payment card fraud costs banks and merchants...
12.5 Million Email Archives Exposed: Lowering the Barriers for BEC

12.5 Million Email Archives Exposed: Lowering the Barriers for BEC

October 18, 2018 | 4 Min Read

Digital Shadows’ latest research report, Pst!...
33,000 Accounting Inbox Credentials Exposed Online: BEC Made Easy

33,000 Accounting Inbox Credentials Exposed Online: BEC Made Easy

October 9, 2018 | 4 Min Read

Last week, I wrote about how cybercriminals are...
Business Email Compromise: When You Don’t Need to Phish

Business Email Compromise: When You Don’t Need to Phish

October 4, 2018 | 4 Min Read

According to the FBI, Business Email Compromise...
Cybercriminal Marketplaces: Olympus Has Fallen

Cybercriminal Marketplaces: Olympus Has Fallen

September 28, 2018 | 5 Min Read

The Olympus cybercriminal marketplace has been...
Thedarkoverlord Out to KickAss and Cash Out Their Data

Thedarkoverlord Out to KickAss and Cash Out Their Data

September 27, 2018 | 5 Min Read

A user claiming to be the notorious darkoverlord...
The 2017 FSB indictment and Mitre ATT&CK™

The 2017 FSB indictment and Mitre ATT&CK™

September 20, 2018 | 11 Min Read

On  February 28th, 2017 the US Department of...
Airline Discovers Trove of Frequent Flyer Accounts Compromised and Posted for Sale Online

Airline Discovers Trove of Frequent Flyer Accounts Compromised and Posted for Sale Online

September 14, 2018 | 3 Min Read

Reward program fraud has been rising in recent...
MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

MITRE ATT&CK™ and the North Korean Regime-Backed Programmer

September 13, 2018 | 18 Min Read

On 6th September the US Department of Justice...
Sextortion – When Persistent Phishing Pays Off

Sextortion – When Persistent Phishing Pays Off

September 6, 2018 | 4 Min Read

You may have heard of a recent surge in...
Online Risks to Fortnite Users

Online Risks to Fortnite Users

September 4, 2018 | 5 Min Read

With an enticing array of viral dance moves,...
Online Cybercrime Courses: Back to School Season

Online Cybercrime Courses: Back to School Season

August 23, 2018 | 4 Min Read

It’s that time of year again. Summer is drawing...
Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

Mitre ATT&CK™ and the FIN7 Indictment: Lessons for Organizations

August 22, 2018 | 12 Min Read

On August 1, 2018, the US Department of Justice...
Five Threats to Financial Services: Part Five, Hacktivism

Five Threats to Financial Services: Part Five, Hacktivism

August 15, 2018 | 5 Min Read

OK, so it’s not a sexy as insider threats,...
Five Threats to Financial Services: Part Four, Payment Card Fraud

Five Threats to Financial Services: Part Four, Payment Card Fraud

August 14, 2018 | 6 Min Read

Payment card information is the lifeblood of the...
Digital Shadows Contributes to Insider Threat Research

Digital Shadows Contributes to Insider Threat Research

August 9, 2018 | 5 Min Read

On July 30, Forrester published its latest...
Five Threats to Financial Services: Phishing Campaigns

Five Threats to Financial Services: Phishing Campaigns

August 8, 2018 | 7 Min Read

In our last blog, we highlighted how banking...
FIN7: Arrests and Developments

FIN7: Arrests and Developments

August 2, 2018 | 6 Min Read

Three alleged members of FIN7 arrested On August...
Security Spotlight Series: Dr. Richard Gold

Security Spotlight Series: Dr. Richard Gold

July 31, 2018 | 4 Min Read

Organizations rely on Digital Shadows to be an...
Cyber Threats to ERP Applications: Threat Landscape

Cyber Threats to ERP Applications: Threat Landscape

July 24, 2018 | 4 Min Read

What are ERP Applications? Organizations rely on...
Five Threats to Financial Services: Banking Trojans

Five Threats to Financial Services: Banking Trojans

July 19, 2018 | 5 Min Read

A couple of weeks ago, we learned about a new...
Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

Mitre ATT&CK™ and the Mueller GRU Indictment: Lessons for Organizations

July 17, 2018 | 10 Min Read

A recent indictment revealed how the GRU...
Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings

Alleged Carbanak Files and Source Code Leaked: Digital Shadows’ Initial Findings

July 11, 2018 | 6 Min Read

Digital Shadows’ Russian-speaking security team...
Security Analyst Spotlight Series: Harrison Van Riper

Security Analyst Spotlight Series: Harrison Van Riper

July 10, 2018 | 6 Min Read

Organizations rely on our cyber intelligence...
How Cybercriminals are Using Messaging Platforms

How Cybercriminals are Using Messaging Platforms

June 21, 2018 | 4 Min Read

Alternative Ways Criminals Transact Online: A...
Five Threats to Financial Services: Part One, Insiders

Five Threats to Financial Services: Part One, Insiders

June 19, 2018 | 5 Min Read

The sensitive and financial data held by banks...
Security Analyst Spotlight Series: Rafael Amado

Security Analyst Spotlight Series: Rafael Amado

June 14, 2018 | 9 Min Read

Organizations rely on Digital Shadows to be an...
How Cybercriminals are using Blockchain DNS: From the Market to the .Bazar

How Cybercriminals are using Blockchain DNS: From the Market to the .Bazar

June 12, 2018 | 5 Min Read

Since the takedowns of AlphaBay and Hansa in...
Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play?

Threats to the 2018 Football World Cup: Traditional Rules or a New Style of Play?

June 7, 2018 | 7 Min Read

The tension and excitement that precedes all...
Market.ms: Heir to the AlphaBay and Hansa throne?

Market.ms: Heir to the AlphaBay and Hansa throne?

June 4, 2018 | 5 Min Read

It’s almost one year since the AlphaBay and...
Keys to the Kingdom: Exposed Security Assessments

Keys to the Kingdom: Exposed Security Assessments

April 24, 2018 | 4 Min Read

Organizations employ external consultants and...
Out In The Open: Corporate Secrets Exposed Through Misconfigured Services

Out In The Open: Corporate Secrets Exposed Through Misconfigured Services

April 18, 2018 | 4 Min Read

For organizations dealing with proprietary...
When There’s No Need to Hack: Exposed Personal Information

When There’s No Need to Hack: Exposed Personal Information

April 17, 2018 | 4 Min Read

With Equifax‘s breach of 145 million records...
Escalation in Cyberspace: Not as Deniable as We All Seem to Think?

Escalation in Cyberspace: Not as Deniable as We All Seem to Think?

April 12, 2018 | 5 Min Read

The recent assassination attempt on former...
Leveraging the 2018 Verizon Data Breach Investigations Report

Leveraging the 2018 Verizon Data Breach Investigations Report

April 10, 2018 | 5 Min Read

Today, the 11th edition of the Verizon Data...
When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services

When Sharing Is Not Caring: Over 1.5 Billion Files Exposed Through Misconfigured Services

April 5, 2018 | 4 Min Read

Our recent report “Too Much Information”,...
Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls

Genesis Botnet: The Market Claiming to Sell Bots That Bypass Fingerprinting Controls

April 3, 2018 | 4 Min Read

An emerging criminal market, Genesis store,...
The Five Families: The Most Wanted Ransomware Groups

The Five Families: The Most Wanted Ransomware Groups

March 27, 2018 | 5 Min Read

Last week we presented a webinar on “Emerging...
Pop-up Twitter Bots: The Shift to Opportunistic Targeting

Pop-up Twitter Bots: The Shift to Opportunistic Targeting

March 22, 2018 | 4 Min Read

Since the furor surrounding Russia’s alleged...
Cyber Security as Public Health

Cyber Security as Public Health

March 21, 2018 | 4 Min Read

Public health, one of the great 20th century...
Anonymous and the New Face of Hacktivism: What to Look Out For in 2018

Anonymous and the New Face of Hacktivism: What to Look Out For in 2018

March 13, 2018 | 6 Min Read

The Anonymous collective has been the face of...
It’s Accrual World: Tax Return Fraud in 2018

It’s Accrual World: Tax Return Fraud in 2018

March 7, 2018 | 5 Min Read

With just over a month until Tax Deadline Day,...
The New Frontier: Forecasting Cryptocurrency Fraud

The New Frontier: Forecasting Cryptocurrency Fraud

March 1, 2018 | 6 Min Read

Not a week goes by without a new case of...
Threats to the Upcoming Italian Elections

Threats to the Upcoming Italian Elections

February 22, 2018 | 7 Min Read

On 5 March Italian citizens will vanno alle urne...
Prioritize to Avoid Security Nihilism

Prioritize to Avoid Security Nihilism

February 20, 2018 | 3 Min Read

In many situations associated with cyber...
Infraud Forum Indictment and Arrests: What it Means

Infraud Forum Indictment and Arrests: What it Means

February 15, 2018 | 7 Min Read

On 07 February 2018, the U.S. Department of...
Cryptojacking: An Overview

Cryptojacking: An Overview

February 13, 2018 | 5 Min Read

What is Cryptojacking? Cryptojacking is the...
2017 Android malware in review: 4 key takeaways

2017 Android malware in review: 4 key takeaways

February 8, 2018 | 4 Min Read

Android mobile devices were an attractive target...
Phishing for Gold: Threats to the 2018 Winter Games

Phishing for Gold: Threats to the 2018 Winter Games

February 6, 2018 | 7 Min Read

Digital Shadows has been monitoring major...
Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings

Four Ways Criminals Are Exploiting Interest in Initial Coin Offerings

February 1, 2018 | 5 Min Read

Initial Coin Offerings (ICOs) are a way of...
Another Year Wiser: Key Dates to Look Out For In 2018

Another Year Wiser: Key Dates to Look Out For In 2018

January 10, 2018 | 4 Min Read

Early last year, we published a blog outlining...
Meltdown and Spectre: The Story So Far
