Like any business, cybercriminals offering criminal services need to develop and maintain a brand and reputation in order to attract customers. However, unlike a legitimate business, a cyber criminal enterprise must operate clandestinely and maintain their operational security (OPSEC) in order to avoid attracting the attention of law enforcement. Therein lies a fundamental conflict faced by all cyber criminal enterprises that rely on sales in order to profit.
Making a name for yourself
Some actors put significant effort into developing an identifiable brand and advertising their services. A recent example is the Cerber ransomware variant, which has its own logo (a three headed dog, alluding to the mythical beast Cerberus) and is being actively advertised as for sale on Russian language criminal forums. A review of this malware was even added to a now defunct Russian language hacking site in order to boost awareness.
Figure 1 Screenshot of Cerber’s ransom message in browser. Source: IB Times.
However, making a name for yourself can backfire. In August 2015 six alleged members of Lizard Squad, a group which sells a DoS-as-a-service stresser tool and conducts high profile DoS attacks in order to advertise this service, were arrested in connection to DoS attacks on the PlayStation network and Xbox Live in December 2014. The law enforcement attention this relatively low capability group attracted was a direct result of their established reputation and penchant for high profile attacks.
Security through obscurity
Other actors however have taken a more subtle approach. The Angler exploit kit (EK) was the most prominent EK on the market prior to its disappearance in June 2016, but very little is known about how and where it is sold, who developed it or who uses it. Angler does not even have its own distinctive name – it is referred to by its owners as “XXX”, making it next to impossible to search for.
Figure 2 Screenshot of Angler EK control panel. Source: malware.dontneedcoffee.com.
There are some indications that Angler was created by an individual or group using the name JP Morgan (note the JPMC logo on the control panel), which has also made gathering intelligence on this actor through open sources very challenging. Reporting from InfoArmor suggests that Angler is sold through closed channels, with potential buyers being vetted and all communications taking place over anonymous, encrypted instant messaging services. Despite the obscurity of and the reported complexity of gaining access, prior to its disappearance Angler was one of the most widely used and sophisticated EKs available and almost certainly proved hugely profitable for its developers.
Finding the balance
The world of cyber crime is a Darwinian one and the need to maintain good OPSEC while developing a brand is a lesson that has not yet been learned by many actors. However, Angler provides an excellent example of how this can be achieved and the danger is that other actors will learn from it, improve their operational practices and come to pose a greater investigative challenge for law enforcement and researchers.