An investigation into dark web marketplace
Cyfirma, a threat discovery and cyber intelligence startup, has brought out a report on the dark web marketplace, focusing on the changes in cyber criminals’ approach and attitude in the times of the Covid-19 crisis. Kumar Ritesh, Founder & CEO, Cyfirma, believes that the attacks will become more frequent and sophisticated as the pandemic continues.
What are the key findings of your report on the dark web regarding the Covid-19 crisis?
Cyfirma researchers observed that hackers are cognizant of the dangers of putting millions of lives at risk, as families of those who have been infected by Covid-19 would likely be desperately seeking a medical remedy. Any news of vaccine availability could also send masses of people into a state of frenzy and cause major turmoil across many societies.
While hackers and scammers have been leveraging the pandemic to push out malware and phishing emails as part of their cyber-attack campaigns to steal data from businesses and consumers, or to cause social unrest amongst various communities, there has been an understanding amongst hacker groups to not ‘cross the line of humanity’ by selling fictitious vaccines.
A marketplace in the dark web called Monopoly has restricted the sale of fake vaccines for Covid-19 on their platform, even though they sell all sorts of illicit stuff. The ‘founder’ of the marketplace wrote a post: ‘Any vendor caught flogging goods as a cure to Coronavirus will not only be permanently removed from this market but should be avoided like the Spanish Flu’. The forum post also stated the gravity of the pandemic and asked sellers not to use the crisis as a marketing tool.
However, there is a group of hackers who have ignored this warning and are choosing to sell fake vaccines, making anywhere from US$ 99 to US$ 25,000. According to a Cyfirma report, the hackers are from North Korea and have got interest from Italy, Spain, France and the US. Payment is being made via bitcoin; a few bitcoin accounts have collected to the tune of US$ 400K in just the last six days.
The obvious fallout of this malicious act is loss of money by the users, but in order to get the vaccine, they have also shared their personally identifiable information, including health and social security details. Theft of personal information will also fetch additional financial gains for the hackers. Cyfirma predicts that personal information provided to buy fake vaccines could be used for the next wave of cyber attacks.
How are cyber criminals taking advantage of the ongoing global pandemic?
Covid-19, now a global pandemic, has enforced social distancing. Many employees are now working remotely in distributed operations. This increase in remote work arrangements, both temporary and permanent, is creating significant growth in network access and traffic, which provides more opportunities for threat actors to strike. Cyber criminals quickly recognised the opportunities the pandemic provided them. As the volume of emails from employers, governments and health agencies related to the outbreak increased, so did the number of phishing emails concerning Covid-19. Numerous scams, phishing campaigns, and malicious websites are proliferating. Covid-19’s impact is quickly shifting how businesses operate.
Cyber criminals are sending emails that resemble legitimate coronavirus-related notices in phishing attacks targeting anxious individuals expecting such communications. The attacks aim to get readers to click through on false links that promise coronavirus guidance. Covid-19-themed phishing campaigns use Word and PDF documents with names like ‘coronavirus response’, ‘coronavirus practices’ and ‘coronavirus safety’. Attackers are also using images and names of entities like the UN, WHO, CDC, FDA, and commercial companies in targeted fraud and phishing campaigns.
As a result of these activities, what are the security threats that have emerged, for organisations as well as individuals?
We also noticed coronavirus-themed emails designed to look like emails from the organisations’ leadership team and sent to all employees. Embedded with malware that would infect corporate networks, these phishing attacks deploy social engineering tactics to steal data and assets.
Other than unleashing cyberattacks to steal data, we also witnessed the planning of fake websites to sell face masks and other health apparatus using bitcoin in China, Japan, and the US.
To aggravate matters, hackers were also strategising to spread fake news to create further confusion. By investigating the dark web marketplace, Cyfirma uncovered illicit groups selling organic medicine claiming to cure and eradicate the Covid-19 virus (this is separate from fake vaccines). These discussions in the hackers’ communities were carried out in Mandarin, Japanese and English.
A new malware called ‘CoronaVP’ was being discussed by a Russian hacking community; this could lead to a new ransomware or EMOTET strain, designed to steal personal information.
Hackers leveraging the Covid-19 pandemic are motivated by a combination of personal financial gain as well as political espionage to cause social upheavals. Threat actors in the world of cyber crime are well-equipped with tools, technology, expertise and financing to further both commercial and political agendas. In our hyper-connected digital world, cyber crime is a lucrative business, and we should expect attacks to be more frequent and more sophisticated as the pandemic continues to cast a shadow over the global economy.
What we have witnessed in the field of cyber intelligence has taught us the importance of staying vigilant, and frequently, the most dangerous forces at work are those we cannot see. The importance of relevant and timely threat intelligence cannot be over-emphasised as early detection of cyber threats could save organisations from hefty financial penalties and irreversible brand damage.
Which sectors/businesses face the maximum risk of cyber attacks, particularly in India?
As observed by Cyfirma researchers, nation-state activities involving Pakistani or Arabic groups, North Korean and Chinese groups have taken interest in the Indian government and businesses.
Government agencies, large telecommunications, retail, transportation, healthcare, manufacturing, B2C and supply chain companies are on the radar of hacker groups.
While all businesses are at risk of cyberattacks, SMEs tend to be most vulnerable as they typically have fewer measures in place to protect their systems and data.
As a cyber intelligence company, what have been your efforts to mitigate risks for your client organisations, in the current scenario?
As a cyber intelligence company, we are focused on bringing early warnings to our clients. Our key focus is always to ensure we detect these threats before the hacker gets the opportunity to mount an attack. We decode threats, help our clients make sense of them (who is the hacker, why is he interested, what does he want, when is he launching an attack, and how does he intend to do it), and provide remediation recommendations so clients can take swift actions to close security gaps.