Dark web key enabler for cyber criminals, say McAfee researchers

The dark web is a key conduit for the malware industry to refine and distribute its products and services, say security researchers

The dark web is a key enabler for the malware industry and has been linked to high-profile point-of-sale (POS) attacks and data breaches at US retailer Target in late 2013, say security researchers.

Cyber criminals are increasingly using hidden areas of the internet to test, refine and distribute malware, according to the latest quarterly threat report by researchers at Intel-owned security firm McAfee.

These criminal areas of the internet are also used for fraud, people-trafficking and the distribution of illicit goods such as firearms and images of child abuse.

The report highlights the growing ease of purchasing POS malware online, and selling stolen credit card numbers and other personal consumer data online.

Digitally signed malware

McAfee Labs also saw the number of digitally signed malware samples triple in 2013 to more than eight million, driven largely by the abuse of automated Content Distribution Networks (CDNs).

These CDNs wrap malicious binaries in digitally signed, otherwise legitimate installers with the aim of bypassing whitelisting and sandboxing security controls.

Although the total number of signed malware samples includes stolen, purchased, or abused digital certificates, most of the growth comes from CDNs.

These are websites and companies that allow developers to upload their programs, or a URL that links to an external application, and wrap it in a signed installer.

The practice of code signing software is aimed at validating the identity of the developer who produced the code and ensuring the code has not been tampered with since the issue of its digital certificate.

But McAfee Labs believes this accelerating trend could pose a significant threat to the long-established certificate authority (CA) model for authenticating “safe” software.

Off-the-shelf malware

Detailed research into high-profile card data breaches in the fourth quarter of 2013 found that the POS malware used in the attacks on Target relied on relatively unsophisticated technologies.

Researchers said the malware was “likely purchased ‘off-the-shelf’ from the cybercrime-as-a-service community, and customised specifically for these attacks”.

McAfee Labs’ ongoing research into underground dark web markets identified the attempted sale of credit card numbers and personal data stolen in the attack on Target.

The researchers found the cyber criminals offering for sale some of the 40 million credit card numbers reported stolen.

“The fourth quarter of 2013 will be remembered as the period when cyber crime became ‘real’ for more people than ever before,” said Vincent Weafer, senior vice-president for McAfee Labs.

“These cyber thefts occurred at a time when most people were focused on their holiday shopping and when the industry wanted people to feel secure and confident in their purchases.

“The impact of these attacks will be felt both at the kitchen table as well as the boardroom table. For security practitioners, the ‘off-the-shelf’ genesis of some of these crime campaigns, the scale of operations and the ease of digitally monetising stolen customer data represent a coming-of-age for both cybercrime-as-a-service and the ‘dark web’ overall,” he said.

McAfee's report also noted a surge in mobile malware as more people use smartphones. It collected 2.47 million new mobile malware samples in 2013, with 744,000 samples collected in the fourth quarter alone.

McAfee said its collection of unique Android samples had grown by 197% since the end of 2012.