Photographee.eu - Fotolia

RSAC16: Cyber criminals are hiding in plain sight, says RSA report

Cyber criminals are using social media as a communication and sales channel, not just for reconnaissance and phishing, an RSA study has revealed

Cyber criminals are hiding in plain sight on social media, a report has revealed.

While cyber fraudsters have used social media for years to target users with phishing attacks, to distribute malware and collect personal data, researchers at RSA – EMC’s security division – have discovered the growing use of social media as a communication and sales channel for criminals.

RSA FraudAction Intelligence team investigators hunting a particular cyber fraudster found a Facebook profile connected to their target, which led to the discovery of more than 500 fraud-dedicated social media groups around the world, with over 220,000 members.

The RSA team is a full-time research and analysis group that continuously monitors the dark web, the fraud underground and the open web for cyber crime activity to identify the criminals behind that activity.

Daniel Cohen, head of RSA FraudAction, told Computer Weekly: “In addition to taking down an onslaught of phishing attacks against a US bank’s customers, we were looking for more information about a specific attacker, and in the process of correlating various bits of information, we came across the attacker’s personal Facebook profile, which led to specific research into the use of social media by cyber criminals broadly and cyber fraudsters specifically.

“We were surprised by the extent to which social media is used as a sales and communication tool, and we were surprised to see cyber criminals offering things like botnets for hire, which is typically something that is usually found only on the dark web.”

The study’s goal was to research the structure, format and entry requirements for joining global cyber crime groups across the most popular social media platforms.

More than 60% of the 220,000 social media profiles linked to criminal activity were found on Facebook alone, despite Facebook’s terms and conditions strongly prohibiting this activity.  

Facebook clamping down

“In response to our investigation, Facebook is taking steps to clamp down on this abuse of the social networking service by removing the information and responsible parties, and we are streamlining our communications with Facebook so we can share the information as quickly as possible,” said Cohen, adding that RSA has also notified and provided the report to the appropriate law enforcement agencies.

While Facebook and Russian and Chinese-language sites are the most popular social media platforms with cyber criminals, and WhatsApp is the newest fraud communication channel gaining popularity, the researchers found that despite its worldwide popularity and proliferation, Twitter is not commonly used as a fraud communication channel.

The researchers found that cyber criminals share information that includes compromised financial information such as credit card numbers with personal and authorisation codes, cyber crime tutorials, and commercial offerings such as malware and malware tools.

During the six-month study, the researchers found details of more than 15,000 compromised credit cards available as free samples to lure buyers to their criminal services in social media postings in fraud-dedicated groups that are visible and open to all. 

Open and visible use

However, Cohen said the most open and visible use of social media by cyber criminals is in Brazil, West Africa and China, but not in the US and Western Europe because law enforcement is more active in those regions.

The report notes that in recent years, international co-operation among law enforcement agencies in the US and Europe has yielded many high-profile and much-publicised cyber crime gang takedowns and arrests.

“The research presented in this report might cause those who have questioned the value of intelligence sharing and the impact of cyber criminal prosecution to reconsider,” the report said. “The overall lack of fraud groups on Facebook in these regions is a clear indication that fraudsters are on the alert and intelligence sharing and prosecution is working.”

While cyber criminals in the US and Western Europe prefer the dark web to communicate, Cohen said that in West Africa, the researchers even saw cyber criminals using their personal profiles to communicate, mixing compromised credit card details with pictures of their friends and family.

Commercial tool

The researchers believe the use of social media as a commercial tool has been growing since 2011, but it has remained hidden until now because social media is designed to create communities by offering a user suggestions based on their preferences, interests and connections.

These suggestions are seen only by the individual user, and by no one else. As a result, each user can see only their own personal circle or extended network, but is completely blind to the networks of others they are not connected with, or to content they are not interested in.

This discovery is proving useful to law enforcement, because just as cyber criminals use social media to collect details on potential victims, criminal investigators can tap into social media to collect details on criminals.

“We have seen criminal groups use WhatsApp to set up carding groups, but to do that, they have to ask potential members to post their phone numbers so they can be added to the WhatsApp group,” said Cohen.

“Investigators can then use these phone numbers when trying to piece together bits of information, which also include email and social media aliases, to profile cyber criminals.

“All this information is provided on behalf of customers to law enforcement, and then the onus is on law enforcement officers to turn the information into evidence,” he said.

Read more about cyber fraud

Cohen said that although it would be impossible to go after every cyber criminal mentioned in social media, law enforcement officers are typically using the information to target the ringleaders and those who are providing the malware and the criminal infrastructure.

“Despite the widespread availability of credit card information, these criminals are still making a lot of money from carding, which accounted for 53% of the criminal activity we saw on social media, compared with account takeover (16%), wire transfer (9%) and malware (8%),” said Cohen.

He said it has become “painfully simple” to hack into small networks of point of sale (PoS) and using PoS malware to collect credit card data.

“We have calculated that by selling the details of just 80 compromised credit cards, cyber criminals can recoup the cost of the malware,” he added.

Compromised credit cards

In February 2016 alone, RSA FraudAction was able to recover about 500,000 compromised credit cards by scraping the information from criminal stores before the data was sold, to give the issuing banks an early warning, said Cohen.

“As long as the card details are in the stores, it means they have not been used for fraud yet, and we are seeing 300,000 to 600,000 compromised cards added to these stores every month,” he said.

According to Cohen, defenders against fraud and other cyber criminal activity need to know that social media is yet another channel in which criminals are sharing information and so yet another channel that needs to be monitored as a source of intelligence that can be used.

“We found specific information on carding methods, on where and how to do things without getting caught, which is great intelligence for those looking for ways of preventing attacks from happening,” he said.

To follow up this initial report, RSA FraudAction is working on reports that focus specifically on Russian and Chinese-language social media sites.

Read more on Hackers and cybercrime prevention