ISMG Editors: Impact of Fragmented Russian Darknet Market
Also: Fraud Trends to Watch in 2023; Is China the New Dominant Power in Cyber?
Anna Delaney (annamadeline) • January 13, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including how online markets selling illegal substances are moving to Android apps to evade authorities; how check fraud, first-party fraud and AI-related fraud will increase in 2023; and how Chinese state-sponsored actors may benefit from Russia's war in Ukraine.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor, DataBreachToday and Europe; Suparna Goswami, associate editor, ISMG Asia; and Tony Morbin, executive news editor, EU - discuss:
- How, at a time when the wider Russian-language darknet market scene remains fragmented, online drug markets are switching to custom Android apps for greater privacy;
- Highlights from an interview with Frank McKenna of Point Predictive, who explains how check fraud, first-party fraud and AI-related fraud will increase in 2023, thanks in large part to growing insider threats and the global economic slowdown;
- How Russia's war in Ukraine is changing the balance of power in cyberspace and who is likely to be the main beneficiary.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Dec. 30 edition, which looks back on 2022, and the Jan. 6 edition, which discusses the complexity of the Rackspace zero-day attack.
Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna Delaney, and this is a weekly discussion among members of the editorial team, where we reflect and analyze the week's top cybersecurity stories. The fantastic colleagues joining me this week include Mathew Schwartz, executive editor of DataBreachToday and Europe; Suparna Goswami, associate editor at ISMG Asia; and Tony Morbin, executive news editor of the EU. Wonderful to see you all.
Mathew Schwartz: It's great to be here. Thanks for having us.
Delaney: Matt, last year, the DOJ announced that the world's biggest darknet marketplace, the Russia-linked Hydra market was seized and shut down. And we know that criminals will always find other ways to operate. So what's the latest when it comes to darknet markets and criminal innovation since Hydra was shut down?
Schwartz: Right. So as you know, Hydra was shut down last April; that was a German law enforcement-led but international police operation. And that followed the closure of DarkMarket in January 2022. So not a great year for darknet market operations. Occasionally, you'll see the administrators get arrested. Occasionally, you'll see police get their hands on lists of buyers, sellers. Here in the U.K., they'll sometimes knock on doors and say, "look, we know you've been using narco forums to procure your recreational drugs, cut it out, the next time we're going to arrest you," that sort of thing. But we keep seeing darknet markets persist. Why is that? Supply and demand. There is demand for such things as illicit narcotics, or recreational chemicals, as they're often referred to on these darknet markets. There's also a market for stolen data, malware, fraudster tools, even such things as fake IDs, firearms. Just as the world has embraced online shopping, so do criminals continue to rely on these sorts of markets to connect buyers and sellers. And we see many different flavors. We see constant takedowns, and despite the takedowns and the threats, we see buyers and sellers coming back for more. So what's been happening lately? One of the interesting innovations that is being tracked by multiple threat intelligence and security firms has been the use of Android apps. So as I said, you have a lot of different kinds of forums. Some of them are more exclusively focused on drugs, some do everything, and some avoid drugs, because they think that makes them more of a target for law enforcement. But there are a number of drug-focused marketplaces in Russia that don't seem to have huge issues when it comes to law enforcement. And a handful of them now are providing Android apps to their users. So sellers can use it to list goods. They can also use it to keep track of the couriers they use to distribute goods.
So one of the fascinating things about Russia is they don't attempt to use couriers in the sense of delivery services, or postal services. It turns out, they will typically use real-life couriers. They'll hand it off to a drug mule or drug trafficker, and they will do fulfillment by, for example, burying the package in a park and then sending the coordinates to the buyer and saying, "okay, it's one meter below the surface, or it's packaged in a magnetic enclosure, and you're going to have to get close enough before it'll ping back," I suppose, I don't know. But these dead drop sorts of things. And so there's this fascinating innovation that's going on with attempting to get buyers their goods in a way that doesn't imperil sellers, or the people that are handling the goods, because drugs (lucrative) put you at risk if you're attempting to move them, of course. So there's this whole ecosystem that's sprung up. And back in the day, we would see darknet markets handling this. I think of them like illicit eBay with a set price or illicit Amazon marketplaces. When those get taken down, you'll often see people fall back on using encrypted chats, for example, but that has the difficulty of not being one-to-many, like an eBay-type model is. And so you have to still somehow get buyers and sellers to connect. So when you have this market now, which is pushing these Android apps or allowing people to use Android apps, you add this extra layer that in theory improves their operational security, assuming the provider of the app can be trusted, of course. But it's just this latest innovation we've seen as darknet market operators are attempting to handle this very lucrative trade and also keep themselves from getting disrupted. In theory, I think there might be some kill switch they could flip if their infrastructure did get infiltrated by law enforcement. But it adds another layer, it makes them very difficult to stop.
I don't know if we're going to see this outside the drug-focused marketplaces in Russia. These are all Russian-language operations so far. But certainly if it works, I predict that we will see it move into other arenas. And I guess we'll have to see how law enforcement responds.
Delaney: I get it. And so when it comes to the wider Russian-language darknet market scene, what are the trends, the movements you're tracking?
Schwartz: There are so many interesting trends. We've seen an attempt to sanction the darknet markets, sanctions by the U.S. government, and this isn't because of the drugs necessarily, but I think more because they're often offering money laundering. And this is used by ransomware groups. It's used by drug traffickers, other criminal enterprises. And so the U.S. has been attempting to sanction a lot of the sites that provide these services. According to some preliminary results from blockchain intelligence firm Chainalysis, the sanctions do appear to be working, at least temporarily. If there is a maxim with the underground, it's that they find ways of responding, because again, supply-demand, criminal profits to be made, they're always looking for innovative new approaches. So that's something else that I've been tracking with darknet markets. But it's just fascinating to me that when one gets disrupted, you see established players moving in to try to get that business, you see new services get launched to try to get that business. So even with the threat of losing all your money - if you are a buyer - or possibly getting incarcerated - if you're a seller or an admin - people keep running darknet markets.
Delaney: And so in 2023, do you think we're going to see more use of Android apps?
Schwartz: I think we will, because it looks like it's working. Again, I didn't mention that a lot of the Russian-language markets that are offering this, they all are using something called M-Club. So it seems like they're all using the same engine or toolset for creating Android apps. Single point of failure, I think would be a concern here, but maybe there's some sort of assurances that are being provided, code-level review types of stuff, but I would think we would see this become more widespread.
Delaney: Let's see how the year goes. That's excellent insight. Thank you, Matt. Suparna, you've been discussing fraud trends for 2023 with Frank McKenna, chief fraud strategist at Point Predictive. It's an excellent interview. What are we likely to see in the year ahead, then?
Suparna Goswami: Sure, in fact, it's a good interview that we had. So what we did was we wrapped up on the fraud trends of 2022 and what were the highlights and the fraud types he expects to dominate in 2023. So in 2022, surprise, surprise, which always surprises me - check fraud. It emerged as the fastest growing fraud, and fraudsters, probably you're in my bacon and easy money, they returned to stealing checks out of the mailboxes. And they are changing the payees and the dollar amounts and selling them on the dark market, or using mules to deposit those checks into the bank account. So that was one fraud. That really surprised me because I thought the usage of checks has decreased. But it has clearly been the fastest growing fraud. And then there were the scams and Zelle fraud, which I followed very closely and it took center stage in 2022. And I have written an elaborate piece, which should be out later this week. And how can we forget the crypto fraud - the boom days of 2021 ended, and 2020 was a rude awakening back to reality, with NFTs and the crypto market bubbles all bursting one after the other, and it led to all fraud. So these were the highlights of 2022. So coming back to the year 2023, and what is expected? And surprisingly, check fraud will continue to see a rise. Now banks continue to use those aging technologies, which date back to, I guess, the 1990s. And they are not equipped to stop the fraud. And the U.S. Postal Service is not ready to protect the mail carriers. So check fraud is expected to hit - I've been speaking to bankers - $24 billion. And will probably force banks to invest in technologies which can detect fraudulent checks. A few of the banks may even eliminate checks altogether. That's also one of the predictions. And other banks might just make an effort to push customers, probably to platforms like Zelle. And so that might be one of the three ways banks can tackle this.
But yes, investment in technology as far as detecting fraudulent checks is concerned is going to rise, and we are going to see more vendors coming into the space. The other trend that we expect in 2023 is driven by the decision which some banks in the U.S. took in December last year to reimburse customers for specific kinds of authorized payment caps. But this will create a growing pain for fraud departments and analysts tasked with making the hard decision to know which is the first-party fraud, because you can't know whether the person carrying out the transaction is intentionally doing it or unintentionally because some third party has pushed them to do it. So first-party fraud and claims from fake accounts will likely flourish with Zelle payments. And scam reimbursement will considerably change the way banks look at the recovery process - the entire process - they will probably have to invest a lot more than that.
Delaney: And, Suparna, what's of interest to you in terms of your own reporting that you'll be observing closely in the coming year?
Goswami: So I'm definitely planning on a story around check fraud. Probably go on Telegram and then you will probably see that there are fake checks, people are selling on darknets, there are checks, which have amounts, which you can probably tell the name. And there are thousands and thousands of players who are probably doing that. So check fraud is something that I will follow, though it's tough to get the comments from the banks. But yes, off the record, they have said that there is a big problem that they're facing with that. And the other thing that I'll closely follow is caps. I'm interested to know that if banks ultimately reimburse customers, will that lead to a reduction in this kind of fraud. Because I don't see that happening. Customers will be less careful when they know they have the surety that yes, I will probably be reimbursed or banks will reimburse when it comes to pay or authorize push payment fraud. So I predict, and I think people will agree, that first-party fraud will see a big rise. And yes, banks will have to invest in proactive detection software to prevent scams.
Delaney: Excellent analysis. Thank you, Suparna. Okay, Tony, when it comes to nation-state adversaries, all eyes definitely were on Russia for a lot of last year. So the big question is, what is China up to?
Tony Morbin: I'm about to sort of give my perspective. Looking forward, nobody knows. So I'll absolve ISMG from any of my conclusions here. But Russia's disastrous invasion of Ukraine has diminished Russia economically and diplomatically. And when the war's over, Russia is likely to be a weakened former world power. Despite its no-limits partnership with China, it's not in China's interest to get involved in the conflict, and Russia will likely become simply a dependent vassal state of a resurgent China after the war, suggested one commentator, Alexander Gabuev. So how does this affect the cybersecurity industry? The new relationship will effectively put the talents and expertise of Russia's criminal and state hacking community at the disposal of China, enhancing its already formidable offensive cybersecurity capability. Now, most states currently engage in some form of cyber spying to the extent to which their native talents or financial resources allow them to direct as extensions of their government's political and economic ambitions. Previously, we've seen Russia reported to have worked in collusion with cybercriminals, particularly ransomware gangs, to enrich criminals. While its state cyber spies have infiltrated networks of their adversaries, both government and private sector, with the assumed objectives of intelligence, disinformation, and potential espionage during conflict. Most notably, the SolarWinds backdoor demonstrated the capability of its offensive cyber warriors. And of course, this activity has extended during the Ukraine war to actual espionage, with the deployment of wipers, including attacks on all sectors of government and critical infrastructure, but particularly energy, and extending to satellite communications or down to DDoS attacks. Now, these capabilities are still going to exist after the war, but their use, to some extent, is likely to become subservient to the interests of China, on whom Russia will increasingly depend.
Now, China has also pursued its authoritarian political aims online. Its primary focus, however, has appeared to be the theft of IP, described by one commentator as the biggest transfer of wealth in history. And for China, it's been incredibly successful. It's contributed to bringing the vast majority of the world's most populous country out of poverty in one lifetime. Also, in contrast with Russia, whose main engagement with Western trading blocs was energy, China is actively engaged as a major player in the world's trading and manufacturing industries. Its products are employed globally, which in the age of connected devices, IoT, industrial internet of things, has provided it with an opportunity to directly deliver backdoored products, whether or not you believe it's done so. Now these concerns have led to the banning of 5G products from Huawei and ZTE by the U.S., the U.K. and many others. It's also contributed to a push for a ban on technology and personnel to work on semiconductor technology. That's to say U.S. and Western technology in China, and now deferred those proposals for moratorium on components manufactured by the top semiconductor company, SMIC, as well as other companies' memory producers YMTC and CXMT. And then earlier this month, the U.S. Pentagon hosted a meeting of the Five Eyes partners, the U.S., Australia, Canada, New Zealand and the U.K., for cybersecurity talks. And during the discussions the group adopted zero trust as their new paradigm, with the assumption that networks are already compromised, and as a result require continuous validation of users and devices. The moves against China fit in with this zero trust approach. For some this represents a new age of paranoia. And certainly China has loudly opposed each step, from the banning of its 5G offerings to limits on semiconductor technology, and any suggestion that it might supply backdoored products has been loudly decried.
But another story this month demonstrates that the paranoia isn't without some foundation. In the U.K., it was reported this month that intelligence officials stripped back government and diplomatic vehicles and found at least one SIM card capable of transmitting location data. It was described as a Chinese tracking device, which had been placed into a vehicle inside a sealed part imported from a supplier in China and installed by the vehicle manufacturer. The report by i news added that other rather disturbing things had been found during the extensive search, during which the cars were dismantled surgically down to the last nut and bolt. So going forward, we may see the OT capabilities and manufacturing opportunities afforded to China, combined with the IT skills and experience of Russia, create an even more formidable adversary opposed to democracy. So zero trust will certainly become the order of the day for some time to come.
Delaney: That's a rich perspective, Tony. I just want to ask Matt, because you've been following the war closely. What have you been hearing in terms of how Russia's war has perhaps changed the balance of power between nation-states, and anything you just wanted to pick up on there?
Schwartz: I want to pick up first on the zero trust for automobiles. I think that's a fascinating way to illustrate the challenge of knowing not just where the device has come from, but the components that make up the device, the supply chain that supplies the components that make up the device. There's a lot of room in there, as Tony noted, for mischief. And certainly we've seen attempts to probe those sorts of capabilities in the past by the likes of China. In terms of the Ukraine question, it's complicated, but we've seen so many interesting things happening on that front. We've seen a lot of laudable and effective efforts by Ukraine, in partnership, an overused word, but I think good here, in partnership with the West, and especially private businesses, such as Microsoft and others, that have been helping it keep its systems running, Starlink, helping keep it connected. It's all been fascinating. It's been changing in so many ways. I think, from a cybersecurity standpoint, wipers, DDoS attacks, hack attacks, all that sort of thing continues to disrupt or attempt to disrupt Ukrainian operations. And yet they've managed to keep their defenses up and running. Kinetic attacks, I think, are still far more of a concern. Cybersecurity is used to sometimes supplement those efforts. But it's not the primary effort. So we're coming up on the anniversary of the war. Doesn't look like it's going to be over. But I'll be rounding up some lessons learned definitely as we come up to that February 24th anniversary.
Morbin: But interesting, though, that you combined the supply chain with zero trust because of course, those were the two highlights for our industry of the Biden executive order. And they are very interrelated.
Schwartz: Lots of work to be done. Information assurance, I think, is sometimes a subhead or subtitle of cybersecurity. And there's a lot of assurance that needs to happen here. And it's not clear how we're going to get there. SBOMs, or software bills of materials, might help, but they are nascent, and they won't solve everything.
Morbin: And you can't deconstruct every component down to the last nut and bolt for every car. So it is, as you say, securing the supply chain with real, proper audits, and the whole process has to be strengthened. Sorry, Suparna?
Goswami: I was saying ... I have been speaking to people, and it's barely scratched the surface. Because if you are taking something from the open-source code, how will you just track that? It is so difficult. So as long as it's a step in the right direction, but yes, as Matt said, it's still nascent, and we need to see how it all pans out in the bigger picture.
Delaney: Great work, team. Moving on. Finally, last question: you've been tasked with creating a new anonymous web browser - of course, it would be only used for legal and safe activities - what would you call it? The Onion Router has been taken, by the way, Tor.
Morbin: I'm going to jump in with Serendipity. And the reason is we've got Google and we've got, coming soon, ChatGPT as ways of finding out the things that we want to know about. So I'd come up with something different and give you a search engine that tells you about things you didn't know you wanted to know about. Because I'm an old guy who's used to print, and that's the one thing I miss about print: the serendipity effect of finding out about things that you didn't even know you're interested in. Whereas online, you tend to find out what you know you're interested in.
Delaney: Yeah, I like that. And there's that positive feeling to it. Suparna?
Goswami: I thought Web100 with the tagline "the true privacy-focused internet," because Web3 claims that it has better privacy, so I thought, let me have Web100, the true privacy-focused internet.
Delaney: Love it!
Schwartz: Or just turn it up to 11, Suparna, that always works. I'm going to sound a little bit like Tony but for different reasons. I was just thinking Serenity because there's so much news. There's so much just craziness in the world. You have these billionaires swaggering about causing online chaos. Who doesn't want a little bit of serenity? But maybe there could be a Serenity and a Serendipity tie-up? I don't know.
Delaney: Yeah. I'm going to go for Griffin. That was the invisible man in H. G. Wells' The Invisible Man.
Schwartz: Not the mythological beast with big claws.
Delaney: No, but that could also work. It's always a pleasure, team. Thank you very much. I've had great fun!
Goswami: Thank you, Anna.
Schwartz: Thanks, Anna.
Delaney: Thank you for watching. Until next time!