Cyber crime gangs have been operating for years, but in recent months, they’ve shifted tactics. They’ve embraced new technologies, exploited new opportunities, delivered new payloads and sought out new targets. Their aim is to maximize the amount of money they can collect through cyber crime.

Gangs such as Cosmic Lynx, Exaggerated Lion, Fin7 and Florentine Banker have become major threats. Cyber crime gangs are getting smarter, increasingly basing their operations in countries beyond the legal reach of their targets. That lets them run long-term campaigns and keep reusing infrastructure and techniques even after those are discovered. They’re banding together more than before. And they’re combining crimes, for example ransomware and extortion.

They’re also seizing new opportunities more quickly. For example, cyber crime gangs began to exploit last year’s surge in the number of people working and studying remotely. Because many of these transitions were unplanned, criminal organizations saw an opportunity. Some gangs use typo-squatting and URL hijacking to imitate popular video conferencing applications, taking advantage of the fact that millions of people in business and education are unfamiliar with these platforms and with the domains they legitimately use.

Taking the World By Surprise

All cyber attacks seek some element of surprise, but contemporary threat actors are getting better at faking authenticity. Some even use legitimate services for part of the scam.

In the past year or two, criminal gangs have increasingly set up legitimate-looking websites. They can also open social media accounts used just for social engineering. They’re able to deeply research targets to execute more sophisticated attacks.

A newer whaling technique starts with the research-intensive process of learning all about a target through their social media posts. (Whaling is a phishing attack on a big target, like a CEO.) The gang might study those posts for months. Then, the threat actor impersonates someone known to the target and invites the victim to share a document in an online office suite. When accessed, that document opens a remotely hosted HTML page that asks the person to sign in to the office suite. Credentials entered there go to the attackers, who then have access to all of the victim’s documents, email, calendar and contacts. The victim often doesn’t know they’ve been attacked until much later. That access can then be used for ransomware, data theft, extortion or outright theft of funds.

Patient Espionage Targets ‘Whales’

A cyber gang called The Florentine Banker stole millions from U.K.-based private equity firms using patient, long-term and disciplined methods. The group would start by whaling a tiny number of senior employees with manipulated emails until someone could be tricked into revealing their credentials. From that foothold, they would phish others within the companies who had access to financial data, gaining access to their mailboxes and monitoring them, in some cases for months. The purpose was to learn the lay of the land before actually stealing anything.

Florentine Banker members would then register domains resembling those used by the targets’ colleagues and counterparties. From there, they could steal money in several ways: initiating credible requests for wire transfers, or intercepting legitimate ones and replacing the beneficiary account numbers with accounts that diverted the funds to the attackers.
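The lookalike domains that run through the cases above (imitation video-conferencing sites, the colleague-lookalike domains Florentine Banker registered, and the host of a fake sign-in page) can be caught mechanically before a user clicks. The following Python script is an added example, not code from the article or from any vendor; the protected-domain list, the homoglyph table and the sample URLs are constructed for illustration, and the registered-domain logic is a crude stand-in for the Public Suffix List.

```python
"""Lookalike-domain triage for links in mail or proxy logs.

Added example, not code from the original article. The protected-domain
list, the homoglyph table and the sample URLs are constructed for
illustration; a production version would use the Public Suffix List for
registered-domain extraction and a larger confusables table.
"""
from urllib.parse import urlparse

# Constructed: the organisation's own domain plus the collaboration tools
# its staff use (the "popular video conferencing applications" of the text).
PROTECTED = ["example.com", "zoom.us", "teams.microsoft.com", "docs.google.com"]

# Constructed subset of visually confusable substitutions seen in squats.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Second-level suffixes under two-letter ccTLDs (co.uk, com.au, ...).
# Crude stand-in for the Public Suffix List.
SECOND_LEVEL = {"co", "com", "org", "net", "ac", "gov"}


def registered_domain(host: str) -> str:
    """Registrable part of a hostname: 'a.b.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(label: str) -> str:
    """Map confusable character sequences to the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def classify_host(host: str, protected=PROTECTED) -> str:
    """Classify a hostname as 'legitimate', 'lookalike' or 'unrelated'."""
    host = host.lower().rstrip(".")
    if any(host == p or host.endswith("." + p) for p in protected):
        return "legitimate"
    if "xn--" in host:
        return "lookalike"            # IDN label: homoglyph attacks hide here, always review
    sld = registered_domain(host).split(".")[0]
    for p in protected:
        p_sld = registered_domain(p).split(".")[0]
        if p_sld in sld and sld != p_sld:
            return "lookalike"        # brand embedded in the label: zoom-us-meeting.com
        if fold_homoglyphs(sld) == p_sld:
            return "lookalike"        # homoglyphs: rnicrosoft.com, z00m.us
        if edit_distance(sld, p_sld) <= (1 if len(p_sld) <= 5 else 2):
            return "lookalike"        # typo-squat: exampel.com
        if host.startswith(p + "."):
            return "lookalike"        # brand as subdomain: docs.google.com.secure-share.net
    return "unrelated"


def classify_url(url: str) -> str:
    """Classify the host of a URL; a URL with no host counts as unrelated."""
    return classify_host(urlparse(url).hostname or "")


def triage(urls):
    """Group URLs by classification, ready for blocking or review queues."""
    out = {"legitimate": [], "lookalike": [], "unrelated": []}
    for u in urls:
        out[classify_url(u)].append(u)
    return out


if __name__ == "__main__":
    # Constructed sample links of the kind found in a phishing mail.
    sample = [
        "https://us04web.zoom.us/j/12345",
        "https://zoom-us-meeting.com/join",
        "http://z00m.us/j/1",
        "https://rnicrosoft.com/login",
        "https://docs.google.com.secure-share.net/d/abc",
        "https://exampel.com/payroll",
        "https://github.com/example/repo",
    ]
    for label, hits in triage(sample).items():
        print(f"{label}: {hits}")
```

The four checks are deliberately ordered from cheapest to most permissive; the edit-distance threshold is tighter for short brand names because one edit on a four-letter label matches far too many unrelated words. Anything classified as a lookalike should be blocked or queued for review, not silently allowed.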

Beyond Messy Phishing Emails

Spelling and grammar have become part of cyber gangs’ toolkit. It’s a cliche at this point that attackers love email phishing and Business Email Compromise (BEC) campaigns. It’s also a cliche that these emails notoriously contain spelling, grammar, usage and style errors, mainly because target and perpetrator don’t share a native language. Bad English was, and still is, an easy way to spot a fraudulent email. But recently, security researchers have noticed some cyber crime gangs sending fraudulent emails in impeccable English. Some even believe that gangs are hiring professional native-language writers.

Another ongoing trend that favors the accelerating evolution of cyber gangs is the commoditization of malware, including malware that abuses SSH machine identities. A single stolen or over-trusted SSH key can give attackers full access to an organization’s applications and data. This technique was developed by, and once used exclusively by, state-sponsored attackers, but it is now for sale on the dark web.
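Because a single trusted SSH key can be worth that much to an attacker, the first defensive question is where each key is trusted and under what restrictions. The Python audit below is an added example, not code from the article or from any product. It parses real OpenSSH authorized_keys syntax and key-blob wire format, but the key blobs, host names and user names in its sample data are synthetic and constructed here.

```python
"""authorized_keys audit across a fleet (added example, not from the article).

Flags what turns one stolen SSH key into broad access: entries with no
from=/command=/restrict option, one key trusted on many hosts, short RSA or
deprecated DSA keys, and keys with no owner comment. The sample entries use
synthetic key blobs built below, not real keys; hosts and users are invented.
"""
import base64, hashlib, struct
from collections import defaultdict

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
RESTRICTING = ("from=", "command=", "restrict")

def split_options(line):
    """Split 'options keytype base64 [comment]'. Options are comma-separated
    and may contain quoted strings with spaces, e.g. command="a b"."""
    if line.split(None, 1)[0] in KEY_TYPES:
        return [], line
    opts, buf, in_quote, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quote = not in_quote
        if ch == " " and not in_quote:
            break
        if ch == "," and not in_quote:
            opts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    opts.append(buf)
    return opts, line[i:].strip()

def _read_string(blob, off):
    """Read one length-prefixed SSH wire-format string."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def key_bits(keytype, blob):
    """RSA modulus / DSA p length; 256 for ed25519; curve size for ECDSA."""
    _name, off = _read_string(blob, 0)
    if keytype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # skip public exponent
    if keytype in ("ssh-rsa", "ssh-dss"):
        n, _ = _read_string(blob, off)             # RSA n or DSA p
        return int.from_bytes(n, "big").bit_length()
    return 256 if keytype == "ssh-ed25519" else int(keytype.rsplit("nistp", 1)[1])

def fingerprint(blob):
    """Same form as 'ssh-keygen -lf': SHA256 of the blob, unpadded base64."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def audit(entries):
    """(host, user, line) tuples -> list of (host, user, fingerprint, issue)."""
    findings, hosts_by_fp = [], defaultdict(set)
    for host, user, line in entries:
        opts, rest = split_options(line.strip())
        parts = rest.split(None, 2)
        keytype, blob = parts[0], base64.b64decode(parts[1])
        fp = fingerprint(blob)
        hosts_by_fp[fp].add(host)
        if not any(o.startswith(RESTRICTING) for o in opts):
            findings.append((host, user, fp, "no from=/command=/restrict option"))
        if keytype == "ssh-dss":
            findings.append((host, user, fp, "deprecated DSA key"))
        elif keytype == "ssh-rsa" and key_bits(keytype, blob) < 2048:
            findings.append((host, user, fp, "RSA key shorter than 2048 bits"))
        if len(parts) < 3:
            findings.append((host, user, fp, "no owner comment"))
    for fp, hosts in hosts_by_fp.items():
        if len(hosts) > 1:
            findings.append(("*", "*", fp, f"same key trusted on {len(hosts)} hosts"))
    return findings

# Constructed sample data: synthetic blobs in the real wire format, not real keys.
def _string(b):
    return struct.pack(">I", len(b)) + b
def _mpint(n):                     # positive mpint: leading zero byte if high bit set
    return _string(n.to_bytes((n.bit_length() + 8) // 8, "big"))
def _synthetic_key(keytype, *fields):
    return keytype + " " + base64.b64encode(_string(keytype.encode()) + b"".join(fields)).decode()

RSA_SHORT = _synthetic_key("ssh-rsa", _mpint(65537), _mpint(2 ** 1023 + 12345))
RSA_OK = _synthetic_key("ssh-rsa", _mpint(65537), _mpint(2 ** 2047 + 98765))
ED_A = _synthetic_key("ssh-ed25519", _string(bytes(range(32))))
ED_B = _synthetic_key("ssh-ed25519", _string(bytes(range(32, 64))))

SAMPLE = [
    ("web-01", "deploy", RSA_OK + " deploy@ci"),
    ("web-02", "deploy", RSA_OK + " deploy@ci"),
    ("db-01", "root", RSA_OK + " deploy@ci"),
    ("db-01", "backup", 'from="10.0.5.7",command="/usr/local/bin/rsync-wrapper",no-pty ' + ED_A + " backup@bastion"),
    ("web-01", "alice", RSA_SHORT),
    ("jump-01", "ops", 'restrict,from="192.168.1.0/24" ' + ED_B + " ops@laptop"),
]

if __name__ == "__main__":
    for host, user, fp, issue in audit(SAMPLE):
        print(f"{host:8} {user:8} {fp[:19]}  {issue}")
```

On the sample, the unrestricted CI key trusted as root on the database host and on both web servers is the finding that matters: anyone who steals it from the CI system gets all three machines, which is exactly the kind of key the commoditized tooling above is built to find and use. In a real fleet, feed the function with the contents of every user's authorized_keys file (and any AuthorizedKeysCommand source) and act first on keys that are both unrestricted and shared.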

Other examples of specialized tools offered for general sale on the dark web include TrickBot, CryptoSink, Linux Worm and Skidmap.

State Sponsored or Cyber Gangs? It’s Getting Harder To Tell

In previous years, it was easier to tell the difference between an attack carried out by cyber crime gangs and state-sponsored attackers. The sophistication, scale and duration of cyber attacks by governments often dwarfed anything cyber crime gangs could pull off.

But that’s changing fast. Cyber gangs are evolving to greater sophistication. And the reverse is also true. Cyber criminal organizations are developing tools and techniques so sophisticated they’re increasingly being adopted by state-sponsored attackers. Therefore, analyzing the sophistication of or the tools used in an attack no longer immediately tells a defender what kind of attacker it was.

State-sponsored attacks used to have the exclusive advantage of using the long-standing espionage technique of bribing people in person inside target organizations. Imagine an exchange where a spy in a dark coat and fedora meets their nervous target in a poorly lit park late at night. They exchange briefcases, one of which is packed with cash. Coordinated state-sponsored attacks can leverage this kind of old-school spycraft — and they have the money to do it.

Attempted Cyber Infiltration Started In Person

Now cyber gangs are doing something similar to state-sponsored actors, and for the same reason. In a very recent case, a cyber gang targeted California car company Tesla with what, in most of its details, was a pretty mundane attack. The plan was to get an employee to install malware on Tesla’s internal network, where it would propagate widely within the company. The crooks would then launch a distributed denial-of-service (DDoS) attack to divert attention from the real attack: exfiltrating sensitive data and business secrets. Finally, they would extort Tesla to pay up or see the data made public.

But here’s the unusual part. The gang (allegedly) sent a representative named Egor Igorevich Kriuchkov to fly to Nevada in person. His job was to wine, dine and groom an employee, ultimately offering him $1 million to install the malware.

Over the next year or two, it will probably become increasingly difficult for defenders to tell when attacks are state sponsored or executed by cyber gangs.

How to Stay One Step Ahead of Cyber Gangs

Many of the old methods for detecting breaches and security events may be obsolete. But, by reviewing training, policies, priorities and tools, organizations can adapt to the new world of cyber gang crime trends.

Educate employees about the dangers of posting any information on social media that could be used in a social engineering attack. Don’t automatically trust authentic-looking invitations, correspondence and the like. Verify by phone or another out-of-band channel before opening anything that arrives by email. Work to secure remote work sessions and work-from-home tools, and train staff never to enter credentials in response to a request that arrived by email.

Develop special training for executives, managers and other leaders about whaling attacks. Specifically, explain to them why they are most likely to be targets of very sophisticated social engineering attacks.

If you can, use artificial intelligence tools that can seek out strange behavior on the network. These could indicate an attack too subtle for humans to notice.

Stay vigilant about the insider threat. High-dollar bribes create a new motive for employees to help cyber gangs attack your organization. It’s no longer enough to look out only for disgruntled employees. Relatedly, set up extra checks and approvals for money transfers to prevent an internal social engineering victim from accidentally paying crooks.

Don’t Forget The Basics

You should prevent tools, including cloud-based office suites, from being accessed with nothing more than a username and password. Set up additional authentication so that a stolen username and password alone don’t grant access. Where possible, prefer phishing-resistant factors such as FIDO2/WebAuthn security keys: a one-time code typed into a fake sign-in page can be relayed to the real site within its validity window, whereas a security key binds the login to the genuine site’s origin.
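What "additional authentication" means at the protocol level, as an added example rather than code from the article: a server-side verifier for the one-time codes that authenticator apps produce (RFC 4226 HOTP, RFC 6238 TOTP), including the clock-skew window and the replay check a deployment needs. The shared secret is the RFC test-vector secret so the codes can be compared with the published values; a real secret is random bytes provisioned out of band.

```python
"""HOTP/TOTP second factor with replay protection.

Added example, not code from the original article. Shows the server-side
half of a one-time-code factor (RFC 4226 HOTP, RFC 6238 TOTP) and the two
details that matter in practice: accept a small clock-skew window, and never
accept a time step that has already been used. SECRET is the RFC test-vector
secret, used only so the output can be checked against published values.
"""
import hashlib
import hmac
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector secret, not for real use


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    t = int(time.time() if at is None else at)
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Per-user verifier state: the highest time step already accepted."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1, digits: int = 6):
        self.secret, self.step, self.skew, self.digits = secret, step, skew, digits
        self.last_counter = -1

    def verify(self, code: str, at: float = None) -> bool:
        now = int(time.time() if at is None else at)
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue        # step already used (or older): blocks replay of a captured code
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, at=59)           # "287082": RFC 6238 vector, 6-digit form
    print(code, v.verify(code, at=59))   # True
    print(code, v.verify(code, at=59))   # False: same step replayed
```

The skew window of one step either side tolerates a phone clock that is up to 30 seconds off; the `last_counter` check is what stops an attacker who captured a code from reusing it inside that window, and `hmac.compare_digest` keeps the comparison constant-time. Store `last_counter` per user in the same place as the secret.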

The new world of organized cyber crime is a challenging one. The gangs are evolving not only the tools they use, but the use of human activity and legitimate tools to trick and evade. The threat is changing, but it can be defended against.
