Cyber crime gangs have been operating for years, but in recent months, they’ve shifted tactics. They’ve embraced new technologies, exploited new opportunities, delivered new payloads and sought out new targets. Their aim is to maximize the amount of money they can collect through cyber crime.

Gangs, such as Cosmic Lynx, Exaggerated Lion, Fin7 and Florentine Banker, have become major threats. Cyber crime gangs are getting smarter, increasingly basing their operations in countries beyond the legal reach of their targets. That enables them to engage in long-term attacks and continue using them after discovery. They’re banding together more than before. And they’re combining crimes — for example, ransomware and extortion.

They’re also seizing new opportunities quicker. For example, cyber crime gangs began to exploit the surge last year in the number of people working and being educated remotely. Because many of these transitions were unplanned, the cyber criminal organizations saw an opportunity. Some gangs are using typo-squatting and URL hijacking to imitate popular video conferencing applications. From there, they can take advantage of the fact that millions of people in business and education are unfamiliar with these platforms.

Taking the World By Surprise

All cyber attacks seek some element of surprise, but contemporary threat actors are getting better at faking authenticity. Some even use legitimate services for part of the scam.

In the past year or two, criminal gangs have increasingly set up legitimate-looking websites. They can also open social media accounts used just for social engineering. They’re able to deeply research targets to execute more sophisticated attacks.

A new whaling technique involves the research-intensive process of learning all about a target through their social media posts. (Whaling is a phishing attack on a big target, like a CEO.) The gang might study those posts for months. Then, the threat actor impersonates someone known to the target and invites their victim to share a document in an online office suite app. When accessed, that doc opens a remotely hosted page that imitates the office suite's sign-in screen and asks the person to log in. When they do, the gang gets access to all their documents, emails, calendars and contacts. The victim often doesn’t know they’ve been attacked until much later. Those attacks can lead to catastrophic ransomware infections, data theft, extortion or outright theft of money.

Patient Espionage Targets ‘Whales’

A cyber gang called The Florentine Banker stole millions from U.K.-based private equity firms by using patient, long-term and disciplined methods. The group would start by sending manipulated whaling emails to a tiny number of senior employees until one of them could be tricked into revealing their credentials. From that foothold, they would then phish others within the companies who had access to financial data, gaining access to their emails and monitoring them for, in some cases, months. The purpose of this was to learn and understand the lay of the land before actually stealing anything.

Florentine Banker members would start registering domains similar to the ones used by the targets’ colleagues. From there, they could start stealing money in several ways. They could initiate credible requests for wire transfers or intercept legitimate ones and replace them with account numbers that would divert the funds to the attackers.
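Both the typo-squatted video conferencing domains described earlier and the colleague-lookalike domains Florentine Banker registered rely on a recipient not noticing a small difference in a domain name. The script below is an added defensive example, not code from the original article or from any vendor: it checks the sender domain of inbound mail headers against a list of trusted domains, normalizing common character swaps (digit-for-letter, "rn" for "m") and flagging near misses by edit distance or by a trusted brand appearing as a label in a longer domain. The trusted domains and sample headers are constructed placeholders.

```python
"""Flag sender domains that closely resemble trusted ones.

Added example (not from the original article). Trusted domains and the
sample 'From' headers below are constructed for illustration only.
"""
import re
from typing import Dict, Iterable, List, Optional

# Constructed list: the organisation's own domain plus partner and
# vendor domains whose lookalikes would be dangerous in inbound mail.
TRUSTED_DOMAINS: List[str] = ["example-capital.com", "partnerlaw.co.uk", "zoom.us"]

# Single characters attackers commonly swap for visually similar letters.
_DIGIT_SWAPS = str.maketrans("0135", "oles")
# Multi-character sequences that read like another letter in many fonts.
_MULTI_SWAPS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common confusable characters."""
    d = domain.lower().rstrip(".").translate(_DIGIT_SWAPS)
    for seq, repl in _MULTI_SWAPS:
        d = d.replace(seq, repl)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    An exact match is legitimate and returns None; an unrelated domain
    also returns None. Only near misses are reported.
    """
    plain = domain.lower().rstrip(".")
    if plain in trusted:
        return None
    norm = normalize(plain)
    for t in trusted:
        tn = normalize(t)
        if norm == tn:
            return t  # differs only by confusable characters
        # Short domains get a tighter threshold to limit false positives.
        max_dist = 1 if len(tn) <= 10 else 2
        if levenshtein(norm, tn) <= max_dist:
            return t
        # Trusted brand used as a whole label or hyphenated token,
        # e.g. "<brand>-meeting-login.com".
        brand = tn.split(".")[0]
        if re.search(rf"(^|[.-]){re.escape(brand)}([.-]|$)", norm):
            return t
    return None


# Constructed sample headers: two legitimate, three lookalikes, one unrelated.
SAMPLE_FROM_HEADERS = [
    "From: Finance Director <j.smith@example-capital.com>",
    "From: J Smith <j.smith@exarnple-capital.com>",
    "From: Counsel <r.jones@partnerlaw.co.uk>",
    "From: Counsel <r.jones@partner1aw.co.uk>",
    "From: Zoom <no-reply@zoom-meeting-login.com>",
    "From: Newsletter <news@unrelated-vendor.org>",
]


def scan_headers(headers: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious sender domain to the trusted domain it resembles."""
    findings: Dict[str, str] = {}
    for line in headers:
        m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", line)
        if not m:
            continue
        sender_domain = m.group(1)
        hit = lookalike_of(sender_domain)
        if hit:
            findings[sender_domain] = hit
    return findings


if __name__ == "__main__":
    for bad, imitated in scan_headers(SAMPLE_FROM_HEADERS).items():
        print(f"LOOKALIKE {bad} -> resembles {imitated}")
```

In practice the trusted list would be fed from the organisation's own domain inventory and its known counterparties, and a hit would route the message to quarantine or add a visible banner rather than block outright, since edit-distance checks do produce false positives on short names.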

Beyond Messy Phishing Emails

Spelling and grammar can be weapons deployed by cyber gangs. It’s a cliche at this point that attackers love email phishing or any kind of Business Email Compromise (BEC) campaign. It’s also a cliche that these emails notoriously contain all kinds of spelling, grammar, usage and style errors, mainly because target and perpetrator speak different languages. Bad English was, and still is, an easy way to spot any kind of fraudulent email. But recently, security researchers have noticed some cyber crime gangs sending fraudulent emails in impeccable English. Some even believe that gangs are hiring professional native-language writers.

Another ongoing trend that favors the accelerating evolution of cyber gangs is the commoditization of malware, including malware that abuses SSH machine identities as part of its attack approach. A single SSH key can give attackers full access to an organization’s applications and data. This technique was developed by, and previously used exclusively by, state-sponsored attackers, but is now for sale on the dark web.

Other examples of specialized tools that people put up for general sale on the dark web include TrickBot, CryptoSink, Linux Worm and Skidmap.

State Sponsored or Cyber Gangs? It’s Getting Harder To Tell

In previous years, it was easier to tell the difference between an attack carried out by cyber crime gangs and state-sponsored attackers. The sophistication, scale and duration of cyber attacks by governments often dwarfed anything cyber crime gangs could pull off.

But that’s changing fast. Cyber gangs are evolving to greater sophistication. And the reverse is also true. Cyber criminal organizations are developing tools and techniques so sophisticated they’re increasingly being adopted by state-sponsored attackers. Therefore, analyzing the sophistication of or the tools used in an attack no longer immediately tells a defender what kind of attacker it was.

State-sponsored attacks used to have the exclusive advantage of using the long-standing espionage technique of bribing people in person inside target organizations. Imagine an exchange where a spy in a dark coat and fedora meets their nervous target in a poorly lit park late at night. They exchange briefcases, one of which is packed with cash. Coordinated state-sponsored attacks can leverage this kind of old-school spycraft — and they have the money to do it.

Attempted Cyber Infiltration Started In Person

Now cyber gangs are doing something similar to state-sponsored actors, and for the same reason. In a very recent case, a cyber gang targeted California car company Tesla for what, in most of its details, was a pretty mundane attack. The plan was to get an employee to insert malware into Tesla’s internal networks that would propagate widely within the company. Then, the crooks would attack Tesla with a distributed denial-of-service (DDoS) attack to divert attention from the real attack, which involved exfiltrating sensitive data and business secrets. Then, they would extort Tesla to pay up or the data would be made public.

That’s a pretty mundane attack. But here’s the strange part. The gang (allegedly) sent a representative named Egor Igorevich Kriuchkov to physically fly to Nevada. His job was to personally wine and dine and groom an employee, ultimately offering him $1 million to install the malware.

Over the next year or two, it will probably become increasingly difficult for defenders to tell when attacks are state sponsored or executed by cyber gangs.

How to Stay One Step Ahead of Cyber Gangs

Many of the old methods for detecting breaches and security events may be obsolete. But, by reviewing training, policies, priorities and tools, organizations can adapt to the new world of cyber gang crime trends.

Educate employees about the dangers of posting any information on social media that could be used in a social engineering attack. Don’t automatically trust authentic-looking invitations, correspondence, and so on. Verify by phone or other means before opening anything that comes via email. Work to secure remote work sessions and work-from-home tools, and train staff never to hand over credentials requested by email.

Develop special training for executives, managers and other leaders about whaling attacks. Specifically, explain to them why they are most likely to be targets of very sophisticated social engineering attacks.

If you can, use artificial intelligence tools that can seek out strange behavior on the network. These could indicate an attack too subtle for humans to notice.

Stay vigilant about the insider threat. High-dollar bribes create a new motive for employees to help cyber gangs attack your organization. It’s no longer enough to look out only for disgruntled employees. Relatedly, set up extra checks and approvals for money transfers to prevent an internal social engineering victim from accidentally paying crooks.

Don’t Forget The Basics

You should prevent tools, including cloud-based office suites, from being accessed with a simple username and password. Set up additional authentication to prevent gangs from gaining access by stealing names and passwords.

The new world of organized cyber crime is a challenging one. The gangs are evolving not only the tools they use, but the use of human activity and legitimate tools to trick and evade. The threat is changing, but it can be defended against.
