When Cybercrooks Chat, Privacy isn’t Everything

In-brief: a survey of cyber criminal groups by Flashpoint revealed that secure messaging apps are becoming more popular, but that security isn’t the only thing motivating online criminals. 

Cyber criminals lurk in the dark recesses of the Internet, striking at random and then disappearing into the virtual ether. But when they want to talk shop with their colleagues, they turn to Redmond, Washington-based Microsoft and its Skype communications tools, according to an analysis by the firm Flashpoint.

Skype is the hands-down winner among various online communications options for cyber criminal groups, which have migrated to more secure, encrypted platforms from legacy chat tools like ICQ, Jabber and AOL Instant Messenger in recent years.

The study surveyed mentions of social media platforms in the underground communities monitored by Flashpoint. Mentions of different platforms were used as a proxy for gauging interest in and use of these messaging services. (Yes, we get that this is a questionable assumption.) Flashpoint analysts looked, especially, for invitations to continue conversations outside of cyber criminal marketplaces, like references to ICQ accounts or other platforms.

The researchers also observed discussions of the relative merits of different messaging services, apparently a popular topic of conversation among cyber criminals. Communications were lumped together based on language community; those studied included Russian, Spanish, Chinese, Farsi and French. Researchers compared data from 2012 and 2016 to observe changes in community preferences.

The survey results show that, out of a population of around 80 instant messenger platforms and protocols, a short list of just five platforms accounts for between 80% and 90% of all mentions within the cyber underground. Of those, Microsoft’s Skype was the chat king. It ranked among the top five platforms across all language groups. That, despite the platform’s lack of end-to-end encryption or forward secrecy features and evidence, courtesy of NSA hacker Edward Snowden, that US spies may have snooped on Skype video calls in recent years.

But Flashpoint data suggests that Skype may be losing its appeal as criminals migrate to more secure alternatives. Skype’s standing fell among Spanish, French and Arabic hacking groups between 2012 and 2016, while it remained the same among English, Chinese and Persian/Farsi speaking hackers during the same period. Citations of Skype in hacking forums increased only among Russian language hackers in the last four years. Only Russian and English-speaking hackers appeared to be using Skype as their main chat and communications platform in 2016.

But while Skype, ICQ and PGP are still popular in different language groups, data suggests cyber criminals are warming to more secure alternatives, particularly those that offer end-to-end encryption. In Persian/Farsi-language hacking groups, for example, the new secure communications application Telegram appears to be favored in 2016. That’s a big change from 2012, when hackers in Iran and neighboring countries appeared to prefer Yahoo! Messenger.

Among Arabic language hackers, WhatsApp has supplanted Skype and Windows Live Messenger as the messaging platform of choice. The French prefer Jabber and PGP as well as ICQ over Microsoft’s Skype. Chinese hackers, among the world’s most prolific, prefer to use QQ, an ICQ knockoff, as well as WeChat in more or less the same proportions as they did in 2012. It’s worth noting that Flashpoint’s method of observation may not reflect actual platform use. And, at the same time, queries about platforms with less salient names like “Signal” had noisier results that may have distorted Flashpoint’s analysis of their use, the company noted.

Still: increased interest in encrypted communications among cyber criminals follows public attention to the revelations of Edward Snowden and the emergence of new, secure messaging alternatives. Cyber criminals are also eager to share information with others inside communities of interest, further disseminating information about alternative chat platforms.

The biggest takeaway may be that, while security is a priority amongst thieves, it isn’t the sole concern that cyber criminals and their associates have. In fact, sophisticated hacking communities like those in Russia continue to rely on legacy platforms like ICQ when provably more secure alternatives exist. The reason? Business.

“These cyber criminals have a lot of different options that they’re juggling and a lot of factors that weigh on their options,” said Leroy Terrelonge III, the Director of Middle East and Africa Research at Flashpoint. “We might suspect that cyber criminals use the most secure means of communication all the time, that’s not what our research showed.”

In fact, convenience weighed heavily on the choice of platform, as well as the “network effect,” a key factor in the adoption of any communications platform. “The more people on a platform, the more attractive it is for more people to use it,” he said. Skype’s longevity and its bundling with Microsoft products like Windows juice that “network effect.” That simply makes it easier to communicate with any given individual and may force cyber criminals to downgrade the security of the communications platform they use for the privilege of communicating at all, Terrelonge told The Security Ledger.

Law enforcement leaders and policy makers in the United States have argued that the advent of encrypted communications platforms like Telegram, Signal and WhatsApp has allowed criminal networks to “go dark,” evading surveillance by law enforcement. FBI head James Comey has argued for the creation of special access provisions in secure communications platforms that law enforcement can use to observe the content of those communications. That idea has been roundly criticized by technology experts and executives of high tech firms, who note that so-called ‘back doors’ in encryption tools weaken security for everyone, because they can be used both by good and bad actors.

In a report released last year, scholars from The Berkman Center For Internet & Society at Harvard University concluded that arguments against the use of strong encryption by public figures like Comey are unfounded. Rather, technology adoption and current technology business models based on the monetization of data and metadata will create ample opportunities for online surveillance.

“Communications in the future will neither be eclipsed into darkness nor illuminated without shadow,” wrote the authors of the report in a blog post.

“We have to see encrypted communications as a tool not just for cyber criminals but other individuals, as well,” Terrelonge said.