In episode 69 of The Security Ledger podcast, we speak with Luca Allodi of The University of Eindhoven in The Netherlands about research on the functioning of dark markets. Also: DUO Security researched the trade in phishing toolkits – you’ll be surprised at what they learned. And we deconstruct a campaign against the citizen journalism website Bellingcat.com to understand how the Russian Group known as Fancy Bear works.
We read a lot about so-called “dark markets,” the secretive and mostly hidden bazars where cyber criminals trade their wares. And most often, we read about them on the occasion of their demise. But, raids aside, the cyber underground continues to survive and, according to Luca Allodi, a researcher at the University of Eindhoven in the Netherlands, to thrive. In this week’s Security Ledger Podcast (our 69th!) we talk with Allodi about his research into cybercriminal marketplaces (PDF) and his opinion that dark markets are often more efficient than their above board counterparts.
While it is a common saying is that there is no honor among thieves, Allodi begs to differ. His research into the functioning of underground dark markets used by mostly Russian cyber criminals has found that the most successful and well trafficked of these are characterized by a rigid and strictly enforced code of conduct and business ethics that ensures fair and prompt payment for goods and services. In fact, Allodi said, dark markets appear to do a better job providing incentives for participants than do their above board competitors like vendor sponsored bug bounty programs understanding what he calls the “economics of attack acquisition and deployment.”
“The perception is that it is a very fair system where people know what the rules are. The rules are enforced and if you operate according to the rules, you know that you will be fine.” — Luca Allodi on his study of Russian dark markets.
Among other things, criminal marketplaces (at least those that aren’t outright frauds) do a better job creating certainty for sellers of software exploits and other hacking wares. In the above ground market, such as bug bounty programs, the conditional nature of rewards act as a disincentive for sellers, who never know exactly what they will be paid for their effort.
The market for phishing tools
Also this week: Phishing attacks are the foot in the door for most sophisticated hacks these days. But where do they come from? DUO Security, a company that offers strong authentication tools, has researched the universe of phishing kits, collections of files and scripts that make it easy for just about anyone to set up a sophisticated scam. Jordan Right of DUO said that one of the biggest findings of their research was how much sharing of tools and assets is happening between different and in theory competing cyber criminal groups.
Dissecting Fancy Bear
And, in our final segment: the Associated Press broke a big story this week detailing the extent of attacks by the Russian advanced threat group Fancy Bear against groups and individuals who were critical of the Russian Government or the regime of Vladimir Putin. Rob Simmons of the firm ThreatConnect talks to us about his company’s research into attacks on one of the targets: the citizen journalism site Bellingcat, which has exposed links between the Russian military and the downing of a Malaysian Airlines passenger jet in 2014.
As always: check our full conversation in our latest Security Ledger podcast above or over at Soundcloud. You can also listen to it on iTunes. As always, if you like our intro music, give some love to the group JoeLess Shoe, who recorded “Baxton,” the song we use in just about every podcast.