The latest findings from the Digital Shadows' Photon Research team highlight how the pandemic is shaping the business operations of criminal networks, which, like those of legitimate businesses, have shifted dramatically. Tracking how the market is changing in real time, Digital Shadows has observed that some operations have quickly curtailed their activity while the majority of malicious actors are capitalizing on the crisis, noting, for example, that an increase in online transactions has potentially bolstered success rates for credit and debit card fraud.

Digital Shadows has observed threat actors operating on cybercriminal forums and marketplaces expressing their worries and a sense of desperation as to how the pandemic will affect their established business models. Some are urgently trying to adapt their offerings to survive in this vastly changed landscape. Other cybercriminals see an opportunity to profit from mass hysteria and panic or take advantage of the increased online exposure that virus-tackling measures have inadvertently caused. 

Below are some of the findings from the Digital Shadows report.

Opportunity: Online Carding and Spreading Malware

Digital Shadows has observed threat actors on multiple Russian- and English-language cybercriminal forums initiating threads to discuss the likely impact of coronavirus on established services and offerings and the different types of cybercriminality that might be boosted by this unprecedented situation.

According to Digital Shadows:

• In one discussion thread on the gated Russian-language carding forum Verified, one user predicted a rise in credit and debit card transactions with the increased numbers of people working or studying at home. The user opined that this would benefit carding activity because “the greater the volume and diversity of transactions, the more difficult it is to attribute fraud”.
• A user on the high-profile Russian-language cybercriminal forum Exploit echoed this viewpoint, stating that as “everyone is afraid to go out on the streets,” they are choosing what they think is a safer option and paying online or with cashless methods in shops, which will cause carding to “develop even more.”
• Although not explicitly stated in the forum discussion threads, increased online shopping could lead to increased online fraud for a number of reasons, including less cyber-savvy consumers using online platforms more than they usually would and businesses standing up rushed online shopping systems that don’t protect customer details as well as they could.
• One user on the Russian- and English-language carding forum Club2CRD pondered “how to get the maximum benefit from this quarantine.” They observed that as time spent online will likely increase globally during worldwide lockdowns, cybercriminals who specialize in rerouting or abusing Internet traffic “will not miss the moment” and that consequently the number and quality of malicious software installed via this method will increase.
• There are many ways that cybercriminals could take advantage of increased online activity to spread malware, including interfering with IP addresses to direct increased numbers of people to fake websites hosting malware, or creating malicious advertisements on search engines to trick visitors into visiting harmful sites.

Many users on cybercriminal forums have been discussing or exhibiting ways in which they can adapt their current business models to derive increased profit from the current situation.

• An Exploit forum user who has been creating fake web pages for stealing credit card or bank details for many years updated their long-standing thread to offer COVID-19-themed fakes.
• Digital Shadows has also observed several marketplace vendors who have previously been engaged in drug sales and/or carding relating activity who have now pivoted to advertising “coronavirus face masks” or miracle corona-related cures on dark web marketplaces.

Travel and Event Fraud

According to Digital Shadows, in a thread on Verified, one user highlighted travel- and event-related fraud as a sector of the cybercriminal-related economy that could be particularly hard-hit, noting that “people are afraid of flying and the borders are closed."

• Another Verified user who maintains a long-standing thread offering fraudulent tickets for same-day events posted an update stating that “everything is closed for 2 weeks” as a result of the cancellation of events across the globe.
• A Club2CRD user responsible for promoting the travel services provided by an established vendor appeared to be trying to ride through the situation, encouraging users to “RUN from coronavirus,” adding “Many routes are still available and open."
• A different Verified user initiated a pleading thread titled “find a job for an old man” to beg for additional income. The post stated that the user had worked since 2012 on fraud targeting tourism, hotels, air travel, and excursions, but that “since the world decided to spin up a cool scam codenamed ‘coronavirus’ which will likely lead to another crisis… I am left without earnings for an indefinite period.” They suggested that they could take on work registering or checking fraudulently obtained accounts, or any other unspecified work that would guarantee daily hours and payment, adding that they already had access to the anonymizing infrastructure required for this type of work. At the time of writing, the user had posted again to reiterate their request, indicating they had had no luck so far in finding work.

On March 17, 2020, Amazon announced that they would be blocking all shipments of products other than food, medicines, and other products deemed “essential” to its warehouses in response to increased demand, meaning that both legitimate and cybercriminal vendors who make use of Amazon’s storage and delivery network to move their goods will no longer be able to ship these non-essential products, says the research team. 

• One Verified member who has been offering a drop service buying carded goods for resale since February 2011 announced that “Due to force majeure circumstances beyond our control (coronavirus epidemic) Amazon is stopping accepting goods with the exception of food and medicine products until at least 5 April due to an inability to process warehouse restocking. From today it is impossible to send your illiquid assets [i.e. goods that are not hot commodities among an extensive audience] on Amazon. Please do not create new packs with illiquid asses [sic], they will not be paid for”.
• Another drop service provider on Verified has been experiencing identical issues. They updated their longstanding thread to announce that they had been “forced to stop buying all illiquid assets.” They added that “in connection with the panic over the coronavirus we have already started to run into problems with delivery.”

Browsing messages and offerings on cybercriminal forums and marketplaces shows that coronavirus truly is proving to be a double-edged sword for threat actors, says the research team. "Some enterprising cybercriminals may be relishing the increased earning opportunities that the current crisis will bring them, while others will be aghast at the thought of the swift destruction of the business models and reputations that have taken years to develop. It will be interesting to see how the cybercriminal landscape has altered once the storm has passed, and who has been able to successfully weather the situation," concludes the research team. 

For the full report, please visit Digital Shadows.