Cybercrime now more interconnected and likely to increase, say senior cyber sleuths

The proliferation of Darknet markets in Asia has allowed cyber criminals to operate without much concern of getting caught, said security company Palo Alto Networks. PHOTO ILLUSTRATION: ST FILE

SINGAPORE - Cybercrime and fraud are expected to be more rampant than in previous years, said two senior figures from cyber-security company Palo Alto Networks.

Among the threats, business e-mail compromise (BEC) and ransomware attacks remain high on the global watch list.

BEC, a sophisticated scam that targets both businesses and individuals performing legitimate transfer-of-funds requests, remains the most common and most costly threat facing organisations globally, said Ms Wendi Whitmore, senior vice-president of Palo Alto Networks’ Unit 42.

Unit 42 is a team within Palo Alto which identifies new threats, analyses them and looks for correlations based on the data it receives.

Ms Whitmore said: “We see (criminal) organisations where you’ve got a member in Nigeria that’s closely communicating (on the Dark Web) with someone in Eastern Europe, and maybe communicating closely with someone in Asia.

“I think that as the economy continues to have more challenges, we’re going to see even more of that level of interconnectivity.”

BEC continues to hold the top spot for the sixth year running on the 2021 FBI Internet Crime Complaint Centre report.

Global losses have skyrocketed from US$360 million (S$495 million) in 2016 to US$2.3 billion in 2021.

In Singapore, 93 victims lost about $56.2 million to BEC scams in the first three months of 2022, the police said in July.

Mr Vicky Ray, a principal researcher at Unit 42, studies data and telemetry behind such global attacks. He acknowledged that the Dark Web has become a breeding ground for cybercrime.

Unlike the Internet, where the public can openly search for information or participate in forums, the Dark Web requires a special browser and a known URL to gain entry. Some Dark Web forums require a new member to be vouched for by a known party.

According to Palo Alto, the proliferation of Darknet markets in Asia has allowed cyber criminals to operate without much concern about getting caught due to the anonymity provided by the platform.

Mr Ray told The Straits Times: “It’s hard, but at the end of the day, it is our job to connect these dots together to really answer... the hard question of who may be behind it (a cyber attack) or what the motivation is.” 

Whether an attack is ransomware – a type of malicious software that blocks access to a computer system until money is paid – or leaked data such as NRIC numbers or passport scans, the cyber criminals exist in an ecosystem where “everyone supports each other and collaboration is everywhere”, Mr Ray said, showing ST a screengrab of a malware developer getting feedback on a Dark Web forum.

“What has changed in the past three years has been the tactics of ransomware as a service,” he added. “These gangs who were actually creating and using the ransomware to target victims, or potential victims back in the day, what they have realised is, if they provide that to other criminals, who are called affiliates, they can be more profitable.”

They take a cut of between 20 per cent and 40 per cent from the total ransom, said Mr Ray.

A malware developer posting on a Dark Web forum about his new software and asking for advice on how to get it published and sold. PHOTO: PALO ALTO NETWORKS

Criminals on the Dark Web cooperate at different levels, from affiliates who buy the malware from developers, to “consultants” who provide expert advice.

But the same collaboration also exists between law enforcement and private-sector parties, such as Palo Alto, which share their cybercrime research with Interpol.

In 2021, the Nigerian Police Force arrested 11 members of a prolific cybercrime gang who are thought to be members of “SilverTerrier”, a network known for BEC scams, said Interpol on its website.

From Dec 13 to 22, 2021, Operation Falcon II saw investigators analysing data from the network’s BEC schemes, said to be linked to 50,000 targets. While no monetary figure was revealed, one suspect had more than 800,000 potential victim domain credentials on his laptop.

Interpol said: “Through Interpol’s Gateway initiative, Palo Alto Networks’ Unit 42 and Group-IB (a cyber-security firm) have contributed to investigations by sharing information on ‘SilverTerrier’ threat actors, and analysing data to situate the group’s structure within the broader organised crime syndicate. They also provided key technical expertise consultancy to support the Interpol teams.”

The Gateway Initiative facilitates secure and rapid exchange of information between law enforcement agencies and relevant private entities for the prevention and disruption of cybercrime.

Added Mr Ray: “We really see the significance of these (partnerships)... So you will see a lot of the law enforcement now openly talking to us and collaborating.”
