’Tis the Season for eCrime
Originally published by CrowdStrike.
Written by Bart Lenaerts-Bergmans, CrowdStrike.
Financially motivated criminal activities, aka “eCrime,” happen in waves. They come and go as adversaries develop new tools and target vulnerable victims. Similar to how investors track stock market activity using various indexes, CrowdStrike monitors eCrime using multiple observables and codifies the activity in the CrowdStrike eCrime Index™ (ECX). While most factors that affect the stock market — such as interest rates, oil prices and political upheaval — are common knowledge, the factors affecting eCrime are less visible. This blog explores what has affected the CrowdStrike ECX in the past 12 months, and what we can expect as we enter the holidays.
Quick Recap: The CrowdStrike eCrime Index (ECX)
The CrowdStrike ECX was introduced in early 2021 to gauge the overall health of the digital underground economy by looking at a variety of factors, including ransom demands, cryptocurrency fluctuations, vulnerabilities and exposures, and many other observables that, when weighted and averaged, provide a sense of what’s going on in the seedy underbelly of the internet and with the criminals who profit from the misfortune of others.
Trends that influence the CrowdStrike ECX include year-end holidays (Thanksgiving to Christmas) when users’ defensive shields go down; batches of vulnerabilities that can be exploited by newly developed criminal tools; and decreases in eCriminal activity following a large-scale incident or law enforcement action.
Hear more about holiday eCrime trends from Adam Meyers, SVP of Intelligence at CrowdStrike, in this short video.
CrowdStrike ECX Fluctuations over the Past 12 Months
CrowdStrike updates the CrowdStrike ECX weekly. Over the past 12 months, two notable peaks were seen: one in November 2021 and another mid-March into April 2022. These peaks were generated by overlap of multiple key observables including the following:
- SPAM activity between low and high moments fluctuated eight times. The highest peak happened from mid-November 2021 until mid-February 2022. A second, shorter peak happened immediately after the Russian invasion of Ukraine at the end of February 2022, ending in the middle of April 2022.
- BOTNET activity (i.e., commands received and replies sent) has been on a constant rise with an additional jump at the start of the Russian invasion of Ukraine.
- Number of victims of big game hunting (e.g., extortion, ransomware) also fluctuated up to six times between low and high moments. The first and highest peak started September 21, 2021 and ended the week before Christmas. A second, weaker peak was observed early March 2022 into the beginning of May 2022.
These variations may reveal some trends on how eCriminals act. The first lesson is of course that the end of the year is indeed the best time to spam, and in the next section we delve into why people remain especially susceptible to spam and also phishing at the end of the year. A second observation is that command-and-control (C2) servers — the systems that control the bots — remain hard to conquer and are never turned off, not even during the holidays. And third, big game hunters (i.e., ransomware operators and their affiliates) had a very active campaign before last year’s holidays and then took a vacation before coming back.
The Human Mind Remains a Weak Spot
Let’s look more closely at spam’s peak at the end of 2021 and why spam remains a critical tool for adversaries. It’s no secret that there’s a direct relationship between email spam, phishing and scams. The sender’s goal is simple: to mislead or trick the reader into revealing sensitive information, deploy malicious software or steal money via fraudulent schemes.
A recent BBB survey revealed the following on the effectiveness of online scams and how people interact with them:
- Running scams via online channels has become more preferable and more prevalent than using other delivery methods such as the telephone, and results in a higher percentage of targeted victims losing money.
- People are more attracted to “carrots” versus “sticks.” According to the survey, 70% of respondents said they continued the online engagement because they hoped to gain something, sell something or were curious to learn more. That’s compared to 30% who continued the engagement because they feared they would lose something, were threatened or thought there was an urgent situation they needed to address.
- The most common scams leading to monetary loss were those related to online purchase (89%), followed by cryptocurrency (87%), romance (85%), investments (73%), employment (68%) and government grants (64%).
- People reported being targeted by a scam most often while browsing social media (25%), followed by shopping online (24%), emailing (14%), using a search engine (10%) and searching for a job (7%).
Holiday season is the perfect time of year for phishing scams. It’s a time when humans are sensitive to at least three of the four survey findings above as we make more online purchases, receive tons of “carrots” in our inbox in the form of Black Friday or Cyber Monday savings, and spend a lot of time on social media and shopping sites.
Threats to Consumers and Retailers
It’s important to note that targeted victims during the holidays are not just consumers getting tricked in online scams but also retailers or ecommerce sellers. Black Friday, Cyber Monday, Giving Tuesday and the holiday shopping season provide ample opportunities for eCrime actors to conduct malicious campaigns directed against both consumers and retailers. CrowdStrike Intelligence assesses that eCrime actors during this period are most likely to use phishing campaigns, opportunistic scams, payment-system attacks and disruptive operations in the form of data theft, ransomware campaigns or extortion to achieve their objective of financial gain.
Theft of payment data remains an ongoing threat to retailers worldwide after soaring during the COVID-19 pandemic. This threat is often conducted through “form jacking” campaigns. The stolen data, and “form jacking” exploit kits targeting common online store management systems (e.g., OpenCart plugins), are offered for sale on multiple underground forums.
Another notable and trending end-of-year threat are “refund and return” scams. For instance, adversaries may email a “purchase refund request” document to a customer service department, sales representative or consumer tricking the reader into opening a malicious document and installing a form of malware. This tactic combined with usage of cross site scripting (Java Scripting) and malicious web servers is intended to steal information such as credit card, identity and account information that can be monetized later.
Stay Ahead with Threat Intelligence and Digital Risk Monitoring
CrowdStrike continuously monitors cyber crime activity and the underground economy using the CrowdStrike ECX. For example, big game hunters may take off a couple weeks at year’s end when businesses may be closed, while C2 infrastructure remains active. End-of-year spam creates a new funnel of phishing victims, as people are more susceptible when our online activity is different from our regular habits and Cyber Monday “carrots” are offered.
Threat intelligence and constant monitoring of the underground economy offer security risk managers early warning and help them better understand threat activities so they can be prepared.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.