How digital ‘drifters,’ eager to turn an easy profit online, fuel the malware marketplace

New research presented during Black Hat 2021 in Las Vegas on Wednesday reveals the important role of amateur, and amateurish, players in sustaining the cybercrime ecosystem.

The cybercrime underground is often portrayed as driven by a small number of highly motivated and capable actors with criminal intent — bot herders, ransomware masterminds and spy chiefs. But new research suggests it is sustained by a huge penumbra of individuals simply trying to earn a living off the internet — a portion of whom over time drift into criminal activity.

“What we conclude from our analysis is that there is a large informal workforce evolving at the periphery of the malware industry that is necessary to its operation,” Masarah Paquet-Clouston, a security researcher for GoSecure, told a virtual session at the Black Hat security conference in Las Vegas Wednesday.

She compared these “drifters,” moving from the informal economy to the cybercrime ecosystem, to the street-level dealers and enforcers — often drug addicts themselves — who make the operations of transnational drug cartels possible. “They’re not the masterminds behind … the cartels. But if we take them off the streets, maybe we can tackle the [drug] problem differently,” she said.

This picture of an informal, opportunistic workforce that fuels cybercrime emerges from a unique dataset, uncovered in 2019 by researchers from Stratosphere Labs investigating the Geost banking trojan. Geost was a malware package that targeted Russian-speaking Android users and infected an estimated 800,000 of them.

The dataset included both private text chats on Skype among a small group of individuals with access to the Geost command and control infrastructure and several much larger sets of messages posted in public or semi-public forums. It was analyzed using both quantitative and qualitative methods.

The Geost insiders whose Skype chat logs were leaked also posted on a public message board, according to Paquet-Clouston: a “shady” — but not explicitly criminal — Russian- and English-language online forum called SearchEngine.guru. The forum, where users discussed techniques for internet affiliate marketing and web search engine optimization (SEO), was where the Geost insiders sought to recruit business partners to help them develop tools to spread the trojan or find ways to cash out the proceeds.

The forum users, Paquet-Clouston said, were workers in an informal internet economy — earning money under the table, and thereby putting themselves on the wrong side of the law, but not necessarily doing anything inherently illegal.

Significantly, the insiders were extremely discreet in the public forum — despite the fact that their operational security was flawed, which is what led to the discovery of Geost in the first place.

“What’s really striking here,” said another of the researchers, Serge-Olivier Paquette, senior manager of data science for Secureworks, “is that never, in all their public interactions, did they mention Geost or talk about spreading malware, even though a lot of these business interactions were about creating” specially modified versions of Android gaming software that would infect anyone who downloaded it.

But this kind of discretion makes it very difficult to tell who else in the public forum might also be engaging in serious criminal activity.

To better understand the relationship between those working in the informal — or “shady” — sector, and those involved in serious criminal activity such as propagating a banking trojan, the researchers used a huge database of postings from cybercrime forums compiled by Flare Systems.

Unlike SearchEngine.guru, these forums, on both the clear web and the dark web, “openly advertise themselves as criminal spaces,” Paquet-Clouston said.

By looking for posts on these forums by individuals employing the same username or handle as someone who posted on SearchEngines.guru, the researchers concluded that about 7 percent of the forum users were “crimino-curious” — posting on other, openly criminal message boards as well.

Over time, as many as 25 percent of these drifters migrated exclusively to the explicitly criminal forums, abandoning the informal economy for the cybercrime ecosystem.

But more than three-quarters of the drifters remained merely “crimino-curious,” she said, “mainly posting on the informal economy platform and … only a little bit in the cybercrime ones.”

This mass of “crimino-curious” users provides more serious criminals both a pipeline for enlisting potential partners and camouflage — allowing them to hide their recruiting and communication in among the mass of relatively innocent users.

But even those doing the recruiting, like the Geost insiders whose Skype chat logs were leaked, are typically far from being the criminal masterminds of popular imagination. The translated texts of their chats show them wrestling with their own technical ineptitude, poorly designed tools and the unreliability of their business partners. They also complain constantly about how little money they are making.

“This is light years away from being some kind of mastermind behind a large-scale botnet,” said Paquette. Even the Geost insiders did not seem at all skillful or especially motivated.

“We have this black and white mentality,” he noted, in which all those involved in cybercrime were sophisticated and malicious botmasters. The reality was very different, and replete with opportunities to intervene, on both a macro and micro level, to head off the transition into cybercrime.

“Understanding their real motivations, and realizing that for them, this is earning a living, suggests that … sometimes, if they would have another alternative for a job, maybe they would not drift into crime.”