Researchers from IntSights observed a sharp increase in the use of popular instant messaging apps over the past year among threat groups.
Threat groups are increasingly leveraging popular instant messaging platforms such as Telegram and Discord to buy, sell, and exchange criminal goods, advertise products, and communicate with each other.
Much of the popularity has to do with the secure, encrypted, peer-to-peer communications available with these platforms, allowing criminals to transact business relatively openly while avoiding scrutiny from law enforcement.
The trend highlights the need for organizations to pay closer attention to malicious activity on IM channels, says Etay Maor, chief security officer at IntSights, which this week released a report based on a yearlong study of IM usage among criminals.
“Enterprises should be aware of the changes and trends in threat actor behavior,” Maor says. Organizations that wish to stay ahead of the curve have to know how and where threat actors communicate. “Security is not a static ‘check, we are done here’ process. Enterprises have to make sure they know what the threat landscape looks like, how and what their adversaries are planning,” he says.
IntSights’ researchers observed a substantial increase in IM platform usage among threat actors between January 2019 and January 2020. Data pulled from the company’s proprietary external threat intelligence platform and other sources showed platforms such as Telegram, Discord, and ICQ to be especially popular among criminal actors.
IntSights researchers counted more than 56,800 Telegram invite links and some 223,000 mentions of the application across cybercrime forums during the one-year period, suggesting it was the most widely used platform. It was also the most heavily discussed on non-English language forums.
However, Discord — a popular chat and IM platform among gamers — appeared to be the fastest-growing platform within the criminal community based on the over 392,00 mentions of the app in forums used by threat groups. ICQ, a messaging system that’s been around since 1996, ranked third in popularity based on the number of invite links to ICQ chat groups and the number of mentions on criminal forums. Other platforms that cybercriminals are using, but somewhat less widely, include WhatsApp, Skype, IRC, and Signal.
IntSights researchers found that groups engaged in financial fraud — such as selling or buying stolen payment card data, physical goods, and counterfeit products — tended to use IM platforms more heavily than other crooks. Generally, cybercriminals also tended to use these platforms to share news, exchange vulnerability, and exploit information and cite research work from within the cybersecurity community. “Threat actors leverage the real-time communication to inform each other of any fresh cyber landscape news that could impact their future efforts,” IntSights said in its report this week.
Reasons Why IMs are Popular
Maor says there are several reasons for the popularity of IM apps and services among cybercriminals. Chief among them are operational security, relative ease of use, accessibility by mobile users and automation. “While you can install a mobile Dark Web browser, IMs are much easier to access on mobile platforms, giving threat actors the ability to communicate on the go,” Maor says.
The solid, end-to-end encryption available with many modern IM platforms gives attackers a way to conceal their activity from law enforcement more so than possible on the Web. “It is known that law enforcement agencies have the capability to track and attribute Deep and even Dark Web communications on forums,” Maor notes.
As one example, he points to “Operation Bayonet,” the international law enforcement operation that resulted in two of the most notorious Dark Web markets — AlphaBay and Hansa — being taken down. Such takedowns have pushed threat actors to using IM platforms more heavily recently.
Communications on IM are also more challenging to break into, especially on platforms that allow users to create their own servers. IM protocols like Jabber — now known as Extensible Messaging and Presence Protocol (XMPP), for instance — allow cybercriminals to operate their own private networks with no outside interference, Maor says.
IM platforms by nature also have a quick turnaround time, as opposed to forums where criminals first post and then have to wait for a reply. Tools like chatbots allow for automated replies and advertising on chats, helping threat actors achieve more in less time, he notes.
IM applications have been around for some time, and in fact were the go-to platform for criminals in the past. When dark web forums began increasing in popularity, IM apps were used mainly for out-of-channel communications and closing deals. “Now, with rise in popularity of secured, encrypted IMs,” Maor says, “more and more threat actors [are moving] every aspect of their business there.”
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio
Follow me for more information.