Automation is something businesses in almost every sector are familiar with, as part of their efforts to make systems more efficient. It’s something that the cybersecurity industry is increasingly using, with automated data collection and processing playing an ever-growing role in protecting against data breaches and cyberattacks.
But now, in the same way that they’ve picked up other techniques from business, cyber criminals and hackers are also increasingly turning towards automation to help conduct malicious campaigns, making it easier for them to scale up their operations.
In fact, almost all of the tools and services used in active hacking campaigns or traded on dark-web forums now have some level of automation – and researchers at security company Recorded Future have analysed underground economies and detailed 10 of the most common automation services used by hackers to facilitate campaigns.
The simple reason cyber criminals are automating processes is because they see it as an avenue for more successful attacks and generating larger amounts of profit, more quickly and more efficiently.
SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
“Threat actors have realized that, even though in the short term it may seem that you can have a bigger windfall if you do everything from beginning to end, in the long run, if you focus on doing one thing very well, you will likely make more money,” Roman Sannikov, director of cybercrime and underground intelligence at Recorded Future, told ZDNet.
The 10 types of automated tool listed in the report aren’t in any particular order, but researchers note that they’re all extremely useful to cyber criminals looking to boost their illicit activity. Automated tools are used in the following areas:
1. Data breaches and sale of databases
The sheer number of cyberattacks and data breaches means there’s always new private information entering the underground market. In many cases, those distributing the database won’t sell its contents entirely, but rather will use automation to pick out the most valuable data, such as email addresses, passwords, payment card data and other personal information, before selling this on for a profit.
2. Brute force attacks
Credential stuffing and brute force attacks are one of the most common means of threat actors automating cyberattacks. Using a list of stolen or commonly used passwords, it’s possible for attackers to fully automate breaking into accounts, with an automated password cracking tool doing all the work for them to gain access to accounts.
3. Loaders and cryptors
Loaders and cryptors allow threat actors to obfuscate and deliver malicious payloads, bypassing antivirus products whenever possible. In many cases, low-level attackers don’t have the expertise to deliver malware or ransomware to their victims, so authors of the malicious software are automating the processes in advance, allowing the attackers to install the malware without any hands-on input. Sometimes they’re able to make minor changes with a simple user-interface, but for the most part it’s hands off, with the initial author having automated the service at the start.
4. Stealers and keyloggers
Stealing information is at the heart of a lot of hacking and cyber criminals can use preconfigured tools to steal login credentials from popular websites, or even a preconfigured keylogger that monitors all the activity by an infected user, allowing attackers to steal sensitive data.
5. Banking injects
Powerful tools that are widely available on the dark web, banking injects are modules that are typically bundled within banking trojans that inject HTML or JavaScript code into processes to redirect users from legitimate banking websites, to fake ones designed to steal details. While these tools are typically expensive – they can sell for four figures on underground forums – they provide users with an automated kit that they can use to make that figure back many times over and with little effort.
6. Exploit kits
Exploit kits automate the exploitation of known web-browser vulnerabilities in order to enable successful infections to deliver other forms of malware – and because the process is entirely automated, they’re a key element of the infection playbook. The Fallout exploit kit remains one of the most commonly used today.
7. Spam and phishing
Email spam is one of the simplest cybercrimes to operate, with attackers indiscriminately using automated software to generate email addresses and send out low-level scams, such as get rich quick schemes, fake gift vouchers, phoney messages about locked accounts and more to potentially millions of victims at once. This takes little effort to set up, so even if only a handful of victims are compromised it’s still worth it.
SEE: Coronavirus-themed phishing attacks and hacking campaigns are on the rise
Spear phishing is slightly more complex due to the use of social engineering and more complex attack techniques, but it’s still possible to automate large areas of the attack with the use of templates and frameworks that can easily be acquired on the dark web.
8. Bulletproof hosting services
Bulletproof hosting services (BHS) are one of the cornerstones of the cyber-criminal economy, with the providers of BHS promising to hide malicious activity and prevent shutdown by law enforcement. Many dark-web forums run on these kinds of services, with the aid of automated techniques, like geo-spoofing, to prevent any sort of detection as to where the service is hosted or who by.
9. Credit card sniffers
Underground forums are full of trade in sniffers, malware designed to steal card-not-present data from the checkout pages of online shops – and this data is extremely valuable, be that for the attackers to use it for themselves or to sell it onto others.
Much of the process is based around a malicious JavaScript injection that automatically collects payment card information and personal data of customers, sending that directly to an attacker-controlled command and control system for further exploitation.
10. Automated marketplaces
Making money in crowded dark-web forums can be a tricky business, given the amount of buyers and sellers looking to take part. In order to beat other users, some vendors and buyers use automated services to make deals. Criminals can download a plug-in and follow simple instructions to set what they want to buy or sell, then fully automate the process – all while remaining completely hands-off.
But while attackers are doing all they can to make conducting hacking, illicit trading and other cyber-criminal activity as simple and efficient as possible, cybersecurity teams can help protect against automated threats by ensuring awareness about these operations.
“We believe the most effective tools against criminal automation is awareness of the tools and services they’re using – specifically understanding new tools and services as they are released and as they evolve and are updated,” said Sannikov.
“As threat actors increasingly utilize automation to scale their efforts, network defense teams must embrace a similar approach,” he concluded.