Traffers threat: The unnoticeable thieves


Cybercrime comes in many different flavors, most of it financially motivated. Phishers, fraudsters and malware operators are the most visible, yet other profiles in the cybercrime economy play a crucial role while staying very discreet: traffers.

A new report from Sekoia sheds light on traffers' activities.

What is a traffer?

Traffers, from the Russian word “Траффер” and also referred to as “workers,” are cybercriminals responsible for redirecting Internet users' network traffic to malicious content that they operate, this content being malware most of the time.


Traffers are typically organized as groups and compromise websites in order to hook the traffic and bring the visitors to malicious content. They might also build websites serving the same purpose. As revealed by Sekoia researchers who have monitored Russian-speaking cybercrime forums, the traffer community is made up of both highly skilled profiles and newcomers, making it a good entry point for beginners in cybercrime.

The “lolz Guru” underground forum in particular shows constant creation of new traffer groups: each month of 2022 saw between five and 22 new traffer teams (Figure A).

Figure A

Image: Sekoia. Number of new traffer teams created monthly on the Russian-speaking cybercrime forum Lolz Guru.

Once created, a traffer group might evolve and reorganize, merge with other groups or restart from scratch, which makes it difficult to assess the longevity of traffer groups. One administrator of such a team has indicated it cost him $3,000 to create a traffer team of 600 people before selling it. A traffer team called “Moon Team” was priced at $2,300 in May 2022.

The typical organization of such a group is pretty straightforward: One or several group administrators lead the traffers but also handle the malware licenses and the analysis and selling of the logs collected by the traffers (Figure B).

Figure B

Image: Sekoia. Typical traffer group organization.

What are traffer group methods?

The main activity of traffers consists of redirecting Internet users to malware, 90% of which consists of information stealers. The information stolen by the malware can be valid credentials for online services, mailboxes, cryptocurrency wallets or credit card details. All of those are called logs.

The team administrators sell those logs to other cybercriminals who exploit this data for financial gain.


The administrators are also responsible for handling the malware they need, buying licenses from the malware developers and distributing it to the group.

The administrators also provide their team members with a kit containing different resources:

  • Constantly updated malware files (also called “malware builds”) ready for use.
  • A crypter service or tool, necessary to encrypt or obfuscate the malware files.
  • A manual and guidelines for traffers.
  • A search engine optimization service to improve the visibility and number of connections to their infrastructure.
  • A Telegram channel to communicate easily between team members.
  • Telegram bots for automating tasks, such as sharing new malware files and creating data.
  • A dedicated log analysis service to make sure the logs sold by the administrators are valid.

Once recruited, traffers are able to get the malware files and distribute them through redirections from compromised websites. They are paid based on the quality and quantity of information they collect from the malware they deploy.

Traffers are often challenged in competitions organized by the administrators. The winners get extra cash and access to a professional version of the membership. This access allows them to use a second malware family and get better services and bonuses.

Each traffer uses their own delivery chain as long as it abides by the team requirements.

According to Sekoia, typical delivery methods include websites masquerading as blogs or software installation pages and delivering password-protected archive files in order to avoid detection. Experienced traffers seem to have a very good understanding of marketing platforms and manage to increase the promotion of their websites through those services. The downside of this kind of delivery method for the attackers is that it generally hits a lot of victims and is therefore more quickly detected than other delivery methods.

The 911 infection chain

Most traffer groups monitored by Sekoia are in fact exploiting a method called “911” in underground forums.

It consists of using stolen YouTube accounts to distribute links to malware controlled by the traffers. The traffer uses the account to upload a video enticing the visitor to download a file, disable Windows Defender and execute it. In most cases, the video is about cracking software. The video explains how to proceed and provides links to tools for installing cracked software, generating a license key or cheating at various video games. Once executed, those files infect the computer with malware.

The malware is usually stored on legitimate file hosting services such as Mega, Mediafire, OneDrive, Discord or GitHub. In many cases it is a password-protected archive file, which contains the stealer malware (Figure C).

Figure C

Image: Sekoia. 911 infection chain used by traffers.
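
From a defender's point of view, the 911 chain leaves an ordered trail on the endpoint: an archive download from a file hosting service, Windows Defender being switched off, then an execution from the download folder. The following is an added example, not code from the article or from Sekoia's report, that correlates those three steps per endpoint; the event schema, the hostnames chosen for the listed services and the 30-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Hosting services named in the article; the exact hostnames are assumptions.
FILE_HOSTS = ("mega.nz", "mediafire.com", "onedrive.live.com",
              "cdn.discordapp.com", "github.com")
ARCHIVE_EXT = (".zip", ".rar", ".7z")
WINDOW = timedelta(minutes=30)  # assumed correlation window

def is_archive_download(ev):
    host = ev.get("host", "").lower()
    on_file_host = any(host == d or host.endswith("." + d) for d in FILE_HOSTS)
    return (ev["type"] == "download" and on_file_host
            and ev["file"].lower().endswith(ARCHIVE_EXT))

def find_911_chains(events):
    """Return (endpoint, path) where an archive download, a Defender shutdown
    and a run from Downloads occur in that order within WINDOW of the download."""
    hits, state = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        s = state.setdefault(ev["endpoint"], {"dl": None, "av_off": False})
        if is_archive_download(ev):
            s["dl"], s["av_off"] = ev["time"], False
        elif s["dl"] is None or ev["time"] - s["dl"] > WINDOW:
            continue  # no recent download to correlate with
        elif ev["type"] == "defender_rtp_disabled":
            s["av_off"] = True
        elif (ev["type"] == "process_start" and s["av_off"]
              and "\\downloads\\" in ev["file"].lower()):
            hits.append((ev["endpoint"], ev["file"]))
            s["dl"], s["av_off"] = None, False
    return hits

# Constructed sample events in a hypothetical normalized schema.
SAMPLE_EVENTS = [
    {"time": datetime(2022, 9, 1, 10, 0), "endpoint": "pc-01",
     "type": "download", "host": "mega.nz", "file": "Setup_Crack.zip"},
    {"time": datetime(2022, 9, 1, 10, 3), "endpoint": "pc-01",
     "type": "defender_rtp_disabled"},
    {"time": datetime(2022, 9, 1, 10, 5), "endpoint": "pc-01",
     "type": "process_start", "file": r"C:\Users\a\Downloads\Setup_Crack\setup.exe"},
    # pc-02: Defender stays on, so the download plus execution is not flagged.
    {"time": datetime(2022, 9, 1, 11, 0), "endpoint": "pc-02",
     "type": "download", "host": "github.com", "file": "tool.zip"},
    {"time": datetime(2022, 9, 1, 11, 2), "endpoint": "pc-02",
     "type": "process_start", "file": r"C:\Users\b\Downloads\tool\tool.exe"},
]

if __name__ == "__main__":
    print(find_911_chains(SAMPLE_EVENTS))
```

Requiring the Defender shutdown between download and execution is what keeps ordinary downloads from legitimate hosting services out of the results.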

What malware is used by traffers?

The information-stealing malware families most used by traffers, as observed by Sekoia, are Redline, Meta, Raccoon, Vidar and Private Stealer.

The Redline malware is considered the most reliable stealer, as it is able to access credentials from web browsers, cryptocurrency wallets, local system data and a number of applications.

Redline also enables the administrators to easily track traffer activity by associating a unique botnet name with the samples distributed by a traffer. Stolen data coming from the use of Redline is sold on multiple marketplaces. Meta is a new malware and is marketed as an updated version of Redline, becoming the malware of choice for some traffer groups.

How to protect yourself from traffers

This threat is closely related to malware and may target individuals as much as companies. Deploy security solutions and antivirus solutions on all endpoints and servers of the company. Operating systems and all software should also be kept up to date and patched to prevent them from being infected through the exploitation of a common vulnerability.

Users should be trained to detect phishing threats and to avoid in all cases using cracked software or tools. Multi-factor authentication should be used whenever possible. A traffer checking the validity of stolen credentials might simply drop them if they are unusable without a second authentication channel.

Disclosure: I work for Trend Micro, but the views revealed in this post are mine.

