COVID-19 pandemic: Through the cybercriminal’s eyes

By the Intel 471 Intelligence team. Cybercriminals’ exploitation of the global Coronavirus Disease 2019 (COVID-19) pandemic (in phishing lures, for example) has been covered widely in the media. But one underreported aspect is how the coronavirus itself is impacting cybercrime actors, their activities and their infrastructure. Our research of the underground marketplace and these actors show that many of them have had their activities significantly disrupted, but they’re seeing some potential benefits as well. 

Disrupted money-mule networks, long waits for fraud calls

Since late March 2020, we observed several cybercriminals complaining about COVID-19 disrupting their operations. We’ve particularly noticed this with actors engaged in banking fraud. For example, one Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes. Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).

Some criminal reshipping services are also reporting difficulties, due to the increased wait time when calling FedEx or UPS or to increased law-enforcement scrutiny of the packages they’re shipping. In response, they’re raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services. 

Carding tanks…or does it?

You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19. We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes. 

The infamous actor JokerStash came out to explain his lack of availability and admitted being sick with pneumonia, but clarified it was not due to COVID-19 infection. We can confirm JokerStash and the shop he runs has seen a change in normal activity since November 2019, but we’re unsure of the reasons. Any decline in credit-card fraud activity might instead be due to the Russian Federal Security Service (FSB)’s recent dismantling of a hacking group implicated in stealing and selling compromised payment card data through more than “90 online shops.” The shops allegedly were associated with the Russian national Alexey Stroganov aka Flint24 and were covered extensively in open sources.

Actors claim infections

We’ve noted a few actors claiming to have been infected with COVID-19, although these claims obviously are difficult to verify (and it’s not as though cybercriminals have a reputation for being honest and trustworthy). In any case, none of those actors appeared to have altered their online behavior in any significant way, so if they were infected with COVID-19 it looks as though they recovered and have continued with business as usual.

Some cybercriminals see the upsides 

However, we observed other fraudsters state there are potential benefits to be gained from the pandemic, particularly since more businesses are moving to purely online sales. At least one actor has claimed this will make credit-card fraud easier (presumably due to more small businesses moving online). Another actor speculated the upcoming global economic recession (and resultant unemployment) will make it easier to recruit low-level accomplices such as money mules. So the future doesn’t seem all bleak for cybercriminals — although, as with the legitimate economy, there’s still a lot that remains to be seen.