Users of cybercrime forums often fall victim to info-stealers, researchers find
While cybercriminals are busy looking for victims, they might be quietly under attack as well, according to new research.
After analyzing millions of computers infected with info-stealing malware, researchers at cybersecurity firm Hudson Rock said they identified 120,000 that contained credentials used for logging into cybercrime forums.
Although it’s difficult to say whether those devices were owned by cybercriminals, the researchers said they were able to identify the real identities of some hackers through additional credentials found on the devices, such as email addresses, usernames and phone numbers.
“These findings tell us that just as ordinary people fall victim to info-stealer infections, hackers are susceptible to them as well,” Alon Gal, chief technology officer at Hudson Rock, told Recorded Future News.
The study also shows that while cybercrime forum users might prey on ignorant victims, they aren't necessarily tech-savvy themselves, he added.
“This is particularly true for budding cybercriminals who have not yet developed a full understanding or appreciation of operational security practice, or even have begun to fully operate in a criminal manner,” said Tim West, head of cyberthreat intelligence at WithSecure.
Hudson Rock analyzed the top 100 cybercrime forums and discovered that Nulled.to has the largest number of compromised users – over 57,000. It is followed by Cracked.io and Hackforums.net.
These forums share content such as leaked data dumps, porn or cracked software for free.
“Oftentimes these freely shared links are either just malware like stealers or downloaders or are backdoored or maliciously modified versions of the alleged cracked software,” Marisa Atkinson, senior analyst at cybersecurity firm Flashpoint, told Recorded Future News.
The researchers also looked into the passwords of the compromised forum users and found that the forum with the most “secure” user passwords was Breached.to, while the one with the weakest passwords was the Russian site Rf-cheats.ru. In general, the passwords on cybercrime forums were stronger than those seen in many other sectors, according to the report.
The majority of info-stealer infections were attributed to the Redline stealer, followed by Raccoon and Azorult.
These attacks weren’t directed at any specific targets. “Info-stealer infections of this kind are opportunistic,” Gal said. “Hackers are trying to infect as many computers as possible, some of which happen to belong to hackers.”
According to Hudson Rock, info-stealer infections have surged by 6,000% since 2018. They've become the main method that threat actors use to initially breach organizations and carry out various cyberattacks like ransomware, data breaches, account takeovers, and corporate espionage.
The fact that hackers themselves can become targets of such attacks can have a significant impact on the industry, according to Gal.
“Law enforcement agencies stand to gain significant benefits from these findings, as the data could serve as crucial evidence for attributing cybercriminal activities,” he said.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.