Carding market doubles in the midst of coronavirus pandemic, reports Group-IB

The last year — a harrowing period for the world economy because of the Covid-19 pandemic — was also marked by the rise of the underground market for selling access to corporate networks and a more than two-fold growth of the ‘carding’ market.

Threat intel firm Group-IB reports that sales of access to compromised corporate networks grew four-fold over the last 12 months.

The increase was driven, in part, by state-sponsored attackers joining this segment of the cybercriminal market as a means to monetize compromised access to corporate networks.

In the first six months of 2020 alone, 277 offers of access to corporate networks were put up for sale on underground forums.




Most threat actors offered access to US organizations (27%), while manufacturing was the most frequently attacked industry in 2019, accounting for 10.5% of cyber-attacks.

In 2020, demand for access to state agency networks (10.5%), educational institutions (10.5%), and IT companies (9%) was high.

“Selling access to a company’s network is usually only one stage of the attack,” Group-IB reports.

“The privileges gained might be used for both launching ransomware and stealing data, with the aim of later selling it on underground forums or spying.”

Group-IB senior digital forensics analyst Oleg Skulkin told The Daily Swig that the increase in corporate network compromises is fueling the ransomware surge.

“We have recently seen that many threat actors, especially those operating ransomware, focused on big enterprise networks,” Skulkin explained. “It allowed them to grow their ransom demands up to millions of dollars.”

Skulkin continued: “As it’s not important for such actors whom to attack, it became quite common for them to buy access from a third party, so they can save their resources for post exploitation and ransomware deployment.”



Ransomware gangs switching tactics

Released this week, Group-IB’s Hi-Tech Crime Trends further reports a surge in ransomware attacks. Over the last 12 months more than 500 such attacks were reported in more than 45 countries.

A major ransomware “plague” outbreak was detected in the US, with the country accounting for about 60% of all known incidents.

The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).




The Maze and REvil ransomware strains accounted for more than half of all successful attacks, Group-IB estimates. Ryuk, NetWalker, and DoppelPaymer also accounted for a great deal of damage.

In late 2019, ransomware operators adopted a new technique: they began downloading all the information from victim organizations and then blackmailed them in order to increase the chances of the ransom being paid.

The Maze cybercrime gang (who allegedly called it quits not long ago) pioneered the tactic of publishing sensitive data as part of ransomware-based extortion scams.

In June 2020, REvil began auctioning off stolen data as a side hustle, Group-IB reports.

Cashing out

Elsewhere in cybercrime, the carding market grew by 116%, from $880 million to $1.9 billion.

The growth applies to both textual data (bank card numbers, expiration dates, account holder names, addresses, CVVs) and dumps (magnetic stripe data).

Dumps are mainly obtained by infecting computers that have POS terminals connected to them with special Trojans, which then collect card data from random-access memory.

Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers.

Group-IB is currently tracking the activities of 96 JavaScript sniffer families. Over the past year, nearly 460,000 bank cards were compromised in JS sniffer attacks (such as Magecart), according to Group-IB.

Spycraft turns destructive

According to Group-IB’s latest threat intel report, the physical destruction of infrastructure is replacing espionage as a motive in many military operations in cyberspace.

The nuclear industry has become a prime target for attacks, the researchers claim.

Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.

According to data analyzed by Group-IB, Asia-Pacific became the most actively attacked region by state-sponsored threat actors.

Group-IB’s Hi-Tech Crime Trends report was presented at its international conference, CyberCrimeCon'2020, which concludes on Thursday (November 26).

