David Hétu, Head of Research at Flare Systems, holds a Ph.D. in Criminology from the University of Montreal. His research focuses on illicit Internet and darknet markets. His findings, published in more than 40 articles over the past 10 years, have helped to better understand the structure and inner workings of the criminal underground.
He spoke at the Forensik 2020 conference, where his presentation revealed the ins and outs of cybercrime. In particular, he showed how job-search ads posted on criminal forums can predict future threats.
We asked him a few questions for our INTRASEC podcast, In Fidem’s cybersecurity channel.
Below is David Hétu’s informative and fascinating interview with our host, Alexandre Cayla, on the hidden face of cyberattacks, with insights to help you anticipate potential threats.
AC: Before getting into the results of your study, we would first like some insight into your data collection. One of the things that struck us about your presentation was the amount of data you fetched. How did you do it?
DH: Offenders are active on a multitude of platforms. Maybe this is where the strength of our work lies: we go searching for our data all over the place.
There has been a lot of talk about the dark web over the past few years. It feels like this is where all the offenders hang out. But what I wanted to emphasize is that while the dark web answers some of our questions, we can also collect additional information on chat systems and forums directly accessible from the Internet.
As part of the presentation, we wanted to determine whether, by analyzing the forums and, more precisely, the criminal employment classified ads, we would be able to understand what is happening in what is called the “criminal underground” on the Internet.
AC: Compared to the other conference presentations, which focus on incident management and response, your presentation was more upfront and focused on how it is possible to understand and anticipate potential attacks.
DH: For me, this is the crux of the matter. We build extremely high walls, but if the attacks come from the air or by digging tunnels, our wall will not serve us much. So, our goal is to understand and generate intelligence on the offenders’ behavior to be able to use the right defenses at the right time.
This is important because in criminology what we often see is how quickly these offenders adapt to these defenses.
This is surely part of why the field of cybersecurity is so active. Offenders are always adjusting and trying!
So, for us, when companies can also adapt in sync with the offenders, they are more likely to block their attacks.
AC: Do you have patterns emerging from your analysis?
DH: We went to see the technologies and skills that offenders were looking for. We know that delinquents use teamwork. Today, no one can tackle a major Canadian bank on their own, at least not without purchasing a product or service from others operating in the illicit community.
So, this collaboration forces them to write messages that say “here is what I lack to attack my target”.
We saw several types of products and services that were in great demand. For example, the development of viruses, particularly the development of single viruses or viruses capable of bypassing security systems. This means that having an antivirus is good, but surely you need other tools to protect yourself.
We also saw a lot of people looking for email hacking services.
AC: Because email is a bit like a key to several other systems?
DH: People usually trust email. Then one can ask them to do certain things, such as money transfers. Take, for example, the “fake president” frauds of recent years, in which employees were asked to transfer large sums of money to bank accounts.
One can also collect usernames and passwords, company maps, etc. We talk a lot about data as the “oil of the 21st century”. Well, this is everything that we can go for when we have access to email.
AC: Another interesting component of your presentation is that on the one hand, there are people who do “basic” fraud with the ECP (Canadian Emergency Benefit), Amazon gift cards, etc., and on the other, we find people who will develop sophisticated viruses. Therefore, we see two very different types of criminals. Can you tell us what these communities look like?
DH: As a matter of fact, we find a bit of everything. Somehow, like what generally happens in society, we see a division of labor among delinquents. Somehow, there will be some people who are going to be extremely good at developing viruses while others at distributing them, and others who are going to be very good at using the fruits of these attacks to make purchases and so on.
One might think that it is easy. Even if I gave you my credit card number today, with all the information, there is not much you can do if you don’t understand how to abuse that information.
Consequently, that is why it is super important to be able to benefit from someone else’s expertise to get it done.
AC: On these platforms, they are all criminals who want to steal from people, but they need to find people they can trust. Somehow, it may seem a bit contradictory. How do they manage to find trusted partners?
DH: My doctoral thesis was precisely about this subject! “How can we create bonds of trust in an anonymous and even hostile context?”
People used to say the same thing back in the 90s about e-commerce: “How can I buy something online and trust the company?” At the time, most companies were very small and had no reputation.
And, somewhat like these companies, we see that delinquents build a reputation online and leave traces of this reputation. They publish profiles on forums and public markets. Therefore, one does not know who this individual is, but knows that 1000 people trusted him. Then, it is very likely someone who has been around for a while and has some credibility.
Another element I spoke about during my conference: we found that there are tools that allow the creation of almost formal “contracts” in which offenders record who is involved, the date, the obligations of each of the parties, what should be paid, to whom, when, etc. They also assign the responsibility for managing these contracts to a third party, who is often a forum administrator.
If all goes well, the third party pays the service provider. If things go wrong to a certain extent, either party can rely on a judge here who will be able to rule whether the money should be returned to the buyer or go to the seller.
In short, there exists a set of tools that can reduce tensions and increase the fluidity of transactions.
AC: Are these tools and services all “alternative” or will some criminals try to use “mainstream” services?
DH: Usually they will use solutions and services which are illegitimate because within the transaction details, there may be obligations such as “provide 5 stolen credit cards”, “provide access to a hacked server”, etc.
It would be a bit surprising to learn that a Laval law firm had managed this type of contract, let’s say.
AC: Are these types of analysis an ongoing part of your research projects? How do you find such information? How do you use it? What is the end goal?
DH: Our goal is to collect as much data as possible so that we can pre-analyze it and enable our customers to better understand the threats that attack them. In this case, this is the kind of ad-hoc research we are going to offer our clients.
One can collect millions of pages, millions of keywords. The number of people who will mention a company can be astronomical. Should one ask a small cybersecurity team to receive 20,000 alerts per day, that does not make sense.
Therefore, we will filter and prioritize the alerts and show which ones are important and we will show the kind of intelligence we can develop.
AC: Because typically people will mention their targets?
DH: Yes, indeed! Often, it is going to be company names, but it can also be platforms such as WordPress or e-commerce platforms.
Our work can help to determine if the platforms one uses are very targeted or not.
We will also see company names, like Amazon, but there is less chance that we will see the name of a small company in Beauce, for example.
This is infrequent because offenders will generally be less interested in a particular site and more in platform breaches. Using the Beauce company as an example, hackers will end up penetrating its systems simply because it uses a certain technology.
AC: So, in a way, these attacks are often not personal: “I will not attack your site because I find it interesting, but I will penetrate it because I know a flaw in the systems that you used.”
DH: Exactly. We will see that delinquents will be relatively opportunistic and will try to find as many victims as possible. And then they will sort it out.
We also see more targeted attacks, but since certain vulnerabilities are so widespread, criminals will not necessarily be choosy and will try to enter as many systems as possible.
AC: Therefore, one of the biggest challenges is identifying which threats are most serious or finding the ones that would have the most impact?
DH: Exactly! In this regard, we try to assess the actors’ credibility and then base ourselves on the level of detail that people provide.
So, if someone says, “I am able to access any JPMorgan Chase bank system in the United States,” and it is the first time this person is being seen, one would likely doubt its credibility.
If it is someone who has been around for several years, this individual has a certain popularity rating. If this person mentions that he or she is going after regional banks and, all of a sudden, comes forward and says, “I made it all the way to Chase!”, there is more credibility here.
Therefore, typically, we will look at the history, the number of comments, the level of detail, etc.
During my presentation, I showed a video where the offenders were saying “I am able to reach JPMorgan Chase and here is a video of me logging into the JPMorgan Chase infrastructure”. In these cases, there are alerts that will go off and this is a threat one should probably watch out for.
AC: In your presentation, you showed a small table that contained the types of threats, but not necessarily the ones that had the most impact or fallout.
DH: We will see that the types of threats vary significantly from one platform to another. People sometimes think that the “dark web” is like a monolithic block, but we witness that delinquents group together according to their interests and their geographic origin.
Thus, we are going to have more Canadian criminals in Canadian forums, even though there are people coming from all over the world.
We saw it when we analyzed Canadian forums: we saw several conversations about Canadian banks, but we gathered very little information about attacks against European banks, particularly French ones.
This issue was fixed once we added other forums to our analysis. Suddenly, we were able to discover attacks against French banks, whereas before, we would have thought that they were better protected or less targeted by cybercriminals.
Another rather interesting case is that of a forum where there was a lot of talk about money laundering. For example, if I have access to a PayPal account that holds $2,000, I cannot make a transfer to my own account because it is very easy to trace.
Consequently, we will see that criminals try to exchange it for other things such as Amazon gift cards. These cards can be used in many places and are almost like cash.
With this knowledge, enterprises might pay closer attention should a new client wish to make a purchase with an Amazon gift card. They may decline the transaction, thinking that the card may be fraudulent.
AC: Now that we understand the situation and the type of information you are offering, how can a company use this information to better protect itself?
DH: The point really is to understand where the threats are from. Are people going to come after me in a technical way or using social engineering? And then we try to see which attacks were successful.
It is difficult to detect that attacks have happened. Often, it takes several months before the breach is detected, so we want to try to find these breaches as quickly as possible.
Videos that have been shared by offenders can be used to identify stolen information, systems that have been breached, and also to understand the patterns that may have been used to access the systems.
Consequently, our work is often going to be combined with other cybersecurity services, sometimes a little more technical, and we will guide them on where to look.
AC: Looking at everything you have seen this year, what do you think we should expect this forthcoming year? And, furthermore, what would you like companies to do to better protect themselves?
DH: Nothing is necessarily new, but what we mostly hear about right now are ransomware attacks and we expect this type of attack to keep increasing. My best wish would be to provide training to employees so that they understand the existing threats and their level of responsibility. As an employee, one does not necessarily realize all of the information that is readily available and the consequences of people’s actions.
I think that, in the last few years, a lot of training has been given about phishing where people have been told to stop opening any attachment. It is important to carry on instilling this questioning in people: When someone calls me, is it really that person? Is it okay for this individual to ask me to transfer money? Etc.
99% of these requests will be legitimate, but we must keep this critical wisdom. This is what will make the difference between an increase or a decrease in cybercrime in Canada.