Traffers are the latest threat to businesses arising from the credential theft ecosystem. In this article, Beatriz Pimenta explains what traffers are, how they operate to steal sensitive data; and what sets them apart.
Stolen credentials are a major problem for organizations. According to a recent IBM data breach report, compromised credentials were the primary attack vector of the breaches analysed. Despite best efforts to protect sensitive information, data breaches are all too common with much of the stolen information sold for profit by threat actors. This has led to a rise in initial access brokers (IABs), the sprawl of ransomware groups, an increase in malware prices, as well as an evolution in the credential theft ecosystem which has been influenced by the recent formation and growth of traffers.
In a recent report Outpost24’s Threat Intelligence team, Kraken Labs, took a deep dive into the credential theft ecosystem. The following highlights the most interesting findings from this research, including the evolution of cybercriminal groups and how they are threatening business data today.
What are traffers?
Traffers are more specialised than the average hacker. They are organized groups of threat actors that operate with a pyramid-like structure. They have a panache for credential theft exfiltration - typically using malware stealers to carry out their attacks. The stolen information is then either sold for profit or used for other nefarious purposes.
At the top of the operation and pulling the strings are the ‘administrators’ or leaders. These individuals made the initial investment to form the group. Their responsibilities largely consist of malware research and development, infrastructure creation and recruitment. The administrators will also purchase malware hiding tools, premium Telegram accounts as well as hiring individuals to develop Telegram bots and web developers to create websites where they offer free, pirated, software infected with stealers.
The layer below the administrators consists of the traffers who, by contrast, are younger, have less computing skills and are newer to this format of online criminality. They are the workforce, and these individuals are responsible for spreading the malware as far and as wide as possible.
Administrators will often look to the dark web and other underground forums in search of potential traffer candidates. With that said, traffers are also directly recruited through encrypted chat platforms like Telegram. Once recruited and added into the group, they are then trained in the art of credential-stealing and how to use and deploy malware effectively.
Traffers will largely rely on social engineering techniques to achieve their goal of spreading malware as far as possible on the targeted system. They will be expected to download malware and begin spreading it with the intent of infecting as many devices as possible. A common way of achieving this is through YouTube videos or other social media posts. They would also target victims by driving their traffic with Google and Facebook Ads to fraudulent content. The aim is to entice victims into clicking the ad and downloading whatever product the page purportedly offers. Yet, as expected, the user will get infected with malware, instead of downloading the desired software.
The traffer ecosystem is a network and each group of traffers have their own established means of communication (mainly chat channels) where they talk about a wide variety of topics. This includes what they have earned as well as exchanging knowledge around new techniques, procedures, tools, etc.
How have traffers changed the underground market?
The creation of subscription-based cloud offerings - like the Telegram channels as dedicated marketplaces for stolen credentials has changed the traditional credential market into specialised shops and forums. These Telegram channels act as an online marketplace where logs are constantly added by traffers, and buyers can access stolen credentials (instead of buying log batches as was customary in the past).
This is clear evidence of the cybercriminal underground market developing to meet the demands of its clientele. The traffers model provides a consolidation of a lot of elements that had not been seen before: the professionalisation of service providers, creation of new services, improvement of products, increase in product prices based on demand. For example, since the rise of traffers and similar subscription-based models, the price of stealer malware spiked by 2000 percent in 2022.
Avoiding credential theft
The rise of the traffers model is another concern for security professionals and organizations around the world. Once a victim's identity or information has been stolen, this will act as a catalyst for the attacker to use the information to potentially reset passwords, deny the victim access to their accounts, download sensitive data, or use the credentials to navigate onto other accounts or systems.
Organizations and individuals that wish to reduce the possibility of falling victim to a credential-based attack, must reinforce the need for the workforce to improve cyber security awareness and follow cyber security best practices. For those responsible for their organization's security, its necessary to invest in cyber threat intelligence to effectively detect compromised credentials in real-time as well as remediation solutions to adequately protect and reduce the impact of a malware infection.
Security steps to help organizations and individuals include:
- Ensure security policies are adequately configured across Internet browsers used by individuals. This also involves disabling passwords being saved and auto filled on browsers because stealer malware can easily obtain credentials stored on Internet browsers.
- Prevent users from downloading and installing software from the Internet. This measure will block individuals downloading ‘cracked’ software on corporate and personal devices.
- Invest in a password manager for the company so that every user has assistance when creating passwords and storing them securely.
- When available, have multi-factor authentication activated on internal and external systems and applications.
- Have security awareness training to arm users with the knowledge to identify the latest threats as well as how to spot red flags or fraudulent activity online.
With the cybercriminal landscape continuing to change and traffers becoming more prolific and profiting from credential theft, the need for comprehensive cyber intelligence and defence has never been greater. Organizations must take a proactive stance to protect their most valuable commodity which is sensitive information. By adopting the security practices mentioned above, they can help build the necessary awareness and defence to keep credentials and data safe.
Beatriz Pimenta, Threat intelligence analyst, Outpost24.