An investigation of data-stealing malware logs published on the dark web has led to the discovery of thousands of consumers of child sexual abuse material (CSAM), showing how such data can also be used to combat serious crimes.
“Approximately 3,300 unique users with accounts on known CSAM sources were discovered,” Recorded Future said in a proof-of-concept (PoC) report published last week. “4.2% of them had source identification data, suggesting a higher likelihood of offender behavior.”
In recent years, commercially available information-stealer variants have become a widespread and pervasive risk to operating systems, siphoning off sensitive data such as credentials, cryptocurrency wallets, payment card data, and screenshots.
This is evidenced by new strains of stealer malware such as Kematian Stealer, Neptune Stealer, 0bj3ctivity, Poseidon (formerly RodStealer), Satanstealer, and StrelaStealer.
Distributed through phishing, spam campaigns, pirated software, websites serving fake updates, search engine optimization poisoning, and malvertising, the data gathered by these tools regularly ends up on the dark web in the form of stealer logs, where it is purchased by other cybercriminals to further their own activities.
“Employees save corporate credentials on their private devices or access private resources on the organization’s devices, increasing the risk of infection,” Flare said in a report last July.
“There is a complex ecosystem where malware-as-a-service (MaaS) providers sell information-stealing malware on illicit Telegram channels, malicious actors distribute fake pirated software or phishing emails, and then sell the records of the infected devices on specialized dark web marketplaces.”
Recorded Future’s Insikt Group said it was able to identify 3,324 unique credentials used to access known CSAM domain names between February 2021 and February 2024, using them to unmask three individuals who held accounts on up to four such sites.
Because the stealer logs also contain cryptocurrency wallet addresses, they can be used to determine whether those addresses were used to purchase CSAM and other harmful content.
In addition, countries such as Brazil, India, and the United States had the highest number of users with credentials from known CSAM communities, although the company said this may simply reflect “overrepresentation due to the origin of the datasets.”
“Information-stealing malware and stolen credentials are expected to remain the cornerstone of the cybercriminal economy due to the high demand among malicious actors seeking initial targets,” the company said, adding that it had shared its findings with law enforcement.
“Investigators and law enforcement officers can use infostealer logs to track child exploitation on the dark web and provide insight into a part of the dark web that is particularly difficult to trace.”