Check out these key moments from our recent webinar on the dark web, featuring expert cybersecurity speakers:
- Pouya Ghotbi, Adjunct Faculty at St. Bonaventure University and Solutions Engineer, CyberArk
- Brett Williams, Lead Solutions Engineer, Flashpoint Intelligence
Katie Macaluso: Hello, everyone, I'm Katie Macaluso, and I want to thank you for joining us virtually today for our presentation, Secrets of the Virtual Illicit Underground.
It's hosted by the online Cybersecurity programs at St. Bonaventure University. We're especially excited today to have guest speaker Brett Williams of Flashpoint Intelligence joining us today to give the main presentation. I see that we still have a few people joining us here and logging on right now, but we do have a full presentation ahead, so we're going to go ahead and get started right away.
I've put up some housekeeping items here for you all. So before we jump in, this event is being recorded for future viewing. You're in broadcast-only mode, which means you can hear us, but we can't hear you. So if you do have any questions, please feel free to type those in the Q&A box at any time during the presentation. Also, I just want to let you know that the presentation dashboard in front of you is very adjustable. So there's a media player where our live feed is playing, and you can certainly drag that window to make it larger.
You can also make the slides larger as well, if you'd like. So please enjoy the presentation. We'll go ahead and get started here. On this side, I have our speakers for today.
First, I want to introduce our moderator, that's Pouya Ghotbi, a faculty member of the Cybersecurity programs at St. Bonaventure. He is a native of Australia and has focused his career on security including software security, cloud security, network security, penetration testing, identity and access management, and most recently privileged access management, PAM, primarily in large banks. In addition to his post at St. Bonaventure, he is also a solutions engineer for CyberArk.
We're, as I mentioned, really grateful to have our guest speaker Brett Williams on the webinar today as well. He's a lead solutions architect at Flashpoint Intelligence where he applies intelligence across various use cases including insider, cybersecurity, fraud, e-crime and counter-terrorism. Brett brings extensive and in-depth knowledge of the security landscape and has over 28 years of experience working in IT and security. And then last but not least, we have Marcos Baez with us.
He's an enrollment advisor on our admissions team. He's been working with prospective cybersecurity students since the program began back in 2018. Many of you on this call today have previously expressed an interest in the online master's programs, and may have spoken with Marcos already. So he'll be sharing some information about the program as well at the close of the presentation. Thanks again to all of you for joining us today.
With that, I'm going to turn it over to Pouya to introduce our presentation.
Pouya Ghotbi: Thank you so much, Katie, and hi everyone. Thank you. Thank you all so much for joining us today.
Today, we've got a very interesting webinar and a very, very interesting topic. I just want to give you a very quick background on why we chose this particular topic. So in a lot of our courses within the cybersecurity program at St. Bonaventure, we talk about different tools, techniques and procedures that attackers use to essentially get access to an organization's network and steal their data, and exfiltrate that data, and then use them somehow.
One of the questions that the students always ask and we always talk about is, why do attackers do this? What are essentially the motivations behind this? So one thing that is very important to understand is there's a whole economy behind cybersecurity attacks, and the attackers use that economy to earn money, or they've got other motivations that Brett's going to talk about today. And I thought that it's a very good topic to have a look at, because understanding the motivation behind attacks really helps us to mitigate and prevent those attacks much better.
When I was thinking about this webinar, I thought about Brett. Brett is a very well-known security figure in the whole Asia-Pacific. Almost everyone knows him. He's got a lot of experience in all areas of security. But this particular area, it's his expertise. Yeah, so we're very happy to have you, Brett, on the call today. And looking forward to your presentation. Over to you.
Brett Williams: All right, thank you. Well, good morning, good evening, good whatever time of day it may be. I don't know where everyone is.
But essentially, thanks for the introduction, and I do start to feel a bit old when I hear my bio and my experience. I joined cybersecurity before it was cool, before it had a name called cybersecurity. We just used to call it security. Back then, I actually started in infrastructure where we didn't even have antivirus, because there was really nothing connected to anything back when I started in IT. So how things have changed, I guess. So what I want to do is I'm going to start off with a little bit of history, because when I sort of started in security, we used to call it e-crimes.
Electronic crime, because a lot of the stuff we're going to talk about today is just crime. As with everything in the world, things start off in the physical world, and generally go online, and that's all that's really happened here: cyber criminals, gangs essentially, are using tool sets online, like they would in the physical world. So big crime is nothing new. And I just tried to put a bit of a snapshot of history going back. And from what I could work out when I did my research, 1834 was really what classifies as the first cyber attack, in today's terms.
And that's where a few people, or a couple of guys, attacked the old telegraph system in France to manipulate the stock market, and they were trying to manipulate stock prices. And you can imagine back in those days, doing that across Morse code. I guess, a little bit closer to home for anyone over there on the east coast, fast forward a couple of years, there were a couple of young boys, in some respects, hacking New York's telephone exchange. And pretty much, all they were doing was dropping calls. They were just killing calls and trying to do that.
Now, fast forward; obviously as technology's gotten more and more pervasive in the community, the attackers also got more and more creative. So we saw phone phreaking, trying to get free phone calls. And then we see, if anyone sort of remembers, the first viruses back in the sort of late '60s, early '70s, on mainframes. And then of course we moved into fraud, and more serious attacks. And I guess where it's really come of age in my opinion, and I've lived through some major breaches and done some incident response, is around the 2010 mark. 2009, 2010 is where we started to see some of those sophisticated attacks.
And I think, I look back now to those years, no one really talked about cybersecurity. It was never going to be on the front page of any major newspaper, or on a news bulletin. Whereas I think we have a saying now, there's a cyber attack on any day that ends in Y. I'm assuming in the US, it's no different. Over here in Asia-Pacific, or in Australia, there's something on the news pretty much each week. I think I've counted at least 15 cyber attacks that have made the public news here since January in Australia. So it's getting more and more interesting.
I'm going to touch a little bit on Tor and the Tor network. And see, that really didn't come out until just before, late sort of 2000s, 2008, 2009. So it hasn't been... what we call the dark web hasn't been around that long. I guess a little bit of a refresher for anyone who's sort of looking at threat actors and their motivations.
There's a lot of different categories of threat actors. I sort of put them into one of these five. They do overlap of course. People's motivations change. So naturally, you hear a lot about nation states. These are countries attacking countries. Obviously, if you're in a corporate world, your competitors can be an actor, in terms of competitive intelligence and espionage. Of course, there's the cyber criminals and that's where I'll spend most of my time today talking about cyber criminals and what really motivates them. On the other extreme, you've got the hacktivists. So these are people that are motivated by some sort of ideal, or even some religious ideals.
And they've got a mission to get their voice out. And of course, more and more as we see it, extremism and terrorism are using cyber as a means of either money raising, money laundering, or even potentially as an attack vector. And of course, motivation does change. Be it money, ideology, destruction. Now, of course, what we generally see when we talk about cyber criminals and hackers, this is what we normally see on the news. There's usually the guy in the hoodie in his basement.
But in reality, it's not like that. Of course it does, and there are people in their basements who wear hoodies and do attacks. But the ones we need to be concerned about are really the true cyber criminals. And these are humans, they're people, they're carbon lifeforms that are in it to make money, and they're in it to keep their cost down. And why that's important is because they run it as a business. They run it as a structured business, they run it as a profitable business. In some cases, stats say they make more money than the drug cartels. And as defenders, and cybersecurity professionals, what does that mean for us?
Well, if we make it really hard for them to attack us, we become the harder attack surface, and they'll go on to their next victim, which is not good for the next victim, but good for us. Because they don't want to waste time and/or money just attacking for the sake of it. And of course, if we look at things like phishing attacks, that's a numbers game. The amount of phishing emails they send out is in the millions. On each day, they might only get one or two hits, but as long as they get one hit that makes money, that's all that matters. And we'll talk a little bit about ransomware a bit later. So then the other area I want to sort of talk about here is they are well-structured, and there is a hierarchy in the cyber criminal underground.
Naturally, there's always going to be a boss, someone who's motivated. And that can be an individual, in some cases, for small gangs, all the way up to well-known organized crime gangs, drug cartels and governments. And the reason there's a structure is obviously, there's separation of duties and skillsets. And we'll talk about sort of as a service and cloud offerings, but essentially, I don't need to know how to write malware when I can go get someone to write the malware and I buy that as a service. If I've stolen money and I don't know how to launder it, or I don't know how to process it through a system, I can find a fraudster who can do that for me. So naturally, they all sort of work together and collaborate in different areas.
And we see them collaborate across different forums and different mechanisms for that. So if we talk a little bit about the structure of the virtual underground.
There's the providers, these are the service providers, the people looking to sell something to us. And they go through sort of a structured process. The first is what type of products and services are on offer?
What can I get from this virtual underground? And essentially, it's everything from hot hosting, where it's hosting websites, or hosting a phishing campaign, or maybe what we call bulletproof hosting, something where it can't be taken down by law enforcement. And naturally, they offer malware. If I want to go buy ransomware, if I want to go and buy a remote access tool for an attack, I can go buy that off the shelf in some respects. When it comes to things more like monetization and fraud, they offer cashout services.
So that's where if I steal some cash from somewhere, I've got a credit card, I need to be able to process that money in a certain way. Maybe it's enough for a bitcoin, for example. Fraud support, and talking about that, is that if I want to go buy credit cards, I can go to a service provider to get that. And I guess what we've seen probably in the last maybe three to four, five years really, is the as-a-service. If you look at this on the enterprise side, of what we do in cybersecurity, the whole cloud and software as a service, platforms as a service, it's no different on the other side.
Because like I said, I can go buy services. I don't need to run a botnet myself when I can go rent it by the hour. I can go get DDoS as a service, I can go get phishing as a service, ransomware as a service, and I can pay literally as I consume. Where does all this happen? Right now, we're going to talk a little bit about the dark web and Tor, but I really want to make it clear that this happens everywhere.
And even the dark web is not as big as everyone makes out, nor as scary as people make out, and I'll talk about that a little bit later. But easily, this can happen on the clear web. This can happen in forums, places where people collaborate. They can happen in what we call to find a marketplaces. More recently, probably in the last four years, chat. The world's, fair to say, that we can be very mobile, for the last 10 years, and that means a lot of people using chat services. So think of things like Telegram, QQ, WhatsApp, online social media.
All this can be used as a tool set for both collaboration and other nefarious means. Social media is very, very common for this. The amount of... Just last night, I got pretty much a targeted LinkedIn request, trying to connect to me. It stands out to me because I'm used to seeing them, but a lot of people don't see who they're talking to on social, and they might have non-honest means. But of course, who's buying this? If I've got product to sell, who's buying it? And like I said before about the actors that we see and their motivations, this varies.
Of course, there's gangs buying from gangs. There's the straight criminals wanting to monetize, people launching attacks on customers, or victims I should say. People wanting to buy phishing kits, cardsters, obviously terrorists, and even nation states. We go back to probably the year 2010 when the first APT, or the advanced persistent threat was sort of termed. A lot of custom tools were being written by nation states. They were very sophisticated. Fast forward to the last few years, a lot of times they're using off the shelf products.
You'll hear terms like Cobalt Strike, which is an off-the-shelf pen testing tool. They'll go and buy services from the underground, because again, even though they're a nation state and money's really not their motivation, and they're generally after other sort of geopolitical reasons, they don't want to waste time. They don't want to have to go and write stuff from scratch. Because if you as a defender burn that infrastructure, you discover them, that's a big investment to go and rewrite all that infrastructure. So buying off-the-shelf sort of software or malware or infrastructure like that means they can keep that attack alive in a cost-effective way.
Now, we talk about sort of sources of where we see this type of activity, and we sort of touched on this before.
But think of it as closed and open, rather than deep and dark web and clear web. And the reason for that is, a corporate network, so if I work for a large bank in New York City, my internal network is the dark web, because it's dark to me as a citizen or a person on the outside, because it's protected by firewalls and VPNs. So I guess, an easy way to think about it, anything that is not indexable by Google or other search engines, you can classify as closed source.
And then of course the open source is the things that are indexable. Now, like I said, this is changing all the time, and some of the things we wanted to sort of keep, missions we do here at Flashpoint, is keeping track of those threat actors and where they're collaborating, for our customers to keep track of. So forums and chat services and those types of things. And more and more, alternative social networks, like MeWe and Parler and those types of things, are very much becoming the center of activity. And for those who sort of really don't know what I'm talking about when it comes to the Tor network, or haven't ventured into the underground on that network, it's basically an encrypted routing network, if you like.
I won't go into the history of it; it was essentially invented by the U.S. Navy for secure communications in the military. You essentially need a special browser, or some sort of connection. Traditionally, we talk about Tor and the onion addresses, which is the traditional way. But more and more, we're seeing other types of methods to hide. And really the goal of it is to hide the identity of the user from the source and everything in between. So when I connect to a Tor entry node, it then decides to route me around multiple nodes, and it could be one to two, to 20, 30, across all the other different entry nodes.
And ultimately, I pop out at the other end. Now the difference between that and a VPN, and I encourage anyone who wants to do this to use a VPN as well, is the VPN is generally from you to the VPN exit point, and it's one connection. Whereas Tor can have hundreds of connections in between. Obviously, from the advantage point of view, it makes it difficult to trace back to the source. On the disadvantage side, it makes it incredibly slow. I guess, to some advantage, it's getting a little bit faster than what it used to be, but it's still slow.
Now, the thing to note here is these entry and exit nodes often are taken over by law enforcement, which makes it easy for them to obviously intercept the traffic. And more and more worrying, you also get intercepted by the bad guys. So sometimes you don't know what you're getting into from entry and exit nodes. But ultimately, at a high level, when you hear about the deep and dark web... Mainly the deep web, because as I mentioned, the dark web could be a corporate environment... You're really talking about the Tor network. That's where a good 80% of this happens.
As I said, there's 20% of other types of accessible hidden sources. But in reality, this is where we see most of that activity. As I mentioned, law enforcement often seizes the dark websites. And we call this, I guess a term you guys might be familiar with, the whack-a-mole game, right?
It's cat and mouse, I guess, is a better way to put it. If I'm a bad guy, I spin up an onion site, I get on the Tor network, I start selling my services. Law enforcement finds out about it, they'll seize it, or they'll take over the infrastructure. It's always up and down. Doesn't matter how quickly you bring a site down, a sister site comes up. They're always pivoting. Even if you see what happened with the events that happened in January, in Washington, with the alt-social, when Twitter and Facebook were taking people offline because of their political views.
People were moving to Parler, and MeWe and other alternative platforms. That's just the nature of what happens.
My screenshots look better in the PowerPoint. They're much higher definition, but unfortunately with this online platform, there's a little bit of compression here. This hasn't been blurred for security reasons. This is just by nature.
But I want to sort of give some samples. This is quite a well-known shop. What I really want you to take away from this is these sites are quite sophisticated. They're incredibly easy to use. And I say that, most of them are, these marketplaces. I go in, I have an account, I've got a typical sort of e-commerce experience of what do I want to buy, what's its price, I do a checkout, I pay for it in bitcoin, and it gets sent to me electronically. So really, really easy.
But the other thing I wanted to say about the deep web and the dark web is it's also used for good. It was never built, like anything, for criminal use, just like everything.
People always adapt things for bad things all the time. It's just the nature of the world. But your Facebooks, your big news outlets, like The New York Times, BBC, The Guardian, others, have alternate sites on these, and the main reason for that, if you think about it, is there's a lot of countries and people out there who don't have access to free speech. They don't have the ability to look at other parts of the internet. And the only way they can do that is to hide through the Tor network. So a lot of these sites have these alternates. And of course, if you looked for something like The Guardian, the BBC, they're used by whistleblowers, and we've seen a lot of that over the years.
Just people being able to communicate securely to someone in the press without having their identity exposed. So there's a balance here. So let's jump into having a look at some of the services.
These prices are a little bit old now, because it's changing all the time, but it's not unlike what we see today. So this is what I'm talking about: I want to go buy something as a service, I want to rent something. It's not super expensive to go get a botnet. It's not super expensive to task someone to do a DDoS attack against a competitor, relatively speaking. We're not talking millions and thousands of dollars here. These two examples, again, are a bit hard to read.
I'm hoping there's some context here, but these are just some samples I found recently where the lighter-colored one is a ransomware service. They're opening up their new offerings, they've got some new features. They're looking to also recruit developers. The interesting thing with this post is they have clearly defined rules of where this ransomware can and can't be used, and what their targets are. Believe it or not, some of these gangs do have morals and ethics, so they generally would not target hospitals.
They say that, but it doesn't mean that someone doesn't. And of course, they don't target their home country. So traditionally we see a lot of that; you're not going to attack the Russian, Ukrainian type areas. The one in the darker screenshot there is literally a, I want to go build my own ransomware. I want to sort of grab a kit, go through a wizard and build out my ransomware kit. And this chap here, or this person here, was selling that as a service. So I didn't have to know anything about development or coding.
I buy the product, I run it up and it spits out my executable and I go off and attach that to my phishing campaign for the ransomware attack. These are sort of samples that I found, just again, about services.
So a lot of times on the dark web and in the sources we see, they talk about stress testing. In reality, what we're talking about is a DDoS attack. So, "You can come buy my stress testing tool to stress test your website." A lot of times, this stuff gets put legitimate there. And let's be honest, if you're going to move into red teaming and penetration testing, you'll need some of these tools to be able to do penetration testing. But of course, they can be used for bad. So the first one here is a DDoS stress testing tool. Again, I can download it, I can point it to whatever target I want, and it will launch all the botnets to do a distributed denial-of-service attack.
Phishing is generally the first vector of any attack. So launching thousands and thousands of emails with my malware attached to them is quite cumbersome. So I can go buy phishing panels, phishing kits. So a phishing panel is where if I want to target someone on LinkedIn, or Facebook, or The New York Times, I can go buy a phishing panel that looks and behaves like, and has the marketing and the branding for, that site. So that when I use it, someone thinks that's where they're going to.
And the last one there is a recent one for recruitment. So this is a cyber crime gang looking to hire cybersecurity professionals, programmers and others with certain skill sets to work on their services. So it's essentially a job ad. If we could see that there, you'll see a lot of the skill sets they're looking for are what you're probably being taught right now in university. I always say, there's a fine line from crossing the good to the bad. Everything we get taught in cybersecurity as defenders really enables you to be an attacker, because you can't defend if you don't understand the TTPs and actor motivation.
So this is a recent ad. I think I saw this back in February, end of February. And it was quite detailed, and it had a contact them, where you need to be able to live, what languages you need to be able to speak. So recruitment happens all the time on the... I just want to sort of clarify, these screenshots are from Flashpoint's platform. That's why they look the same. Obviously, one of our jobs is to collect intelligence from these sources, and we present that in our platform to our customers. This is not what the original sites look like.
We hear a lot of talk about zero-days.
And as you talk to enterprises, they always want to be ahead of the next zero-day. But of course by the definition of a zero-day, no one knows about it. Sometimes we get lucky, sometimes we get actors in the collections and marketplaces talking about zero-days, what they've got for sale, and they give you the TTPs, they tell you what it can do. Is it doing remote code execution? Is it going to be targeting a particular version of Microsoft Office or Word? Can it circumvent certain defenses such as Defender or some antiviruses? The one on the left here was from around mid-last year, for IE11 and Excel, remote code execution.
What I found interesting about this is they kept updating every time Patch Tuesday occurred. If you're familiar with Microsoft, they generally do large patches; sometimes they push them out before Patch Tuesday. But the bottom post there basically says next Tuesday's patches, which is on the 8th of September, I think it was. It might be American dates, it might be the other way around. This exploit is still zero-day, so it's still relevant. So we see this came out in July, and so between the 17th of July and the 13th of September, this zero-day was still active, even after a couple of patches were released.
And likewise, the sample down the bottom is a lot of times we get demo videos, which is really helpful from a defense perspective. Because now I can actually watch how the malware, the zero-day, will work on an endpoint, and that may give me a clue to how I point my defenses to stop that zero-day. Moving into more of the...
I don't want to have to worry about malware. I don't want to have to worry about attacking someone and getting a phishing campaign. I just need to get straight to the source. Give me access to something. I want to buy direct RDP, Citrix, network access, VPN access into a corporation. Now sometimes, the majority of these are individual computers at people's houses. So if you look at the prices, roughly what an endpoint would cost in various different regions, most of these are going to be your mum and dad type machines at home, that have been hit by malware and have someone's...
They don't realize they've got malware on there. But for me as a bad guy, I can go rent that. I might use it to launch an attack. Obviously if I'm doing something like fraud, it obfuscates me from law enforcement because it's not me, it's the person's machine I'm using that's been doing the bad stuff. But increasingly, we see actors offering large-scale network access to large organizations.
And there's a couple of different marketplaces that we see this being done in. There's this one here, we call MagBO, I think is the correct pronunciation. This has been talked about quite a bit last year by the press. It's essentially what we call a web shell marketplace. So if you're not familiar with web shells, a web shell is code that gets dropped onto a web server. Generally, e-commerce, because that's where the money is, when people are buying online items. And it gives me access into that website. It allows me to control the web server. It allows me to go in and potentially look at the control panel and grab the credit cards, and the purchase history and what have you.
And sometimes if it's a non-e-commerce site, such as maybe an online dating site, it would get me access to the online dating database. So you can think of all the various different use cases for getting access to a website. They're pretty descriptive of what it is. It'll tell you the website, what access they have, where it's located, the information you can get from it, et cetera. So one of the uses of this is I might be motivated to go and steal the data, and then I want to get that data and monetize it on a shop. And that's where we see that economy of providers versus buyers in the services, where someone does the attack, goes and does all the heavy lifting and steals the data, and then tries to monetize that data.
Mouse in Box, very similar, but this is essentially direct access to endpoints or RDP sessions, so I can go and buy individual computers.
And the pricing there varies from a couple of dollars up to $50, $60 depending on what type of websites the person's got, the passwords, what's on the box itself. This is just a quick screenshot of a very common RDP shop, so you can imagine when you're Googling, there's a lot of computers on the internet that aren't secure, which is incredibly frustrating as defenders, the amount of people that expose things on the internet and don't secure them.
But that means it's pretty easy for us to go and find those and get access to RDP. And generally, this is where we see them compromise through credential stealing malware, et cetera. So I steal someone's credentials, I go and attack them on the RDP. Genesis is another very common one.
I could spend an hour on this marketplace alone, it's so clever and sophisticated. But to really summarize it, when you log onto an e-commerce website, particularly online banking, a lot of times that company will profile your computer. They'll know what time of day you log on, your location, the browser you're using, the types of transactions you do. And that forms what we call a fingerprint. Those fingerprints can be used for anti-fraud. So if I log into my online banking from Melbourne, Australia during nine to five Australian time, but suddenly someone's logging in from China outside of those hours, there's probably a good chance someone's got my online banking credentials.
Genesis allows me to buy copies of people's fingerprints, so when I'm using the computer, I look and behave like the victim. So it sort of fools, puts a smokescreen up in front of, the fraud prevention. And again, there's hundreds of these being published every day. Of course, everyone's probably heard.
If anyone speaks about the deep and dark web, it's identity. It's credit cards. So yes, you can go and buy licenses, yes, you can go and buy passports and credit cards. And they vary of course depending on the value of the country, the passport, whether it's fake, forged or actually stolen and real. And there's a lot of things that drive pricing. So I always present to Australian customers, so naturally I go and try and find our Australian details online, and it's not hard.
I must say, it's not hard to go and grab various different identities. And what do these get used for? Well, in Australia particularly, we have what's called the 100-point check. You can't open a bank account, you can't get a mobile phone without having 100 points of identity. And things like a passport, a Medicare card, driver's licenses, birth certificates, all those add up to 100 points of identity. Obviously, the more identity I have, the more likely I'm going to get it. So this is where people are starting to set up those fake accounts. Online bank heists.
This is essentially the buying and selling of bank accounts and credit cards. Again, these vary based on the type and the credit limits, the balance of the account, but we see people offering that. In the US, we still see a lot of check fraud and fake checks. For banking, I don't think I've used a checkbook here in 15 years. But essentially, anything to do with banking is pretty easy to find. Of course, from a fraudster's perspective, there's a lot of how-to guides.
This is a big part of what we see, is how do I bypass fraud detection? How do I get something through various different fraud detections? In Australia, we have a concept called PayID. It allows for real-time transfer of payments using mobile phone and email addresses. Well, I can buy a guide here that helps me bypass that, how to hack into it step by step. If I want to go and attack an ATM and plant malware, I can find those tool sets, there's how-to guides, what do I get in the kit, what's included, very easy to find. And of course, credit card fraud is not going away.
There's techniques we're using to prevent credit card fraud of course, but I think we see millions and millions of credit cards a day. In fact, two weeks ago, if you Google Swarmshop, that was a large shop that was breached by another gang. That data was then published. That was 600,000 credit cards published online for free, with full PII, personal identifiable information. So this stuff happens every day, and it impacts pretty much everybody, every citizen. I mentioned Telegram and chat, another named QQ, which is a Chinese chat app.
Fraud is rife on there as well, so we see people buying and selling real-time credit cards, showing how to do ATM fraud. It's just rife. It's quicker, it's real-time, it can be deleted, it's encrypted. So a lot of times, we see the real-time fraud occurring in real-time chat services. So just to sort of tail out here for the next 10 minutes or so, I wanted to really just talk about three big trends we've seen in the last year.
And these aren't going away, just from a cybersecurity perspective, but just how the cyber gangs are doing it. And the first one, I think, hopefully everyone understands ransomware and understands the potential evolution that we're seeing. But if you think about how ransomware has moved, particularly in the last year.
Traditionally, it was a process of I go and launch a phishing attack, I attach my malware to that phishing campaign. I then pretty much encrypt your hard drive, generally, it used to be just your computer, your one or two computers. Then I asked you for money to get your decryption key.
Now, the problem with that was most people have good backups. Most people are aware of this and go, "Well, you know what? I'll just restore my computer. I'll just restore from backup." So of course, naturally, when you start to put defense mechanisms in, the bad guys need to pivot. So now what they do is they might come in with another piece of malware, or another way, through the RDP access I discussed, or through Mouse in Box and get in the machine, and they'll steal your data. They'll hoover up all the corporate data they can get, as much as they can, and that could take weeks and months. So they're in someone's network and using malware.
Potentially, Emotet was taken down by Microsoft and a lot of other intel providers a few months ago, but Trickbot is another one. These are malware families that are modular, they get deployed, they can deploy modules that generally steal the data, then they encrypt it.
Sometimes they don't encrypt it because they don't need to, they steal enough of it.
And then they publish it to a leak site. Those leak sites then say, "Hey, if you don't pay by this date, we're going to start leaking your data." Now obviously, depending on what was stolen, sometimes the customers don't even know, or the victims do not know, which is a concern. But they then may choose to not, or pay that ransom. And we've seen an increase in ransomware payments generally by victims because their cyber insurance is paying it. They can't restore from backup, or they don't want that sensitive data being published online.
So that's where we're sort of seeing it move from just a, oh, encrypt one computer or a couple, maybe 10 computers, hope there's some money to... now, let's steal the data, encrypt it and extort you. And there's many families. I think last count, we're tracking about 30, maybe 28 extortionist malware families.
The biggest one was Maze, that sort of slowed down, they decided to pull out of the market. They've made their millions, went home, or billions. And this is where the real money's made. These guys are asking, in some cases, $100,000 worth of bitcoin. I think the largest one we've just seen recently this year was $50 million, and that was the Taiwanese computer manufacturer Acer. That's pretty large ransomware, and that's a lot of money for a lot of victims to do. The interesting thing with these gangs too is they live up to their reputation of they won't publish if you pay. If they've encrypted it, they'll provide you the decryption key.
Now, not always. Look, at the end of the day, we're talking about people here that don't necessarily have the morals and ethics that we might have, but in reality... Like I said at the start, they're in a business, right? They're there to make money, and the whole cyber underground, or the illicit underground, I should say, is built on reputation. And if you have a bad reputation, you will not get business. It's similar to you wouldn't go to a restaurant without having a look at a Google or a Yelp review, right? That happens here as well. So a lot of this stuff when we get asked by customers, "Will they not publish it?" Well, there's a good chance they won't.
And we sort of, each gang's slightly different, or each group is slightly different. The second big trend is compromised credentials.
Now, to understand this, there's sort of a lifecycle of where a credential is breached, and how is it processed through the cyber underground.
So breaches can occur from different things. Phishing campaigns, you've probably all received a phishing email. And you've gone to the website, you start typing all your details in, and they've basically got your password. A common one of that is they'll redirect you to a fake Outlook, or a Gmail, hoping to get your Outlook and Gmail. Why? Because the email is generally the center of the universe when it comes to identity. Because most of the websites you go to, they'll send you a password reset to your email. So if I can get your email password, I can go to your bank and get maybe a reset. Or Amazon, have your password, reset and take over your Amazon account.
Once it's breached, they get put into what's called combo lists. So I may get hundreds of thousands of credentials through phishing or malware or other means, social engineering.
And then the criminals will bundle them up into what we call combos or base lists, which is just a big list of them, and because again, this is a numbers game. The more credentials you have ... If I want to go target Amazon, the more credentials I have against Amazon, the more likelihood I'm going to get a hit. It's a probability game. They then validate this. They run that through what we call account checkers, brute force software, again, as a service.
So I might have 100,000 credentials, how do I know how many of those are actually real and ready to go?
How can I make sure that they're going to use them?
So these account checker and brute force software automate that. And actually, once I've got what I want and I know they're good, I'll go and sell them and say, "Hey, here's a credential. It's got access to this bank account, it's got access to Amazon. Knock yourself out, I'm going to charge you $10 for it." And combo lists, brute forcing software, all this stuff is really, really easy to find.
If you want to have fun, you can go and Google combo list and you'll find free and open combo lists of people's details. Naturally, price dictates quality, if it's free, it's generally not great. So you need to go to forums and buy proper combo lists, but a lot of this stuff is traded for free. A lot of these tools like OpenBullet and others are free to get. What OpenBullet does is essentially allows you to take a website profile and target the credentials and just point it at it and automate the brute forcing. So we call that word list, password list, et cetera. And the final trend of course, we couldn't talk about COVID, I'm sure everybody's sick of hearing about COVID, but it did make a lot of news last year for various reasons.
I think the main one being, when there's any major event, anything that's impacting a lot of people, people try to take advantage. Scammers, fraudsters, criminals. It's just what we do as humans, unfortunately. So phishing campaigns, malware campaigns. And from an underground perspective, at the early stages of COVID, back in 12 months ago, in March, people couldn't get masks, people couldn't get sanitizer.
So naturally, there was a black market for both legitimate or sub-par masks and sanitizers. I know Australian Border Force here stopped a lot of shipments coming in the early stages, because people were buying cheap masks online, and they weren't going to do anything. You may as well just not bother wearing them, so there was a lot of that uptick. As it matured, when I say matured, as the pandemic started to get more and more serious, naturally, scams came out and there was how-to guides and related documents on how to do fraud, how to take advantage of government payouts.
In the US, I think it was called the CARES package. Here, we had superannuation benefit. How do I get fraud? How can I conduct fraud? And I guess more recently, as we've matured again in the pandemic, buying and selling of fake COVID vaccines. I just took this screenshot literally on Saturday, in a very common marketplace that sells drugs, everything from your usual drugs that you can buy on the street, to pharmacy medicines. And it didn't take me long to find both the Moderna and the Pfizer vaccines online that I could buy.
Now, I'm pretty sure they're not real. Particularly given the type of transportation storage required for some of these vaccines. But people don't know that. People get suckered in. The other thing that happened during the pandemic is unfortunately, people take advantage and attack healthcare, which is just kicking someone when they're down, obviously.
So accessing networks, multi-million dollar healthcare companies you can see, everything from selling PII, getting patient records. I've even seen online videos of someone as you go and get a COVID test at a hospital, you have to fill out all your personal details. Taking a photocopy of that and immediately selling it or trying to give it away. So it's just that, what we call an insider, really. But the point being here is, everyone's a target. Obviously, when things are going bad for a particular industry, be them airlines or healthcare, they do get targeted.
And of course, what manifests in that is, a lot of times, we see medical records for sale.
And you might think, "Well, what's the point of that? Is there a use case for that?" But there's many use cases. We've seen nation states use it for extortion, if they target a particular individual. Obviously, it's sensitive information that someone might not want out there. There's lots of uses for this data. I don't actually know all of them, because I don't have that sort of mindset. But suffice to say, we see this all the time. Your personal identifiable information is a hot asset to buy and sell. So with that, I've pretty much gone through the content.
And I know it was quite relatively quick there.
But I'm obviously open. A little bit about Flashpoint if you hadn't heard of us before. We are a New York headquartered, Washington headquartered intelligence provider. Our job is to track threat actors, get into these illicit locations using trade craft and personas, collect that data and present it in a safe way, in a portal to our customers to use to build their intelligence programs, and obviously meet cyber threats, physical threats, fraud and so on. So that's really where we're coming from. So I'm open to, we got any questions, or anything you want to move forward with?
Katie Macaluso: Hey, I'm going to just jump in here. Just looking at the time, if we can maybe go ahead and jump to the next slides, and maybe we'll save all questions for the end, if that sounds okay?
Pouya Ghotbi: Sure.
Katie Macaluso: All right, I'll pass it off to you, Marcos.
Marcos Baez: Absolutely, Katie. Just to kind of touch on St. Bonaventure as a school, if you weren't aware, we're based out of Olean in New York, which is 90 miles south of Buffalo.
We were founded in 1858, so we've been around for quite some time. Being a private, not-for-profit, Catholic university, we do encourage our students to follow the Franciscan tradition. And if you're not familiar, basically what that means is we want our students to lead lives full of sound values, strong morals and solid ethics. I think that ties in very well to cybersecurity. Obviously, based on the presentation alone, you can see the sensitive information that it entails, and obviously, in this field you need to handle that information ethically.
Just recently, we were ranked number three in the State of New York, in best value. I think that speaks pretty highly of our combination of tuition as well as the quality of our curriculum. And with that in mind, our programs are 100% online, really allowing them to be accessible to students across the globe. And with our faculty, they also bring their expertise from the field into our coursework as well. Whether that's through the curriculum, and also our partnerships with industry recognized entities like Cisco Academy and the Electronic Commerce Council, as well as facilities on campus, like the Western New York Cybersecurity Research Center, and also our student-run Security Operation Center.
Now, with our program offerings here, we do have two tracks for students, dependent on their background.
For a career changer, or someone new to the cybersecurity field, we do have a graduate certificate option for those students. This is intended to bring you up to speed in some of those key foundational areas within cybersecurity. Now, this program would be a five course, 15 credit hour program, which would take approximately eight months to complete. Now, outside of that option, of course, we have the Master of Science in Cybersecurity. Dependent on your background, your computer science and cybersecurity experience is taken into consideration for this program.
So with that in mind, it could be as low as three credit hours to complete, or as short as 18 months to complete the program. Again, your background could determine if any of the foundation courses would be required for you to take. Also keep in mind, this program would be more so geared to those students really looking to add on to their credentials, tie in their work experience with a relevant credential that could help them expand their careers, potentially looking at senior level and management roles within cybersecurity.
Now, in terms of requirements, the first step would be to speak with me.
We typically go through an interview process for our students to ensure not only that our program is a good fit for you, but also that you would be a good fit for the program, in terms of what you're looking for. The first step would be to submit an application, then we would also require transcripts from all institutions attended towards your bachelor's degree, which is also required. Typically, we're looking for a bachelor's degree from a regionally accredited institution. Outside of that, you'd have to provide us with a resume and a police clearance.
Obviously due to the sensitive nature of the materials you would be touching in these courses, a security clearance ensures that you have a sufficient background and are ethically sound to touch on these subjects. And lastly, there is no GMAT or GRE exam required for this program, which can be typical of similar programs.
Katie Macaluso: Thank you so much, Marcos. And thank you so much to Brett as well for the fantastic presentation ahead of this.
At this point, we are going to go ahead and move into the Q&A section here. So if you haven't already submitted any questions, if you had any about the presentation itself, or any questions about the master's or certificate programs, please use the Q&A box below the slides to submit those questions, and we'll do our best to answer a few of those here in these last few minutes of the webinar. Let me go ahead and check and see if we've gotten any so far. And Pouya, did you want to add anything before we get started there?
Pouya Ghotbi: Yes. Yes, yeah, absolutely. So first of all, thank you so much, Brett. That was an absolutely great presentation.
I just wanted to make this remark that when we see a presentation like this, when we see the seriousness of cybersecurity, and actually how it's affecting the world, how the economy behind it works, how nation states are using these type of attacks to achieve their political goals, then we understand the importance of cybersecurity, and the fact that there is a massive shortage of resources, skilled resources in cybersecurity space that we talked about in one of our previous webinars.
I think we're talking about something like 20 million resources, shortage of 20 million resources globally. In United States specifically, also that market, there's a lot of demand in the market. So what we try to do with this program is obviously helping people that are already in IT and they want to move into cybersecurity, or we have students that they actually want to change field, but they do have a good understanding, a good technical background.
We definitely sort of can help those people to move into that track. So on that note, I just had a question for Brett. So when you look at those trends in these attacks, how do you see that being different in different countries? Are these global trends, or in certain countries, you see some of those trends being dominant?
Brett Williams: Well, the ones I sort of talked about there is global. I don't think anyone's immune to it, it's a global problem.
But we do see, it's like anything, the more attacks surface, the greater the attack surface, the more likelihood you're going to get attacks. So naturally, countries like the United States and Europe have a bigger attack surface than Asia. It also comes down to sophistication of the citizens. The more connected a country is, particularly, the more risk it's at. So I guess the trends are generally global, but we do see a wave. A lot of times, when we see credit card fraud, or we see a cyber attack technique, it might start in the US first or Europe, and it'll wave across the world, and sort of over a couple of days or a week, you start to see the same sort of TTPs.
I always like to say, the cyber crime gangs are global, they don't discriminate about borders. There is no borders online, as we know. And likewise, the threats are everywhere. But obviously, if I'm a country that doesn't have a lot of connected citizens, the likelihood of a phishing campaign and credential stealing and me getting online banking details is going to be lower than somewhere like the United States or Australia where we're incredibly connected.
Pouya Ghotbi: Awesome, thank you. I think we've got a question for Marcos. Katie, do you want to take that question for Marcos, please?
Katie Macaluso: Absolutely. So the question here is, could completion of any of the grad certificate courses be applied as credit toward the MS Cybersecurity degree? Marcos, could you take that one?
Marcos Baez: Yes. So the answer is yes, I suppose. Keep in mind, the courses within the graduate certificate could be required of you to take if you chose to pursue your master's with us, dependent on your experience level in those areas.
Katie Macaluso: Perfect. Hopefully that answers the question, and if you have any follow ups on that one too, you could always schedule an appointment with Marcos to kind of go through what your experience looks like in that area.
All right, our next question is from someone who says they've never taken an online course before. How easy is it to connect with the professor if I have any questions about the materials? Can I send that to you, Pouya?
Pouya Ghotbi: Absolutely. So the way that we've done our online course is actually very interesting. So there are multiple ways and multiple methods of communicating.
We've got discussion boards, we've got forums that you can essentially use to communicate. Not only with your instructor, but also with the other students, and that is quite important for us. We work as a community, we collaborate, we share a lot of knowledge and information. We do have live weekly webinars that we communicate again, we go through the content. We are available obviously on email and chat through the platform.
But what I sort of wanted to highlight is the way you sort of do our online courses is very different from traditional online courses. So traditionally, you had probably equivalent of PowerPoints on a website, you go through them. But our courses are designed professionally in an interactive way, so in a way that you interact with the course, a lot of material in the course, you need to go through, interact and learn and practice.
So it's very interesting, I would say.
Katie Macaluso: Perfect, thanks Pouya.
One additional question here, this person asks, I'm considering doing some of the certifications in cybersecurity. Do I still need to do the master's degree as well?
And I know sometimes we get that comment a lot in admissions, and I don't know if you can speak maybe a little bit to sort of the difference between the two.
Pouya Ghotbi: Absolutely, yeah. Look, I, myself have done a lot of certification in my career, in my time.
So the difference is obviously industry certifications are very important. People regard them highly, and they look at the certification. But they're typically targeted toward a certain technology, and they're sort of very narrow around that particular technology. And then, it's good if you only want to work on that particular technology. But they don't replace an official degree from a university. And that's something that's a proven track record of you going through this process, learning all the important aspects of cybersecurity, getting exposed to different areas of cybersecurity, from securing your software design, from all the way to penetration testing, to audit and compliance, all different areas of cybersecurity.
And that's a valuable thing that will stay with you, that degree. A lot of certifications, you have to renew them every year or every two years, and they lose their value over time. There are many, I'm sure Brett can agree with me, even five or 10 years ago, a lot of certifications were regarded really highly in the industry, but now they've disappeared because they're not relevant anymore. So that's something that stays with you for life, the degree that you do in university, like.
So yeah, hopefully that answers the question.
Katie Macaluso: Very helpful. Thanks, Pouya. I think that is all of the questions that we've received so far, so thank you all for the questions.
Thanks especially to Pouya, Brett and Marcos. That wraps up our presentation for today. Oh, wait. I think I see one more. I want to just double check here, if we've answered this. Pouya, I don't know if you want to take a quick minute to answer this last question that came in on, what are some of the certifications that can be completed as part of the degree?
Pouya Ghotbi: Absolutely. So what we do as part of the course material, we give you a lot of foundation to go and tackle those couple of certification that I will mention, like certified ethical hacker, or CEH, is one of them that a lot of our courses cover the material in that course.
But it doesn't necessarily mean that just by doing our program, you can go and tackle the exam. Any exam, any certification's got its own sort of requirements and hacks and tricks that you need to sort of go through and learn, but it really helps you. And it's not only that, if you look at another certification, like CISSP that everyone is very interested in. It's highly regarded nowadays in the industry. A lot of concepts of CISSP, we do cover in different courses throughout the program.
So yep, it helps to build that foundation, to learn a lot of concepts, and even practice a lot of those requirements of the certifications, but you still need to sort of study for the certification, if it makes sense. I think we've got another question as well, Katie.
Katie Macaluso: There is one last one, so let's see if we can tackle this one as well. The question is, what if you have a bachelor's degree but no experience in cybersecurity? Would you still be able to enroll in the certificate program?
Pouya Ghotbi: Absolutely. So as part of the admission process, obviously Marcos is going to conduct an interview, we go through your experience.
Sometimes your experience and exposure to technology is not really captured in your resume as well, so that's why we really want to talk to you and understand where you're coming from, what are your expertise and experience with technology. Especially if you're coming from an IT background, the certificate program helps you to build that foundation of whatever you need to be successful in the master's program. Even things like, we do get a lot of students that they've never written code, or they're struggling with coding.
In some of the courses, we do use coding, because we want to show you how vulnerabilities work, or how to securely design your software. So as part of the foundation, we teach you all of those skills that you require to succeed in the master's program.
Katie Macaluso: Great. Thanks so much, Pouya. Hopefully we've answered all of your questions here, today.
If you think of anything additional though, there should be on the dashboard in front of you, a place where you can schedule an appointment with Marcos to kind of talk through your own goals, and talk through any questions that you might have.
So with this, we'll go ahead and wrap up. We will send out a recording of the webinar tomorrow, so look forward to that, and we hope you have a great rest of your day. Thanks again. Take care.