Law enforcement and government officials don’t like encrypted peer-to-peer chat platforms such as WhatsApp and Jabber because it is harder to eavesdrop on what cybercriminals are planning. But according to a recent study of global cybercrime operations, the bulk of criminal discussions don’t happen over encrypted chat. Skype is the preferred mode of communication among cybercrime gangs worldwide.
Skype, owned by Microsoft and widely used by consumers and enterprises, doesn’t encrypt messaging end-to-end the way the secure messaging apps do. But it is still popular among cybercrime gangs around the world, FlashPoint analysts found in a study of communications platforms used by financially motivated cybercriminals.
While cybercriminals continue to use online message boards and web forums to meet like-minded actors, recruit for specific tools, buy technical tools, and sell their goods or services, when they need to coordinate with partners and team members, they tend to shift to mainstream messaging tools.
“The really meaty conversation is not happening in forums, but in different messaging applications,” said Leroy Terrelonge, FlashPoint’s director of Middle East and Africa Research and director of Americas Research. One reason could be that forums often shut down without warning or experience service interruptions.
FlashPoint analyzed the number of times cybercriminals mentioned the use of messaging services on underground message boards and forums over a four-year period. While there were some regional differences, Skype consistently appeared in the top five most-used messaging platforms among Russian, English, Spanish, Arabic, French, Chinese, and Persian/Farsi-speaking cybergangs.
Skype’s widespread usage was a surprise because it isn’t considered a secure platform, but its popularity may have a lot to do with the fact that it is readily available. Skype is bundled with a number of Microsoft products and is convenient to work with.
Cybercriminals, it seems, aren’t that different from consumers and enterprise users—they want tools that are easy to use and widely available. They prefer services “that are simple, have a clean graphical user interface, are intuitive to use, and are not ‘buggy,’” FlashPoint wrote in the study. Localization and language support also make a difference. Cybercriminals are very careful about who they let into their exclusive club, but they also don’t want to jump through excessive (and costly) hoops to communicate with each other.
Cybercriminals are also likely to work with messaging platforms they already use in their “civilian” lives because they are familiar with the interface. That may be why Chinese-speaking gangs preferred QQ and WeChat—two apps widely adopted in China—over Skype or encrypted apps like WhatsApp.
Even with Skype’s broad popularity, there was clear movement toward end-to-end encrypted messaging apps. Russian-speaking groups also used Jabber, ICQ, Telegram, and Viber. It was a surprise that the ICQ messaging platform—which is an unencrypted platform like Skype—was still popular, as it has largely disappeared among the mainstream outside of Russia, Terrelonge said. ICQ remains popular among Russian speakers because of its ties to the Mail.Ru group and other Russian business interests. English-speaking groups also employed Jabber, ICQ, and Kik, while Arabic-speakers preferred WhatsApp and Persian/Farsi groups tended to choose Telegram.
Among Arabic-speaking groups, “AOL Instant Messenger came in third, with a much higher number of mentions than analysts would have expected,” FlashPoint noted. It was unable to explain AIM’s popularity, since mainstream usage has been in decline since 2009.
Russian-speaking groups occupy a unique position at the top of the cybercrime hierarchy, as they are viewed as being the most sophisticated. As a result, groups in other regions often follow and emulate the kind of tools that Russians use. It also helps to be on the same platform when collaborating with them to take advantage of their skills and expertise. That is likely the main reason why ICQ is in use by non-Russian-speaking groups, Terrelonge said.
Members of French cybergangs take their privacy and anonymity seriously, and they still prefer email or forum messaging systems to send messages encrypted with Pretty Good Privacy (PGP) software, which sets them apart from other groups in FlashPoint’s analysis. While Jabber has gained in popularity and is now the most popular platform, PGP adoption remains high among French groups, followed by ICQ (likely in use to work with the Russians), then Skype.
“The French-language underground is by and large the most security-conscious language community in the Deep & Dark Web,” FlashPoint said in the study.
Cybercriminals around the world are increasingly shifting their communications from platforms with fewer encryption and anonymity protections to more sophisticated applications with built-in protections. The ubiquity of these platforms for criminal acts poses a challenge for security defenders, but weakening the encryption to be able to intercept and scrutinize the communications is not the answer—especially when they use non-encrypted chat methods, too.