An analysis of information-stealing malware logs published on the dark web has led to the identification of thousands of consumers of child sexual abuse material (CSAM), showing how such information can be used to fight serious crime.
“Approximately 3,300 unique users with accounts on known CSAM sources were found”, Recorded Future said in a proof-of-concept (PoC) report published last week. “A notable 4.2% had credentials for multiple sources, suggesting a greater likelihood of criminal behavior.”
Over the past few years, off the shelf info hijackers options became a ubiquitous and an omnipresent threat targeting various operating systems to obtain sensitive information such as credentials, cryptocurrency wallets, payment card data and screenshots.
This is evidenced by the increase in the number of new malicious programs, such as The death of theft, Neptune’s kidnapper, 0bj3ctivity, Poseidon (formerly RodStealer), Satan the kidnapperand StrelaStealer.
Spread through phishing, spam campaigns, hacked software, fake update websites, SEO poisoning, and malicious ads, the data collected by such programs usually end up on the dark web in the form of theft logs from where other cybercriminals acquire them to further their schemes.
“Employees routinely store corporate credentials on personal devices or access personal resources on organizational devices, increasing the risk of infection.” — Flare noted in a report last July.
“There is a complex ecosystem in which malware-as-a-service (MaaS) providers sell information-stealing malware on banned Telegram channels, threat actors distribute it via fake hacked software or phishing emails, and then they sell logs of infected devices to specialized dark networks. web markets”.
Recorded Future’s Insikt Group said it was able to identify 3,324 unique credentials used to access CSAM known domains between February 2021 and February 2024, using them to expose three individuals who were found to be holding the accounts entries on no less than four websites.
The fact that the theft logs also contain cryptocurrency wallet addresses means they can be used to determine if those addresses were used to purchase CSAM and other malicious material.
Moreover, countries such as Brazil, India and the US had the highest number of users with credentials for prominent CSAM communities, although the company said this could be due to “over-representation due to the search for data sources”.
“Information-stealing malware and stolen credentials are projected to remain a cornerstone of the cybercriminal economy due to high demand from threat actors seeking initial access to targets,” it said, adding that it shared their findings with law enforcement agencies.
“Theft logs can be used by investigators and law enforcement partners to track child exploitation on the dark web and provide information about the part of the dark web that is particularly difficult to trace.”
