The war in Ukraine continues to offer cyber-criminals new opportunities to monetize conflict, with threat researchers observing ads offering to smuggle men out of the war-torn country.
Intel 471 said criminals are using insiders, including border service staff, to offer people smuggling services on the dark web. Since the start of the war, the Ukrainian government has forbidden any males of fighting age from leaving the country.
“Shortly after the start of the war, the actor claimed the insider could facilitate illegal border crossings for Ukrainian males aged 18 to 60,” the report noted.
“Accomplices used to facilitate the activity allegedly would transfer a person seeking to cross the Moldova-Ukraine border and bypass official checkpoints. The border crossing records for the person using the actor’s service would be backdated on a passport and government databases as part of the scheme.”
The conflict is also creating some unusual alliances. A separate report from Cybersixgill argues that Chinese and Russian cyber-criminals are starting to collaborate on the dark web.
This began last year when the RAMP forum resurfaced with a new interface making it easier for English and Mandarin speakers to use. However, the ties have arguably grown closer since the start of the war, with some Russian threat actors musing whether they should move to China for safety, according to the firm.
“Even within their own Russian-speaking forums, Russian threat actors actively discuss their pursuit of a cyber-criminal alliance with their Chinese counterparts, seeking out the prominent Chinese cybercrime platforms so that they may reach out and develop partnerships,” the report claimed.
Intel 471 also claimed the war has led to a surge in travel fraud in the region, with threat actors using insiders in travel companies. However, scams are not confined to Eastern Europe: the global travel industry is an increasingly lucrative target as the summer holiday season gets going and pandemic restrictions begin to loosen.
“Since January 2022, Intel 471 has observed multiple actors across numerous cybercrime forums selling credentials tied to travel-related websites. In February, one such actor listed access to account credentials of UK-based users at a major travel booking website and two US-based airlines,” Intel 471 revealed.
“The actor specifically was targeting mileage rewards accounts with at least 100,000 miles. Access to these accounts allowed actors to leverage the rewards to book travel reservations for themselves and other customers. Alternatively, the accounts and their respective rewards points could be resold to other actors looking to conduct similar types of travel fraud activity.”