Cybercrime comes in many different flavors, most of them financially oriented. Phishers, scammers and malware operators are the most visible actors, yet other profiles in the cybercrime economy play an important role while staying very discreet: traffers.
What is a traffer?
Traffers — from the Russian word “Траффер,” also referred to as “workers” — are cybercriminals responsible for redirecting Internet users’ network traffic to malicious content that they operate, most of the time malware.
Traffers are generally organized as teams and compromise websites in order to hook the traffic and bring the visitors to malicious content. They might also build websites serving the same purpose. As exposed by Sekoia researchers who have monitored Russian-speaking cybercrime forums, the traffer ecosystem is made up of both highly skilled profiles and newcomers, making it a good entry point for beginners in cybercrime.
The “lolz Guru” underground forum in particular shows a constant creation of new traffer teams: every month of 2022 saw between five and 22 new traffer teams (Figure A).
Once created, a traffer team might evolve and reorganize, merge with other teams or restart from scratch, which makes it difficult to evaluate the longevity of traffer teams. One administrator of such a team has indicated it cost him $3,000 to create a traffer team of 600 people before selling it. A traffer team dubbed “Moon Team” was priced at $2,300 in May 2022.
The typical organization for such a team is pretty straightforward: One or several team administrators lead traffers but also handle the malware licenses and the analysis and selling of the logs collected by the traffers (Figure B).
What are traffer team methods?
The biggest activity of traffers consists of redirecting Internet users to malware, 90% of which is information stealers. The information stolen by the malware can be valid credentials for online services, mailboxes, cryptocurrency wallets or credit card information. All of this is referred to as logs.
The team administrators sell those logs to other cybercriminals, who exploit the data for financial gain.
The administrators are also responsible for handling the malware the team needs, buying licenses from the malware developers and distributing the malware to the team.
The administrators also provide their team members with a kit containing different resources:
- Constantly updated malware files (also called “malware builds”) ready for use.
- A crypter service or tool, necessary to encrypt or obfuscate the malware files.
- A manual and guidelines for traffers.
- A search engine optimization service to improve the visibility and number of connections to their infrastructure.
- A Telegram channel to communicate easily between team members.
- Telegram bots for automating tasks, such as sharing new malware files and creating statistics.
- A dedicated log analysis service to ensure the logs sold by the administrators are valid.
Once recruited, traffers are able to get the malware files and distribute them via redirections from compromised websites. They are paid based on the quality and quantity of information collected by the malware they deploy.
Traffers are often challenged in competitions organized by the administrators. The winners get extra cash and access to a professional version of the membership, which allows them to use a second malware family and get better services and bonuses.
Each traffer uses their own delivery chain as long as it complies with the team requirements.
According to Sekoia, common delivery methods include websites masquerading as blogs or software installation pages and delivering password-protected archive files in order to avoid detection. Experienced traffers seem to have a very good knowledge of advertising platforms and manage to increase the promotion of their websites via those services. The downside of this kind of delivery method for the attackers is that it generally hits many victims and is therefore detected more quickly than other delivery methods.
The 911 infection chain
The majority of traffer teams monitored by Sekoia are actually exploiting a method called “911” in underground forums.
It consists of using stolen YouTube accounts to distribute links to malware controlled by the traffers. The traffer uses the account to upload a video enticing the visitor to download a file, disable Windows Defender and execute it. In most cases, the video is about cracking software: it explains how to proceed and provides links to tools for installing cracked software, generating a license key or cheating at different video games. Once executed, those files infect the computer with malware.
The malware is generally stored on legitimate file-sharing services such as Mega, Mediafire, OneDrive, Discord or GitHub. In most cases it is a password-protected archive file, which contains the stealer malware (Figure C).
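The password-protected archive is the one part of the 911 chain a defender can recognize structurally: the encryption flag lives in the ZIP headers, which are readable without the password. The following triage script, added here as an illustration and not taken from the article or from Sekoia, parses the central directory of a ZIP file, reports which entries are password protected, and flags those with an executable extension. The sample archive it builds (entry name `Setup.exe`, executable suffix list, patched flag bits) is constructed for the example.

```python
import io
import struct
import zipfile

# ZIP central directory record (PKWARE APPNOTE section 4.3.12): 46 fixed bytes.
CD_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
CD_FMT = "<4sHHHHHHIIIHHHHHII"
FLAG_ENCRYPTED = 0x0001  # general purpose bit 0: entry is password protected
# Constructed list of extensions worth flagging inside a "cracked software" archive.
EXEC_SUFFIXES = (".exe", ".scr", ".bat", ".cmd", ".msi", ".dll", ".js", ".vbs")

def list_entries(data: bytes):
    """Parse the central directory; return (name, encrypted, uncompressed_size) tuples."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a zip")
    _, _, _, _, total, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    entries, pos = [], cd_offset
    for _ in range(total):
        fields = struct.unpack(CD_FMT, data[pos:pos + 46])
        if fields[0] != CD_SIG:
            raise ValueError("corrupt central directory")
        flags, usize = fields[3], fields[9]
        name_len, extra_len, comment_len = fields[10], fields[11], fields[12]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, bool(flags & FLAG_ENCRYPTED), usize))
        pos += 46 + name_len + extra_len + comment_len
    return entries

def triage(data: bytes):
    """Names of password-protected entries that carry an executable extension."""
    return [n for n, enc, _ in list_entries(data) if enc and n.lower().endswith(EXEC_SUFFIXES)]

def make_sample(encrypted: bool) -> bytes:
    """Constructed sample: one-entry zip; optionally set the encryption flag bit in
    both the local and central headers (the payload bytes are not really encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Setup.exe", b"MZ-not-a-real-binary")
    data = bytearray(buf.getvalue())
    if encrypted:
        local = data.find(b"PK\x03\x04")
        data[local + 6] |= FLAG_ENCRYPTED  # local file header: flags at offset 6
        cd = data.find(CD_SIG)
        data[cd + 8] |= FLAG_ENCRYPTED     # central directory header: flags at offset 8
    return bytes(data)

if __name__ == "__main__":
    for enc in (False, True):
        print("encrypted" if enc else "plain", "->", triage(make_sample(enc)))
```

The same central-directory walk works on any downloaded archive, so it can sit in a mail or download gateway ahead of a sandbox that would otherwise fail to open the encrypted content.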
What malware is used by traffers?
The information-stealing malware most used by traffers, as observed by Sekoia, are Redline, Meta, Raccoon, Vidar and Private Stealer.
The Redline malware is considered the most effective stealer, as it is able to access credentials from web browsers, cryptocurrency wallets, local system data and several applications.
Redline also allows the administrators to easily track traffer activity by associating a unique botnet name with the samples distributed by each traffer. Stolen data coming from the use of Redline is sold on multiple marketplaces. Meta is a new malware advertised as an updated version of Redline, and it is becoming the malware of choice for some traffer teams.
How to protect yourself from traffers
This threat is highly related to malware and may target individuals as much as companies. Deploy security and antivirus solutions on all endpoints and servers of the company. Operating systems and all software should also be kept up to date and patched to prevent them from being infected through the exploitation of a common vulnerability.
Users should be trained to detect phishing threats and to avoid using cracked software or tools in any case. Multi-factor authentication should be used whenever possible: a traffer checking the validity of stolen credentials might simply drop them if they are unusable without a second authentication channel.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.