Research (Insikt)

Combating the Underground Economy's Automation Revolution

Posted: 24th March 2020

Automation has become an essential part of nearly every industry, and nowhere is this more true than in cybersecurity. But unfortunately, the benefits of automation are equally available to criminal enterprises and defenders alike. So while the criminal underground has created an ecosystem of tools and resources to operationalize and monetize campaigns, SOARs can be used to tip the balance back in a defender’s favor by automating defensive intelligence feeds and combining them with automated detection and prevention.

Research by Recorded Future’s Insikt Group explored the tools and services used by threat actors to automate tasks associated with malicious campaigns and the mitigation strategies available through SOAR and threat intelligence solutions.


Cyberattacks frequently start with a compromised network or a database of credentials as a result of threat actors obtaining unauthorized access to a network, who then sell credentials on underground forums. This access can be used for privilege escalation within the network, business email compromise, ransomware, and other types of attacks.

Mitigation strategies include:

  • Keeping all software and applications up to date
  • Filtering emails for spam and scrutinizing links and attachments
  • Making regular backups of systems, and storing them offline
  • Compartmentalizing company-sensitive data
  • Instituting role-based access
  • Applying data encryption standards


Attackers with credentials obtained by data breaches then leverage checkers and brute-forcers to direct large-scale automated login requests to determine the validity of victims or gain unauthorized access through a credential stuffing attack for thousands of accounts.

Mitigation strategies include:

  • Using unique passwords for accounts, in addition to a password manager
  • Requiring additional details for login (e.g., CAPTCHA) or require multi-factor authentication (MFA)
  • Establishing customized web application firewalls
  • Slowing date or rate limit login traffic
  • Removing unused public-facing logins
  • Baselining traffic and network requests to monitor for unexpected traffic


Threat actors will also apply loaders and crypters to elude detection by endpoint security products, such as antivirus, and then download and execute one or more malicious payloads, such as malware.

Mitigation strategies include:

  • Updating antivirus software regularly
  • Implementing additional response and detection controls beyond antivirus to detect malicious payloads
  • Training and educating individuals on phishing and associated risks


Stealers and keyloggers are used to exfiltrate sensitive information from victims, including credentials, PII, and payment card information, and install secondary payloads onto victims’ systems.

Mitigation strategies include:

  • Investing in solutions offering patch posture reporting
  • Configuring network defense mechanisms to alert of malicious activity on devices
  • Monitoring for suspicious changes to file drives and registries


Automating the process by not having to write their own script, threat actors can easily obtain banking injects, which are widely published, popular, and powerful tools for performing fraud. Fake overlays or modules are used with banking trojans to inject HTML or JavaScript code to collect sensitive information before redirecting to a legitimate website.

Mitigation strategies include:

  • Keeping software and applications up to date
  • Installing antivirus solutions, scheduling updates, and monitoring the antivirus status on all equipment
  • Enabling MFA via SMS authenticator applications
  • Solely using HTTPS connection
  • Educating employees and conducting training sessions
  • Deploying spam and web filters
  • Encrypting all sensitive company information
  • Disabling HTML or converting HTML email into text-only email


Used to automate the exploitation of web browser vulnerabilities to maximize the delivery of successful infections, exploit kits deliver malicious payloads such as trojans, loaders, ransomware, and other malicious software.

Mitigation strategies include:

  • Prioritizing the patching of Microsoft products and older vulnerabilities in the technology stack
  • Ensuring that Adobe Flash Player is automatically disabled in browser settings
  • Conducting and maintaining phishing security awareness


Threat actors leverage spamming and phishing services to conduct email campaigns that give them access to hundreds of thousands of victims to deploy malware or gain further access into a network.

Mitigation strategies include:

  • Refraining from publishing your email address online or replying to spam messages
  • Downloading additional spam filtering tools and antivirus software
  • Avoiding using personal or business email addresses when registering online
  • Developing a password security policy
  • Requiring encryption for all employees
  • Educating employees and conduct training sessions


To extend the longevity of their criminal actions, threat actors leverage proxy and bulletproof hosting services (BPHS) to obfuscate their activities. BPHS provide secure hosting for malicious content and activity, and anonymity by relying on a model that promises not to comply with legal requests that would disrupt operations or result in arrests.

Mitigation strategies include:

  • Leveraging threat intelligence platforms, like Recorded Future, to assist in the monitoring of malicious service providers
  • Blacklisting servers affiliated with known-malicious BPHS’s


In the underground economy, sniffers refer to a type of malware written in JavaScript that are designed to infiltrate and steal card-not-present (CNP) data from the checkout pages of e-commerce websites.

Mitigation strategies include:

  • Performing regular audits of a website to identify suspicious scripts or network behavior
  • Preventing non-essential, externally loaded scripts from loading on checkout pages
  • Evaluating third-party plugins on an e-commerce website and monitoring for changes in their code or behavior


In order to monetize the content that threat actors have acquired, they sell stolen data in online credit card shops, account shops, and marketplaces. Money is made through the buying and selling of credentials for bank accounts, cell phone accounts, online store accounts, dating accounts, and even digital fingerprints of compromised systems to facilitate further breaches.

Mitigation strategies include:

  • Monitoring shops and marketplaces for accounts relevant to your enterprise
  • Acting on spikes in the number of accounts available in shops
  • Paying attention to credentials for non-public facing domains
  • Enabling MFA via SMS authenticator applications

For more information on the 10 types of tools and services currently used by threat actors to automate tasks, and suggested mitigations for defenders to implement, check out the full report by Recorded Future’s Insikt Group, “Automation and Commoditization in the Underground Economy.”