Lessons from the Movie Industry – Sequels are Profitable

Some of the most profitable movies ever made include sequels, for example two Twilight movies, two from the Pirates of the Caribbean series, both Avengers movies and four Harry Potter films. Why? The base of fans is established, the formula works and typically there are efficiencies in replication rather than starting from scratch. In other words, the risk/reward ratio is attractive.

Threat actors think much the same way. Why not bring back a “good” idea that was previously profitable?

The re-opening of the xDedic marketplace is the most recent example of a malicious “sequel.” xDedic closed down on June 16, 2016 following the release of a report on its activity by Kaspersky Lab. The marketplace reportedly offered compromised servers for sale and when it closed down had more than 70,000 available for purchase. References to the new domain are emerging in threads on criminal forums, although it is still too early to assess the site’s current traffic volume. Given, however, that the previous site was attracting 30,000 users a month at the time it closed down, it is likely that awareness and use of the new site will increase in the coming weeks and months.

Cybercrime Forums Often Re-Open

Another example is the Armada Collective, a bad actor that used the threat of DDoS attacks in an attempt to extort Bitcoin (BTC) payments from targeted companies, individuals and organizations. Armada Collective was first reported in September 2015 and continued until December 2015, targeting financial services firms, hosting providers, email providers and casinos with ransom demands of between 10 and 200 BTC (at the time, approximately $4,500 to $90,000). In March 2016, reporting of Armada Collective activity re-emerged with campaigns launched against a number of financial institutions in Switzerland. Slight differences in the emails sent in this new round of attacks indicate that this is likely a copycat actor seeking to capitalize on the previous successes of Armada Collective. The absence of an actual attack or any proof of capability reinforces this theory.

And finally, the dark web criminal forum Hell, where hackers and criminals share stolen data and hacking tips, came back online in January 2016 after a six-month hiatus. The site was discovered to be unavailable in July 2015, coinciding with the arrest of PING, a prominent forum member and administrator. Hell achieved notoriety when it was revealed that the personal information and sexual preferences of approximately four million users of Adult Friend Finder had been posted on the site. The new version of the site uses the same logo and tag line but it has been re-designed and incorporates tighter security measures, likely in an attempt to thwart law enforcement operations targeting such forums. Analysis reveals that Hell seems to have lost a portion of its user base, probably due to suspicions among some users that the site is being operated by law enforcement and used as a honeypot.

In each of these instances, news of a shutdown typically causes security professionals and organizations to breathe a collective sigh of relief: another cybercriminal has been defeated. But as history has shown, when a criminal operation has been profitable, defenders need to remain alert.

Cybercrime is by nature highly volatile, so maintaining a keen awareness of this constantly changing landscape is key for organizations. This is where cyber situational awareness can help. When done right, it can provide the understanding required to stay ahead of emerging threats, monitoring millions of unique sources in multiple languages across the visible, dark and deep Internet using advanced natural language processing and machine learning technologies. But this volume of information can be overwhelming, so it must be tailored to your organization so that you only see the intelligence that is relevant to you. Understanding the most active actors and campaigns you should be concerned with, the level of threat they pose, a timeline of their activity and their links to other actors and campaigns will allow you to connect the dots and discover threats that have re-emerged, the ones you thought you no longer had to worry about.

As recent events have shown, you shouldn’t let your guard down because a threat actor or operation appears to have been shut down. When there is money involved, the same or other criminals will find a way to bring back a sequel. With cyber situational awareness you can remain vigilant – always on the lookout for the next iteration of a threat or campaign.
