Many Cybercriminals Prefer Skype for Communications: Study

Cybercriminals are increasingly interested in ensuring that their communications are encrypted, and the favorite tool of many appears to be Microsoft’s Skype, according to a new report from threat intelligence firm Flashpoint.

Data collected by Flashpoint from deep and dark web cybercrime communities between 2012 and 2016 shows that ICQ, Skype, Jabber, PGP, AOL Instant Messenger, Telegram, WeChat, QQ, WhatsApp, and Kik have been the most widely used tools.

The company’s study is based on the number of mentions on Russian, Spanish, French, Arabic, Chinese, Persian (Farsi) and English language forums typically used by profit-driven cybercriminals. The study does not include Signal and Line due to the fact that these are common words in English and programming languages, but experts believe their usage by threat actors is insignificant.

An analysis of Russian underground websites showed that ICQ was the most popular back in 2012 and accounted for more than half of mentions. Skype and Jabber also accounted for 26% and 19% of mentions, respectively. By 2016, Skype became the most mentioned messaging tool, with Jabber and ICQ dropping to the second and third positions.

On Spanish-speaking forums, Skype was in the lead in 2012, but last year it dropped to second place. The most mentioned messaging platform in 2016 was ICQ, with more than half of mentions.

Researchers believe ICQ has become more popular among Spanish-speaking cybercrooks due to the influence of more sophisticated hackers from Russian communities. In fact, Russian actors are considered the most innovative and sophisticated, and they are often trendsetters.

As for French-speaking communities, PGP was the most referenced in 2012, with nearly 60% of the total mentions. Although PGP is not actually a messaging service, Flashpoint decided to include it in its study due to its popularity.

PGP continued to be popular on the French underground, but Jabber took the lead in 2016. Experts believe cybercriminals had started using it alongside PGP.

Skype was the most popular on Arabic-language forums back in 2012. WhatsApp was the most referenced last year, but Skype still managed to remain one of the favorites.

The situation has been different in China, where cybercriminals prefer applications developed by local tech company Tencent. Its QQ and WeChat apps accounted for more than 90% of mentions, both in 2012 and last year.

Persian-language communities also don’t appear to be influenced by others as much. In 2012, Yahoo Messenger was the most popular, and the favorite in 2016 was Telegram, with nearly 90% of all mentions. It’s worth noting that Flashpoint’s analysis of the Iranian underground is more general and it does not focus on financially motivated cybercrime.

On English-language underground websites, Skype was and remains the most mentioned application. In fact, Skype appears to be the most popular overall, being included in the top five messengers in all language groups.

According to Flashpoint, its study also shows that cybercriminals are increasingly interested in encrypted communications, a trend that is likely due to recent revelations of NSA surveillance, the proliferation of secure chat apps, and the influence of more sophisticated actors.

“The results of this study underscore the interconnected, agile nature of the cybercriminal ecosystem. Regardless of their language, skills, location, or affiliation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship,” Flashpoint said in its report.

“Such activities necessitate consistent access to reliable means of communication, which is why the digital communication tools examined within this study play such an integral role in facilitating cybercriminal behavior. In many instances, a cybercriminal’s livelihood may depend on his or her ability to communicate with peers while evading third-party detection. As such, the decision to utilize one communication tool over others is not taken lightly and often influenced by numerous contextual social, cultural, and geopolitical factors,” the company added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.