(NOT) Lost in Translation – Why Your Language Doesn’t Matter to Cybercriminals
Irina Nesterovsky, Chief Research Officer
At KELA, we meet and work with companies from various geographies and languages, yet everyone keeps asking the same question: “Do you cover Spanish/French/Arabic/Younameit cybercrime sources?” First, the answer is “yes” (isn’t that always the case?), but we also have a more in-depth one: a threat against any company, no matter the vertical, no matter the size, is not confined to a language or geography.
What’s interesting about cybercrime, especially cybercrime targeted at enterprises and their clients, is that the criminals perpetrating it don’t have to be your countrymen or even speak your language to pose a threat to your organization.
As an example, let’s look into some of the most high-profile cybercrime communities, where members discuss various schemes and trade in network accesses, databases, and other goods just for monetary gain. Those communities – taking the Exploit and XSS forums as an example – happen to be run by Russian-speaking threat actors, who also use English to correspond with their foreign fellow cybercriminals. The targets and victims discussed by those cybercriminals vary and can include any company worldwide, regardless of where it is based. And while, as seen in KELA’s review of Initial Access Brokers trends, the leading country with companies compromised through network access is still the US, it is followed by the UK, Brazil, Canada, and India.
Screenshots from the (mostly) Russian-language cybercrime forum Exploit – threat actors offer access for sale to corporations worldwide, doing so both in Russian and English – regardless of the organization’s location and language.
A similar example is BreachForums, the “heir” to the infamous RaidForums, which, like its predecessor, operates in English, as do most of its users, despite offering for sale multiple breached databases, in various languages, of companies worldwide.
Several offers documented by KELA of threat actors leaking breached databases – from France, Japan, and a global one
Automated underground marketplaces that offer a variety of services – from RDP servers to online shopping accounts to various credentials harvested from malware-infected machines – serve as an additional example of the “internationality” of the cybercrime ecosystem. By presenting an English user interface, those platforms enable cybercriminals from anywhere in the world to purchase their desired services – which would often be corporate access and email credentials – regardless of their or their victim’s location.
Let’s look into an automated marketplace called xLeet (stylized as x1337). The market has a specific “Business” section aimed at corporate credentials, which does not discriminate between the geographies the stolen items originate from and hence does not favor a victim for its language. The offers include, among others, access to corporate email inboxes in Office365 for prices in the range of 10 – 30 USD. Those can be used for spamming, BEC (Business Email Compromise), and multiple other attacks. Below is a small snippet from the marketplace – with accounts offered from Taiwan, Germany, France, and others – on an English-interfaced platform and by actors who probably speak none of those languages.
To make the case even more prominent, let’s dive into some cybercrime communities that operate in a language other than English or Russian. CrimeNetwork is a German-language cybercrime forum where requests to buy and sell products related to other countries are often seen:
From German: I’m looking for ready-made La Caixa accounts from Spain
Another European forum is Cebulka, a Polish-language cybercrime community. Various “international” offers can be found there, including the below offer to cooperate on a ransomware project. The author is seeking teammates who speak German, Russian, English, and other languages to perpetrate the scheme.
Screenshot from KELA’s cybercrime intelligence platform, documenting the above offer from February 2022.
Outside of Europe, some Chinese-language platforms are offering non-Chinese data:
The database of an Argentinian loans company is offered for sale on the Chinese-language market 交易市场 Exchange
Finally, as mentioned earlier, cybercriminals want to be a part of a thriving community where they can learn, share and trade information (and services). For this reason, we can see posts in (broken) Russian on Exploit or XSS forums, in Chinese on the RAMP forum (initially set up for Russian-speaking cybercriminals and now trying to attract Chinese speakers), and in other languages across all of the platforms.
A user of the fraud/carding-oriented forum WWHClub posted in Russian, offering a database of 1.5 million PII information of US citizens. For a native speaker, however, it is clear that this user is not one.
A response to the above post by a user named “ikaos” who did not bother using Russian or English for his question on whether Ploutos is selling this database
With the many examples shown above, it is even more clear that cybercriminals operate internationally. And while it is important to be familiar with, research, and monitor the local cybercrime ecosystem for the country in which organizations operate – this is not the sole indication of the threat level against them. The quality and relevance of sources in which cybercrime activities can be traced, regardless of the operation’s geography or language, are key for protecting your company and should be a top standard when choosing your cybercrime prevention tools.