Radware Ltd.

04/07/2025 | Press release | Distributed by Public on 04/07/2025 12:28

Radware Study: Analysis of Over 26,000 Web Forum Threads Reveals Cyber Threats to Financial Services

The cybersecurity landscape is witnessing a significant transformation with threat actors adopting increasingly sophisticated approaches to bypass security measures. In 2024, Radware's research team conducted extensive analysis on 46 deep-web hacker forums and over 26,000 threat actors' forum threads. This research provides new insights into emerging cyber threats and their potential impact on the financial services industry.

1. The Rise of the Infostealer Economy

Radware's analysis reveals a thriving underground economy centered around information-stealing malware. On average, we observed 3-4 daily mentions of unique "infostealer-as-a-service" offerings on each monitored deep-web forum. The content analysis showed a clear split in the ecosystem: 56% of mentions relate to infostealer-as-a-service offerings, while 44% consist of breached credentials being shared for free to boost sellers' reputations.

We've observed several common factors across most of the new infostealer ads:

  1. Compatibility with other hacking tools: As threat actors' toolsets grow more sophisticated each year, developers choose what to build accordingly. Infostealer developers prioritize features that address the factor with the most influence on a buyer's decision: compatibility with other hacking tools.

  2. Modularity: By providing plug-ins and modules, threat actors can tailor their stealer offerings to meet the specific needs of their customers. According to our review of the new 2024 features collected from infostealer ads, it appears that developers are targeting different user segments:

    a. Individual threat actors: Infostealer developers offer individual threat actors low-priced plans, polished yet simple UIs, and full technical support.

    b. APT groups: Infostealer developers offer APT groups dedicated features for their primary targets, which are corporate accounts. For example, Mystic Stealer (see screenshots below) offers a dedicated feature to steal passwords from Outlook, since most corporate organizations use it. We will soon hear more about ransomware attacks that establish initial access to an organization's network using software such as Mystic Stealer.

2. Credential-as-a-Service Clouds

A particularly concerning trend is the emergence of credential-as-a-service platforms, which operate on a subscription model. On a daily or weekly basis, these services provide customers with freshly breached credentials sorted by industry and geographic location.

For instance, one prominent service, Combo Cloud, saw a 46% increase in mentions between 2022 and 2024 while simultaneously experiencing a 22% decrease in credentials distributed as text files, indicating a shift toward more sophisticated distribution methods.

3. The OTP Bot Revolution

One of the most significant developments of 2024 is the rise of "OTP (One-Time Password) bots": underground, illegal services operated via Telegram that enable threat actors to automate social engineering.

How do OTP Bots Work?

  1. Threat actors begin with a credential stuffing attack, using previously leaked username-password combinations to attempt logins on various online services. When login attempts fail due to two-factor authentication (2FA) requirements, the attackers log these accounts as potential targets for an OTP bot attack.

  2. Using an external OTP bot service, operated via Telegram bots (see screenshot), the threat actors input a victim's name and the name of a bank associated with the target (obtained from the credential stuffing attack).

  3. The OTP bot, using pre-recorded or AI-generated voice calls and SMS messages, impersonates a legitimate entity (e.g., a bank, online service, or customer support). Victims receive urgent requests to provide the OTP sent to their device, often under the guise of fraud prevention or account verification.

  4. Many victims, unaware that the request is fraudulent, disclose the OTP. The threat actors use it to pass the 2FA check for the targeted account, then change the account's password and 2FA phone number, locking out the legitimate holder with no way to reset the password. The victim is now unable to recover access, and the attackers gain full control over the account.
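To show how a defender can spot this four-step sequence in authentication logs, here is an added detection example (not code from Radware's report): it correlates a 2FA challenge that was never answered (the credential-stuffing probe of step 1) with a later passed challenge that is immediately followed by a password change and a 2FA phone-number change (step 4). The log format, event names, sample lines and time thresholds are all assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the report): "<ts> <account> <ip> <event>".
# alice: password accepted but 2FA never completed (the stuffing probe), then 90
# minutes later 2FA passes from a new IP and both recovery factors are changed.
# carol: normal 2FA login followed by a password change, with no earlier probe.
SAMPLE_LOG = """\
2024-05-18T09:00:05 alice 203.0.113.7 PW_OK
2024-05-18T09:00:06 alice 203.0.113.7 MFA_CHALLENGE
2024-05-18T10:31:40 alice 198.51.100.9 PW_OK
2024-05-18T10:31:41 alice 198.51.100.9 MFA_CHALLENGE
2024-05-18T10:32:30 alice 198.51.100.9 MFA_OK
2024-05-18T10:33:02 alice 198.51.100.9 PASSWORD_CHANGED
2024-05-18T10:33:40 alice 198.51.100.9 MFA_PHONE_CHANGED
2024-05-18T11:00:00 carol 192.0.2.44 PW_OK
2024-05-18T11:00:01 carol 192.0.2.44 MFA_CHALLENGE
2024-05-18T11:00:20 carol 192.0.2.44 MFA_OK
2024-05-18T11:05:00 carol 192.0.2.44 PASSWORD_CHANGED
"""
ZERO = timedelta(0)

def find_otp_bot_takeovers(log_text, stall=timedelta(minutes=5),
                           lookback=timedelta(hours=72),
                           takeover_window=timedelta(minutes=15)):
    """Flag accounts showing the page's sequence: an unanswered 2FA challenge
    (step 1), then a passed challenge followed by password + 2FA phone change."""
    by_account = defaultdict(list)
    for line in log_text.splitlines():
        ts, account, ip, event = line.split()
        by_account[account].append((datetime.fromisoformat(ts), ip, event))
    hits = {}
    for account, events in by_account.items():
        events.sort()
        passed = [t for t, _, e in events if e == "MFA_OK"]
        # Step 1 signal: challenge issued but no MFA_OK within the stall window.
        stalled = [(t, ip) for t, ip, e in events if e == "MFA_CHALLENGE"
                   and not any(ZERO <= p - t <= stall for p in passed)]
        for i, (t, ip, event) in enumerate(events):
            probe = [s for s in stalled
                     if event == "MFA_OK" and ZERO <= t - s[0] <= lookback]
            if not probe:
                continue
            # Step 4 signal: both recovery factors rotated right after 2FA passed.
            after = {e for u, _, e in events[i + 1:] if u - t <= takeover_window}
            if {"PASSWORD_CHANGED", "MFA_PHONE_CHANGED"} <= after:
                hits[account] = {"probe_ip": probe[0][1], "takeover_ip": ip,
                                 "takeover_at": t.isoformat()}
    return hits
```

The differing probe and takeover IPs in the result are the typical tell: the stuffing tool and the operator who redeems the phished OTP rarely share infrastructure, so both addresses are worth feeding back into blocklists and fraud review.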

According to ads collected from multiple forums, 38 OTP bot services are currently available for $10 to $50 per attack. These services have seen a 31% increase in mentions between 2023 and 2024, with 1,354 references recorded during our research period alone.

These bots represent a sophisticated evolution in social engineering attacks. Rather than requiring attackers to personally engage with victims, the bots impersonate legitimate financial services and manipulate targets into sharing their two-factor authentication codes. Automating this process has made these attacks more scalable and more challenging to detect.

4. The New Generation of DDoS Attacks

The DDoS-as-a-service ecosystem has experienced remarkable growth, with 34 distinct tools competing for over 196,000 followers. What makes this trend particularly alarming is the democratization of attack capabilities. Our research indicates that virtually anyone with access to Telegram and $50 can launch attacks generating up to 35,000 requests per second from a mobile device.

A notable innovation in this space is the integration of AI capabilities. On May 18, 2024, we documented the emergence of "Stressed Cat," a DDoS tool that showcases advanced captcha-solving capabilities. Unlike traditional DDoS tools that attempt to bypass captchas, this new generation employs AI to solve them, enabling more efficient attacks with fewer bot sessions and effectively evading captcha-reliant detection systems.

Key Insights and Implications

  1. The decentralization of cybercrime has reached new heights, with threat actor forums facilitating complete separation between attack developers and executors. This separation of roles makes attribution and law enforcement intervention increasingly challenging.

  2. Cybersecurity professionals must fundamentally rethink traditional security approaches. They need to shift from a defender mindset, focused on searching for potential threats in their logs, to a proactive offensive perspective that heavily relies on external cyber threat intelligence gathered from deep and dark web platforms.
