
A Declassified Look Inside the Dark Economy of Cybercrime

Cybercrime has evolved into a highly organized, corporate-style economy, complete with specialized departments and multi-million-dollar revenues generated through tech support and subscription scams. Threat actors are increasingly leveraging generative AI for deepfakes and automated vishing, prompting defenders to adopt AI-driven countermeasures and behavioral tests to disrupt these social engineering operations.

Confidence: high | Analyzed: 2026-03-24 | Category: reports

Authors: Huntress

Actors: Tech Harbor Services, DK Business Patron

Source: Huntress

Key Takeaways

  • Cybercrime operates as a highly organized, corporate-style economy with specialized departments like HR, IT, and Quality Assurance.
  • Scam centers often hide behind legitimate businesses, generating millions annually through tech support, BEC, and subscription scams.
  • Threat actors are actively leveraging generative AI to create convincing deepfakes, fake passports, and automated robocalls.
  • Defenders are utilizing AI personas (e.g., O2's Daisy) and automated systems (rescam.org) to waste scammers' time and resources.
  • A practical defense against deepfake video calls is asking the caller to hold up three fingers to test if the facial overlay breaks.

Affected Systems

  • General Users
  • Financial Institutions
  • Telecommunications

Attack Chain

Cybercriminals establish organized call centers, often fronting as legitimate businesses, to execute tech support, BEC, and subscription scams at scale. Operators use spoofed phone numbers and social engineering tactics to deceive victims into transferring funds or providing sensitive information. Advanced operations incorporate generative AI to create deepfake identities and automated robocalls, increasing the sophistication and success rate of their social engineering campaigns.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No technical detection rules are provided in the article, as the focus is on social engineering and cybercrime business operations.

Detection Engineering Assessment

  • EDR Visibility: None — The threats described rely on voice calls, deepfakes, and social engineering outside the scope of traditional endpoint telemetry.
  • Network Visibility: Low — Scam communications often occur over standard telecommunications or encrypted video conferencing platforms, making network-level inspection difficult.
  • Detection Difficulty: Hard — Detecting these threats relies heavily on user awareness and identifying social engineering tactics rather than technical signatures.

Required Log Sources

  • Telephony/Call Logs
  • Email Gateway Logs

Hunting Hypotheses

  • Hypothesis: Users receiving inbound calls from numbers closely resembling legitimate financial institutions may be targeted by number-spoofing subscription scams.
    Telemetry: Telephony logs | ATT&CK Stage: Initial Access | FP Risk: High
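As an added example (not code from the Huntress article or from this report), the hunting hypothesis above can be turned into a simple lookalike-number check over telephony logs: an inbound caller whose digit string is within a small edit distance of a known institution number, but is not an exact match, is flagged for review. The CDR-style log format, the institution numbers, and the distance threshold are constructed assumptions for illustration.

```python
import re

# Constructed reference list of legitimate institution numbers (placeholder values, not real lines).
KNOWN_INSTITUTION_NUMBERS = {
    "+18005550123": "Example Bank support line",
    "+18005550999": "Example Credit Union fraud desk",
}

# Constructed telephony log lines: timestamp,direction,caller,callee,duration_seconds
SAMPLE_CALL_LOG = """\
2026-03-24T09:01:12Z,inbound,+18005550123,+14155550100,312
2026-03-24T09:14:55Z,inbound,+18005550128,+14155550100,540
2026-03-24T09:20:03Z,inbound,+18885550123,+14155550101,45
2026-03-24T09:31:40Z,outbound,+14155550100,+18005550123,120
2026-03-24T09:45:09Z,inbound,+14155550777,+14155550102,60
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(number: str) -> str:
    """Keep only digits so +1 (800) 555-0123 and +18005550123 compare equal."""
    return re.sub(r"\D", "", number)


def find_lookalike_callers(log_text: str, known=KNOWN_INSTITUTION_NUMBERS, max_distance: int = 2):
    """Flag inbound calls whose caller number is near, but not equal to, a known institution number."""
    known_digits = {normalize(n): label for n, label in known.items()}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, direction, caller, callee, _duration = line.split(",")
        if direction != "inbound":
            continue
        digits = normalize(caller)
        if digits in known_digits:
            continue  # exact match: the genuine institution, not a lookalike
        best_ref, best_d = min(((r, levenshtein(digits, r)) for r in known_digits), key=lambda t: t[1])
        if best_d <= max_distance:
            hits.append({"timestamp": ts, "caller": caller, "callee": callee,
                         "resembles": known_digits[best_ref], "distance": best_d})
    return hits
```

The FP risk noted in the table remains: a distance of 2 on a short digit string will also match unrelated numbers, so the output is a hunting lead to pair with call duration and user reports, not a blocking rule.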

Control Gaps

  • Lack of deepfake detection capabilities on standard video conferencing platforms
  • Inadequate verification mechanisms for inbound tech support or banking calls

Key Behavioral Indicators

  • Slight delays in voice responses indicating potential AI robocalls
  • Visual artifacts or overlay failures in video calls when users are asked to perform specific physical actions (e.g., holding up fingers)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Educate users on the 'three fingers' test to identify deepfake video calls.

Infrastructure Hardening

  • Implement strict verification protocols for inbound communications claiming to be from IT, HR, or financial institutions.

User Protection

  • Deploy AI-based email and communication filtering to catch sophisticated BEC and phishing attempts.

Security Awareness

  • Train employees on the corporate structure of modern cybercrime to dispel the 'lone hacker' myth and increase vigilance.
  • Encourage immediate reporting of suspicious tech support pop-ups and unsolicited phone calls.

MITRE ATT&CK Mapping

  • T1566.004 - Phishing: Spearphishing Voice
  • T1589.001 - Gather Victim Identity Information: Credentials
  • T1586 - Compromise Accounts