The business risk intelligence firm Flashpoint studied the use of communications tools across Russian, Chinese, English, Farsi/Persian, Arabic and Spanish cyber criminals.
It found that among the English-speaking group, the percentage using Skype was about 63% in 2016. This was down from nearly 81% in 2012.
Among the messaging apps used by the different language groups were Telegram, AIM, QQ, ICQ, Jabber, Kik Messenger, Xfire, Zephyr, Yahoo! Messenger, WhatsApp, Wickr, Tox, Pretty Good Privacy and others.
Most Russian underground members used Skype but the elite criminals preferred Jabber. French speakers also went for Jabber, while Arabic speakers were found to be mainly WhatsApp users.
"Skype was among the top five messengers in all of the language groups, and only in the French, Persian, and Chinese language communities did Skype not constitute a significant share of the most mentioned messengers," the study said.
"Microsoft’s bundling of Skype with its devices has likely played a large role in the application’s popularity."
However, the study found that cyber criminals had become interested in end-to-end encrypted communications which are on offer from WhatsApp, Telegram and Jabber.
This was put down to the following factors:
- Revelations of NSA surveillance that likely prompted more users to adopt more secure communications practices;
- The proliferation of encrypted communications apps, particularly in the wake of Edward Snowden’s leaks; and
- Information sharing by connectors in more sophisticated underground communities, who have transferred knowledge about secure communication practices to other less-sophisticated communities.
The Flashpoint study came to the conclusion that Russian-speaking cyber criminals were the trendsetters for other cyber-crime communities.
"(They are) well-known for their prowess and universally considered the most innovative and sophisticated actors in the cyber crime ecosystem, the study said.
"For this reason, actors from other language communities often emulate Russian cyber criminals in an attempt to raise their own levels of competency."
It said that an example was the number of mentions of ICQ across many cyber-crime language communities. "Based on usage patterns of ICQ in the general population (where ICQ has fallen into disfavour except in the countries of the former Soviet Union), one would expect to see a commensurate drop in the share of mentions across the cyber crime underground.
"In contrast, there was a general uptick across a number of communities. Given that there is no security rationale for increased mentions of ICQ (the service does not natively offer end-to-end encryption), the most plausible explanation is criminals’ desire to model themselves more closely to Russian-speaking criminals or adopt the technology to facilitate communication with Russian-speaking actors," the study said.
The study relied on mentions of social media platforms in the underground communities monitored by Flashpoint. These observations were used as a proxy for gauging interest in and use of these messaging services. Communities who were studied are involved or interested in financially-motivated cyber crime, apart from the Iranians who form part of the study.