Dark Motives Online: An Analysis of Overlapping Technologies Used by Cybercriminals and Terrorist Organizations


Trend Micro

Cybercriminal activities have always involved the abuse of legitimate online tools and services. Examples of these activities come in many forms and can be found everywhere—from using vulnerabilities in software, websites, and web applications as attack vectors, to hosting malicious components in cloud services, to leveraging clickbait posts and links on social networking sites to lure hapless users into falling for their schemes. No matter what technology or service rolls out in the future, there will always be room for abuse.

During the course of our research on cybercrime, we found that one particular group appears to share the same level of proficiency as cybercriminals in abusing legitimate services: terrorist groups, who can be considered cybercriminals in their own right, as their online activities also run afoul of the law. The two groups have different motives, though: cybercriminals are motivated by financial gain, while terrorists aim to spread propaganda instead of malware.

This research is about how cybercriminals and terrorists overlap in their abuse of technology and online platforms to benefit their cause. We will focus on their methodologies, the services they abuse, and the tools they’ve homebrewed to streamline said abuse so that their followers can facilitate their activities much more easily.

Aiming for Anonymity

Due to the obviously illegal nature of their goals, cybercriminals and terrorists share the need to remain untraceable and anonymous online. Both groups are known to abuse tools and services that were developed to help those who have a legitimate reason to hide their identities (such as journalists, whistleblowers, and activists). Some examples of these tools include anonymizing programs such as Tor, and certain encryption tools found in the Deep Web.

Another example of a web service we saw being abused by terrorists is the DDoS mitigation service Cloudflare. A legitimate service designed to provide a working mirror for websites that are either experiencing heavy traffic or being subjected to denial of service attacks, Cloudflare is abused to hide the real IP address of the server hosting the website. We’ve seen this used time and again by cybercriminals looking to distract or delay authorities trying to track the location of their hosted servers. We found that terrorists have also begun to adopt Cloudflare to give propaganda websites another level of anonymity.

Besides this, we’ve also spotted terrorists adopting and distributing ‘anonymizing’ guides. Originally meant for activists and journalists, these guides are being distributed to their followers, evidently to teach new or uninitiated members ways to avoid being spied on. Some of these guides even mention the National Security Agency and how to avoid surveillance…