Axios Codebook

May 19, 2023
TGIF, everyone. Welcome back to Codebook.
- I'm still in shock that I'm reading about my favorite reality TV show in the NYT. Life is funny that way.
- Have thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,467 words, a 5.5-minute read.
1 big thing: Fighting the rise of "infostealer" malware
Illustration: Annelise Capossela/Axios
Law enforcement has set its sights on criminal marketplaces like Genesis Market over the last year as ransomware gangs have increased their reliance on stolen login credentials and malware-as-a-service to launch their attacks.
The big picture: Genesis stood out to law enforcement because it facilitated sales of stolen passwords, as well as access to bot computers already infected with so-called infostealer malware, which could be used to steal a victim's information.
- Last year, nearly three in 10 ransomware attacks started with attackers using a stolen password, according to Sophos' "State of Ransomware" report.
Why it matters: Infostealer malware gives cybercriminals a low-cost, guaranteed way of obtaining usable passwords and cookie information — and interest in the malware has been soaring on dark web hacker forums over the last year.
- Rather than combing through the hordes of old passwords dumped on the dark web to find a combination that still works, cybercriminals can instead deploy this malware themselves to get fresh data — or turn to markets like Genesis to buy new data other gangs obtained using this malware.
- While the U.S. Department of Justice seized 11 domain names tied to Genesis last month, a few reports this week suggest that the infostealer malware ecosystem is still thriving despite law enforcement's efforts.
How it works: Infostealer malware is often deployed through malicious apps or phishing links.
- One example is a recent ChatGPT-related app scam: Hackers embedded infostealer malware in a fake ChatGPT browser extension that siphoned any data stored in someone's browser within minutes of being installed.
- Researchers estimated that the malware collected upward of 4 million login credentials from personal and corporate accounts.
Between the lines: Infostealer malware has been around for years, but the difference now is how many criminals are relying on the data stolen through it.
- Before the 2021 ransomware attack on Colonial Pipeline, a lot more attacks started through malicious deployment tools, such as cracked versions of Cobalt Strike, Don Smith, vice president of threat research at SecureWorks, told Axios.
- Now, most gangs have ditched those tools — which have also attracted law enforcement and private sector attention — in favor of stolen passwords and infostealer malware.
- "It's growing significantly," Smith said. "It's healthy; you would almost argue that it's mature."
State of play: Genesis was one of the three go-to marketplaces for such malware and the data that criminals have stolen using it.
- Despite the takedown, Genesis' dark web site is still operational, and criminals are still publishing new sale listings, although at a slower rate than before, researchers at SecureWorks said in a report this week.
- Russian Market is the largest marketplace, and researchers are watching closely to see if criminals bring their business there, instead of Genesis, after the takedown. At the end of February, more than 5 million data logs were for sale on Russian Market, per the SecureWorks report.
- 2easy — another infostealer marketplace — has been around since 2018, and as of February, as many as 750,000 browser logs were being sold on the site, SecureWorks researchers said.
Yes, but: Law enforcement's Genesis takedown still had a significant impact on trust among the marketplace's buyers and sellers, Andras Toth-Czifra, senior analyst of global intelligence at Flashpoint, told Axios.
- "People don't know who operates it, and they're afraid that it's a honeypot," Toth-Czifra said. "Even if it's not a takedown, I don't think Genesis will come back from this."
2. Microsoft warns of an overlooked cybercrime
Illustration: Aïda Amer/Axios
An often-overlooked cybercrime tactic is getting more sophisticated and growing in popularity among criminal gangs, Microsoft warned in a report released today.
Why it matters: Business email compromise — where a criminal poses as someone a victim regularly interacts with in their daily lives to lure them into sending money or confidential information — remains one of the most lucrative tactics for cybercriminals.
- Last year, the FBI saw nearly 22,000 complaints about business email compromise cases and reported losses of more than $2.7 billion tied to these scams.
- However, this tactic is often eclipsed in public conversations about cybercrime by ransomware and data theft.
The big picture: Microsoft detected and investigated 35 million attempted cases of business email compromise between April 2022 and last month, according to the report. The company also warned that "nearly all forms of BEC attacks are on the rise."
- Attackers in these scams have started adopting new tools and tricks to evade traditional email security tools, such as those that flag when an employee is sending an email from a different location, Microsoft warned.
What they're saying: "Microsoft shares federal law enforcement and other organizations' concern that this trend can be rapidly scaled, making it difficult to detect activity with traditional alarms or notifications," Vasu Jakkal, corporate vice president of security at Microsoft, wrote in a blog post.
The intrigue: One of the new tools attackers have latched onto is BulletProofLink, which helps users do everything from setting up email templates to hosting malicious sites linked in the phishing emails.
- The attackers will also purchase IP addresses from third parties to create "residential IP proxies" that allow cybercriminals to "mask their origin" so it looks like the email came from the same place their victims are based, the Microsoft report said.
- After those tools are in place, attackers need only rely on their social engineering skills to craft a believable message, per the report.
Be smart: Microsoft suggests organizations set up their email systems to flag messages sent from external parties and retrain employees to spot the warning signs of a malicious email.
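The two controls this item describes, tagging external mail and catching a sender who poses as a known colleague, can be checked at the mail gateway before a message reaches an inbox. The following is an added example and is not Microsoft's product logic or anything from the report: the internal domain example.com, the employee directory and the three sample messages are all constructed, and the lookalike domain examp1e.com is a placeholder.

```python
"""Tag external senders and flag display-name impersonation at the gateway.

Added example (not Microsoft's product logic): the internal domain, the
employee directory and the three sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # constructed: the organization's own mail domain

# Constructed directory of display names a BEC sender might try to pose as.
EMPLOYEE_DIRECTORY = {
    "Dana Ruiz": "dana.ruiz@example.com",
    "Lee Chen": "lee.chen@example.com",
}

# Constructed raw messages; only the headers matter for this check.
SAMPLE_MESSAGES = [
    # 1: genuine internal mail
    "From: Dana Ruiz <dana.ruiz@example.com>\n"
    "To: lee.chen@example.com\n"
    "Subject: Q2 invoice approval\n\nPlease approve.\n",
    # 2: external sender reusing an executive's display name on a lookalike domain
    "From: Dana Ruiz <dana.ruiz@examp1e.com>\n"
    "To: lee.chen@example.com\n"
    "Subject: Urgent wire today\n\nNeed this before noon.\n",
    # 3: ordinary external vendor mail
    "From: Billing <billing@vendor.invalid>\n"
    "To: lee.chen@example.com\n"
    "Subject: April statement\n\nAttached.\n",
]

EXTERNAL_TAG = "[EXTERNAL] "


def _normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'dana  RUIZ' matches 'Dana Ruiz'."""
    return " ".join(name.lower().split())


def _sender_domain(addr: str) -> str:
    """Domain part of an address, lower-cased; empty when there is no '@'."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(raw_message: str) -> dict:
    """Return the external/impersonation verdict and the subject to deliver."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    external = _sender_domain(addr) != INTERNAL_DOMAIN

    # Display-name impersonation: an external address presenting a real employee's name.
    known_names = {_normalize_name(n) for n in EMPLOYEE_DIRECTORY}
    impersonation = external and _normalize_name(display_name) in known_names

    # Prepend the external tag once, so staff see it in the subject line.
    subject = msg.get("Subject", "")
    if external and not subject.startswith(EXTERNAL_TAG):
        subject = EXTERNAL_TAG + subject

    if impersonation:
        action = "quarantine"
    elif external:
        action = "deliver_tagged"
    else:
        action = "deliver"
    return {
        "sender": addr,
        "external": external,
        "display_name_impersonation": impersonation,
        "subject": subject,
        "action": action,
    }


def classify_all(messages=SAMPLE_MESSAGES) -> list:
    """Classify every sample message; used by the demo and the checks."""
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for verdict in classify_all():
        print(verdict)
```

The display-name check is deliberately separate from the external tag: tagging alone still delivers message 2, which is exactly the message a BEC operator wants read, so a name match on an external address is escalated to quarantine rather than merely labelled.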
3. Manifest Cyber lands two government contracts
Illustration: Eniola Odetunde/Axios
Software transparency startup Manifest Cyber landed two key government contracts and closed a $6 million seed round to help agencies and critical infrastructure organizations understand what's in the software they run, the company first told Axios.
Why it matters: Few organizations understand what components or open-source programs are running in the software they use, making it difficult to know what security flaws actually affect them.
- The Biden administration has been pushing agencies and critical infrastructure in recent years to invest in what's known as a software bill of materials (SBOM) that acts as an ingredients list for their tech stacks.
Driving the news: Manifest Cyber — a one-year-old startup founded by former Pentagon and Palantir employees — unveiled two contracts on Thursday with the Department of Homeland Security and the Air Force that will help federal agencies and the military figure out how to properly maintain their new SBOMs.
- Under the DHS contract, Manifest will help develop tools for federal agencies to read, update and study the SBOMs they create.
- As part of the Air Force contract, Manifest is partnering with Tufts University's Fletcher School to study the Air Force's current software stack and research new tools Manifest might need to develop to help the military branch maintain its own SBOMs.
The big picture: Manifest specializes in helping organizations update and scan generated SBOMs.
- While it doesn't take much effort to create an initial SBOM, SBOMs do require routine maintenance as new security vulnerabilities are discovered and malicious hackers start exploiting those flaws.
- "When we looked around, we saw that there wasn't really anybody who is handling the end-to-end lifecycle of an SBOM," Marc Frankel, co-founder and CEO of Manifest, told Axios.
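The maintenance step described above amounts to re-scanning an SBOM you already generated whenever a new advisory lands. The following is an added example, not Manifest Cyber's tooling or anything from the article: the SBOM follows the CycloneDX JSON layout, but its component names, versions and advisory IDs are constructed placeholders, not real packages or CVEs, and the version comparison is a simple dotted-integer ordering.

```python
"""Re-scan an existing SBOM against a newer advisory list.

Added example, not Manifest Cyber's tooling: the SBOM below follows the
CycloneDX JSON layout, but its component names, versions and the advisory
IDs are constructed placeholders, not real packages or CVEs.
"""
import json

# Constructed SBOM (CycloneDX JSON, trimmed to the fields this check reads).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "acme-parser", "version": "1.4.2"},
        {"type": "library", "name": "acme-net", "version": "2.31.0"},
        {"type": "library", "name": "acme-crypto", "version": "3.0.8"},
        {"type": "library", "name": "acme-ui"},  # version omitted: a data-quality gap
    ],
})

# Constructed advisory feed published after the SBOM was generated (placeholder IDs).
SAMPLE_ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "name": "acme-parser", "fixed_in": "1.5.0"},
    {"id": "ADV-PLACEHOLDER-2", "name": "acme-crypto", "fixed_in": "3.0.9"},
    {"id": "ADV-PLACEHOLDER-3", "name": "acme-net", "fixed_in": "2.20.0"},
]


def parse_version(version: str) -> tuple:
    """Turn '1.4.2' (or '1.4.2-rc1') into a comparable tuple of integers."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str, fixed_in: str) -> bool:
    """Affected when the recorded version is older than the first fixed release."""
    return parse_version(version) < parse_version(fixed_in)


def scan_sbom(sbom_json: str, advisories: list) -> list:
    """Match every SBOM component against the advisories and report findings."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")

    advisories_by_name = {}
    for adv in advisories:
        advisories_by_name.setdefault(adv["name"], []).append(adv)

    findings = []
    for comp in sbom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        if not name or not version:
            # An entry without a version cannot be matched; surface it rather than skip it.
            findings.append({"component": name, "issue": "missing name or version"})
            continue
        for adv in advisories_by_name.get(name, []):
            if is_affected(version, adv["fixed_in"]):
                findings.append({
                    "component": name,
                    "version": version,
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed_in"],
                })
    return findings


if __name__ == "__main__":
    for finding in scan_sbom(SAMPLE_SBOM, SAMPLE_ADVISORIES):
        print(finding)
```

Note that the unversioned component is reported as a finding of its own: an SBOM that cannot be matched against advisories gives false comfort, so gaps in the inventory are treated as work items alongside the matched advisories.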
4. Catch up quick
@ D.C.
Five TikTok creators are suing Montana's attorney general over the state's plans to ban residents from using the social media platform. (Axios)
An FTC investigation found that a popular fertility tracking app repeatedly shared sensitive information with third parties without users' permission. (CyberScoop)
Customs and Border Protection is using an AI-powered tool to surveil the social media posts of travelers, including U.S. citizens, refugees and asylum seekers, according to an internal agency document. (Vice)
@ Industry
OpenAI released a legitimate ChatGPT iPhone app amid a rise in malicious ChatGPT-themed apps. (Axios)
Cybersecurity consulting firm Krebs Stamos Group has laid off six employees. (TechCrunch)
Security pros are concerned that Google's move to push .zip and .mov domains could be a boon for online scammers. (Ars Technica)
@ Hackers and hacks
A computer located in Russia was used to breach the D.C. area's metro system earlier this year, according to a watchdog report. (Washington Post)
The U.S. is offering a $10 million reward for information about the Russian hacker believed to be behind the 2021 ransomware attack on the D.C. police department. (CNN)
Campus blueprints, alarm schematics and the location of surveillance cameras were all stolen during the ransomware attack on Minneapolis Public Schools earlier this year. (CBS)
5. 1 fun thing
Illustration: Sarah Grillo/Axios
I found this pretty interesting: A relatively new ransomware gang is putting a twist on traditional extortion methods and demanding victims send their ransom payments instead to a charity.
- Not sure that really outweighs the criminal hacking going on, but let's see how long this lasts.
See y'all on Tuesday!
Thanks to Peter Allen Clark for editing and Khalid Adad for copy editing this newsletter.
If you like Axios Codebook, spread the word.
Decode key cybersecurity news and insights. With Sam Sabin.