Much of the Russian cybercrime underworld is an enigma, but one technology serves as a crucial common link across all of it: Jabber.
In a space of cutting-edge tech, creativity and crime, the 18-year-old instant messenger is the most popular communication tool among Russian-speaking cybercriminals, according to new research from the security firm Flashpoint. It’s how hackers make deals, share intelligence and offer tech support on their malware products. While it already reigns in Russian communities, Jabber is simultaneously rising in popularity for cybercriminals around the world.
It’s a testament not only to the quality of the technology, but also to the influence of hacking trends set in Russia.
“In the cybercriminal economy, Jabber is seen as the gold standard for communication,” Leroy Terrelonge III, a senior researcher at the security firm Flashpoint, told CyberScoop.
Jabber (also known as XMPP or Extensible Messaging and Presence Protocol) is an open-source, federated instant messenger with thousands of independent servers and upwards of 10 million users around the world. The technology runs behind the scenes of major products like HipChat, the popular private communication platform, as well as video game chat apps on Sony’s PlayStation and Electronic Arts’ Origin. WhatsApp, with well over a billion users, runs on a variant of XMPP. Journalists and privacy activists alike often maintain accounts.
Long time in the field
With Russians as the vanguard, “Jabber has a bright future in the cybercrime community,” Terrelonge said.
A lot of what makes Jabber highly usable for enterprises also makes it ideal for criminals. The technology supports strong encryption and a range of high security features that, along with its openness, have boosted its appeal in a post-Snowden age.
Jabber was created in 1999 and has had millions of users for well over a decade. Starting in 2013, however, adoption rose strongly as the world became more acutely aware of the mass hacking and surveillance employed around the net. In Russia, users finally began to drop ICQ, the 1996-era instant messenger that dominated the country’s online communications for nearly two decades, in favor of the superior security offered by Jabber. It’s no big deal there to download and securely use the messenger with off-the-record encryption.
For less-sophisticated cybercriminals — especially in developing countries where police have limited technology — Microsoft’s communications app Skype is often enough. But even in places where Skype dominates cybercrime communities, Jabber has made inroads, with more sophisticated hackers integrating it into Skype.
Jabber’s federation means that anyone can open a server and run it as they see fit. That’s enormously attractive to criminals worried about companies cooperating closely with governments, especially in the United States. And some Jabber servers are set up specifically to cater to criminals.
Pyotr Levashov, the recently arrested alleged mastermind behind the Kelihos botnet, is typical of high-powered Russian-language users. To run his global business, Levashov operated an encrypted off-the-record Jabber server and account.
Most hackers don’t run their own Jabber servers, however, and instead rely on servers run by others. Among the underground faithful, it’s widely assumed that the Exploit.im Jabber server is a prime target of law enforcement.
Exploit.im is run by the community at Exploit.in, a semi-exclusive Russian-language cybercrime forum with a long-established pedigree of relative trust and authenticity. Joining the community requires a certain level of vetting or payment. An Exploit.im account, afforded only to approved members, is effectively a certification of prestige and confidence for its several thousand users. On top of all that, the server’s administrators promise users no logging, strong privacy and reliable service.
If you can manage to get an account, it’s a hacker’s dream.