Searching Images on Underground Forums | Intel471

Mar 05, 2023

Intel 471 collects intelligence from a variety of sources, including marketplaces, forums and instant messaging platforms. An important aspect of intelligence collection is not only what threat actors and cybercriminals are saying to one another, but also what they’re showing one another with images. We’re pleased to announce the release of Images, which is an image collection and search feature for the TITAN intelligence platform.

Images that are collected are processed using Optical Character Recognition (OCR) to extract text. Images will also be scanned for company logos, which will allow the holders of those brands to know when threat actors are using their marks on underground forums.

Images can be searched in several ways within TITAN. A free text search returns any results containing user-specified text that has been extracted by OCR. Users can also search within the images library for a specific text phrase or logo. It’s also possible to search by an image’s hash to check if an existing image is being shared by others in the underground. Finally, users can set up “watchers” – queries with specific search terms – and receive email notifications when matching material is collected. The OCR function, which recognizes handwriting, supports the following languages: Arabic, Farsi, French, German, Hebrew, Italian, Mandarin, Polish, Portuguese, Romanian, Russian, Spanish, Turkish and Ukrainian.

Images can be searched in the TITAN intelligence platform by free text or logo.

Collecting images from underground forums and chats poses challenges because not every image is safe for work. However, Intel 471 has developed an extensive process to filter out objectionable material. Images will only be turned on for customers who explicitly request to use this functionality. Before an individual user can use Images, they must accept a pop-up in TITAN with the terms and conditions. This confirms that they understand and accept the potential risks. Every image in TITAN has a button that lets users flag those that are concerning for moderation. Flagging an image has the effect of immediately blocking it for all TITAN users while it is under review by a moderator.

The image collection capability will satisfy many use cases. For example, in the U.S., there’s a thriving trade in stolen and counterfeit checks. Threat actors often advertise the checks with photographs. OCR can extract the relevant information from those checks, such as the paying entity, allowing fraud teams to launch investigations and take mitigation steps. The logo recognition feature can allow companies to monitor their brand image.

An example of a check recently offered for sale by a threat actor. Although this image is redacted, OCR captured all elements of the check, including the cursive writing.

Aside from text, the OCR can also pull other data points out of images, such as bitcoin addresses, which are extremely useful in cybercriminal investigations ranging from fraud to ransomware. Images can also augment other use cases, such as deep investigations into threat actor groups, particularly when their chat channels may have been deleted.

For questions and comments on Images, existing Intel 471 customers can reach out to their dedicated Collection Manager or Customer Engagement representative. For general inquiries about Intel 471, please contact us here.