Security Experts:

Living Under Watchful Eyes as a Fraudster

Fraudsters Know That When There’s a Chance Someone is Watching, Loose Talk Can Cost Cash.

The fallout from the news of the Global Payments breach may be just subsiding, but one thing can already be said – this probably isn’t the last processor that will be breached. It can be said because Global Payments isn’t the first one to be breached, either. Other processors - large processors - have already been victimized by sophisticated attackers interested in looting the coveted data that was stored within their corporate networks. Processors are not the only ones getting hacked for the purpose of obtaining payment card data; merchants are getting breached, as well. Whenever one of these breaches goes public, the estimations in most cases are that the compromised data will find its way to the underground economy – sold by vendors through the forums or dedicated credit card stores. This often begs the question from our customers whether there’s any underground chatter that would link a certain credit card vendor to the breach. Our answer is usually the same.

Fraudsters know that they are being monitored by various organizations. They read Krebs’ blog, which often contains posts from the underground, they follow Dancho Danchev as he exposes specific underground resources, and some of them are probably avid readers of SecurityWeek as well! Add to that the fact that law enforcement has the tendency of shutting down forums, and from time to time even take them over, and they don’t have to be double-O-seven to realize that they are being watched.

Not only that, but fraudsters claim to one another that whatever is caught by the watchful eyes of white hats and law enforcement would immediately lead to action. As one fraudster noted, once a vulnerability (in a bank’s process) becomes public knowledge and is posted for everyone to see, it will no longer work soon afterwards. This belief has led those who participate in the public channels of the underground to be more guarded. If in the past fraudsters posted highly detailed tutorials on how to defraud specific banks, now the only tutorials that can be found are extremely generic instructions for conducting fraud. Whenever a newbie fraudster posts a statement or a question about a vulnerability, it would be deleted by the administrator the moment he sees it, in hopes to maintain the usability of the technique.

For the same reason fraudsters would never intentionally disclose the sources of the goods and services they offer. Whether these are credit cards from a large breach, cards from a small hacked merchant or SSN lookup services that piggyback legitimate online services, fraudsters would not reveal their sources. In some cases, fraudsters don’t only keep this secrecy to protect themselves from white hats, but from their peers as well.  If fraudsters knew about the legitimate services used by certain fraud vendors, they wouldn’t need the vendors anymore – they would just go to the source. 

Other measures taken by fraudsters to protect their communication channels are also used to keep out other types of persona non grata, such as rippers. These include closing down the websites to new members, unless they are vouched for by fraudsters whose legitimacy has already been proven. Even requiring a registration fee is enough to weed out many researchers-bloggers-reporters and law enforcement agents.

The chances that fraudsters would openly discuss the source of a certain batch of credit cards that is offered for sale in the underground are slim. Fraudsters know that they are watched and while some chatter may exist in closed circles, they know that when there’s a chance that someone is watching – loose talk can cost cash.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.