
Playing in the Shadows: Remaining Stealthy in the Underground is Becoming Ever Simpler

Several years ago, fraudsters congregated in mega crime boards which boasted thousands of members in order to find partners and trade their goods. ShadowCrew, DarkMarket and CardersMarket were just a few of those boards, and they all ended badly – for the fraudsters. ShadowCrew was taken down in “Operation Firewall”. DarkMarket was turned into a sting site by the FBI and the fate of CardersMarket was sealed after the arrest of its founder, Max “iceman” Butler.

Since those days, the underground has changed. Driven by the fraudsters’ interest in maximizing profits, and catalyzed by the development of e-currency services that offered the ability to pay merchants automatically, à la PayPal, the underground moved away from the centralized trading hubs. Instead, many vendors set up their own stores outside of the forums, completely automated and open for business twenty-four seven.

While forums continue to be an important part of the underground today, providing important community aspects, more and more threads simply contain links to stores where the trading actually happens. In other words, today’s underground has become much more fragmented. While the catalyst of this trend was increased revenue and not extra security from the big bad law enforcement agencies, the underground’s fragmentation has implications in that regard as well. In today’s underground, it’s easier for fraudsters to remain stealthy, flying below the law enforcement radar. Let’s consider the following scenarios, in which we follow two fraudsters with the nicknames “Bob” and “Jason” (all characters appearing in this scenario are fictitious; any resemblance to real fraudsters, living or dead, is purely coincidental). Bob is into carding – obtaining stolen credit card numbers that were lifted from hacked merchants and using the cards to purchase items online. As Bob is no hacker, he turns to the underground to get his card numbers. In the old days, Bob would have to go to a crime board to meet up with some vendors. He’d have to talk to them and would be urged to leave feedback on the vendor’s page, thus letting the whole board know that he had purchased stolen cards. For protection, Bob connects to the board only through proxies. However, as previous arrests have shown, these do not always provide bulletproof protection.

Today, Bob doesn’t need to speak to anyone to obtain stolen cards. He logs into one of a staggering number of automated credit card stores, funds his account using e-currency, picks the cards he wants to purchase – and voilà! If he requires a proxy near the card holder’s physical location to make sure the transaction won’t be blocked, he just logs into a store that sells proxies. If he wants to test the validity of the cards he just purchased, he can use a credit card checking service that’s also available. We’ve even seen stores, although not all of them automated, that offer mule services, fake USPS labels and stolen online banking credentials. Everything a fraudster needs is available today outside of the forums and chat rooms. As underground forums become more like small gated communities to protect their members, many buyers have already moved to purchasing items from these independent stores, without the need to post even one message in the forums they still have access to. In case Bob’s favorite store is taken down, he can simply move to one of the many alternatives. Since payment is always up front, he doesn’t need to prove his worth and build a reputation for himself – he can use a different pseudonym for each store, making his tracks harder to follow.

The fraudster “Jason”, on the other hand, isn’t interested in buying – he’s interested in selling. Jason is a script kiddie, following tutorials he found online to gain administrator access to small online merchants that use outdated shopping cart software with known exploits. Once he gains access, he siphons all the credit card data that appears in the merchant’s orders log, for the purpose of selling it in the underground. In the old days, he’d have to send samples to the moderators of the forums where he was interested in becoming a vendor. Only if he passed their review of his wares would he be allowed to vend, chatting with various interested clients on ICQ and receiving public feedback on his services. Today, he can approach one of the operators of credit card stores, use a dedicated vendor’s panel to upload the stolen cards to the store – where they will immediately be offered for sale – and wait for a percentage of the profits to be transferred automatically into his account. Alternatively, he can obtain the script for a credit card store platform, buy a domain and a hosting plan from a bulletproof service, and start vending. Jason’s store doesn’t have a minimum amount that can be loaded to the buyer’s account using e-currency. The reason is simple – it allows buyers to purchase one or two sample cards to test their validity. Thus, the need for a long-standing reputation decreases. Still, there will always be those who post feedback in the forum threads where the link to the store appears, enough to get business going and build a regular customer base.

The real risk is in the store being shut down, but as it contains no information that can link it to Jason, other than an ICQ number provided for support, the risk of apprehension is lower. Jason can simply take his backed-up database and script and open up shop somewhere else.

Vendor-specific websites have always existed. However, years ago they were only “fronts” – advertising vendors’ services along with their contact information – and not real stores. As the legitimate and reputable vendors traded in the forums, the “front” websites were almost always used by those who couldn’t vend in the forums: fake vendors who ripped off other fraudsters.

Vendors, and to a lesser extent buyers, had to build a reputation for themselves if they wanted to trade in the underground communities, and had to do so in a very public way within the community. The new order of the underground economy, where automated stores vend products while their owners don’t even have to be near a computer at the time, has proved not only more profitable – but also more secure.

ShadowCrew’s tagline was “For Those Who Like to Play in the Shadows”. Today, fraudsters have even more capabilities to do just that.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Through his work at the Anti-Fraud Command Center, as well as the unique insight gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise in the underground fraud economy and how cybercriminals operate.