
Localization in the Underground: When Fraudsters from the Same Locale Get Together

Cooperation in the Underground Economy

One of the great dangers in the underground economy is that it acts as a catalyst for fraud. A fraudster in Russia who masters the art of phishing can team up with another fraudster who already has the infrastructure of cashing out compromised online banking accounts of US banks. This now enables him to turn a profit from targeting phishing attacks against US banks. Yet, while the underground does provide fraudsters the ability to go global, it is interesting to note that there are certain characteristics to fraudsters from the same countries (or more accurately – to communities of fraudsters from the same country). Everybody knows that the Russian fraudsters are more sophisticated than their English-speaking counterparts. However, this isn’t the only geographic-related difference between fraudsters.

Take Romanian fraudsters for example. While the world of fraud is vast and there are opportunities aplenty, Romanian fraudsters mostly focus on ATM fraud. In the past, some US-based banks didn’t check for any CVV mismatch. Not to be confused with CVV2, the CVV is a three-digit value within a card’s magnetic stripe. The idea is that as the card holders don’t know their CVV values, they wouldn’t be able to provide it to the fraudster if asked. Without the CVV, fraudsters could clone cards simply based on information that could be requested from the card holder by means of phishing and cash them out at the ATM – and when the banks didn’t check this value during transactions, that is exactly what they did. In many, if not most, of the cases encountered where fraudsters used this “loophole,” the ATM fraud originated from Romania. The news of these “loopholes” was shared among various Romanian fraudsters, but to other members of the communities, they told a different story. They invented a story that they had special “algos” that allowed them to exploit the cards – them and no one else – urging other fraudsters to work with them for a 50% cut.
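The control the paragraph above describes, as an added example that is not part of the original column and not RSA's or any bank's code: a toy issuer-side authorization that verifies the magnetic-stripe CVV against the value the issuer expects, run once with the check enabled and once with it disabled. The real CVV is derived from the PAN, expiry and service code under the issuer's card verification key with a DES-based algorithm; the HMAC-SHA256 stand-in, the demo key, the simplified Track 2 layout, the PAN and the service code below are all constructed for this illustration. A card written only from data a cardholder could be phished for (PAN, expiry, service code) carries nothing in the CVV field, which is why the check alone is enough to stop it.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo key; a real issuer keeps the card verification key in an HSM.
ISSUER_CVK = b"demo-card-verification-key"


def compute_cvv1(pan: str, expiry_yymm: str, service_code: str) -> str:
    """Issuer-side CVV derivation. Stand-in: keyed HMAC truncated to three digits
    (the real scheme is DES-based, but the verification logic is the same)."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    mac = hmac.new(ISSUER_CVK, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1000:03d}"


def build_track2(pan: str, expiry_yymm: str, service_code: str, cvv1: str = "") -> str:
    """Simplified Track 2: PAN '=' YYMM service-code discretionary-data(CVV)."""
    return f"{pan}={expiry_yymm}{service_code}{cvv1}"


def parse_track2(track2: str) -> dict:
    pan, rest = track2.split("=", 1)
    return {"pan": pan, "expiry": rest[:4], "service_code": rest[4:7], "cvv1": rest[7:10]}


@dataclass
class Account:
    pan: str
    expiry: str
    balance: int


def authorize(track2: str, amount: int, accounts: dict, check_cvv: bool) -> str:
    """Authorize an ATM withdrawal. check_cvv=False reproduces the 'loophole'
    configuration the column describes; check_cvv=True is the corrected one."""
    t = parse_track2(track2)
    acct = accounts.get(t["pan"])
    if acct is None or acct.expiry != t["expiry"]:
        return "DECLINE_INVALID_CARD"
    expected = compute_cvv1(t["pan"], t["expiry"], t["service_code"])
    # compare_digest on the stripe value; an empty field never matches.
    if check_cvv and not hmac.compare_digest(t["cvv1"], expected):
        return "DECLINE_CVV_MISMATCH"
    if amount > acct.balance:
        return "DECLINE_INSUFFICIENT_FUNDS"
    acct.balance -= amount
    return "APPROVE"


def demo() -> dict:
    pan, expiry, service_code = "4000000000000002", "2712", "201"  # constructed
    genuine = build_track2(pan, expiry, service_code, compute_cvv1(pan, expiry, service_code))
    # Stripe written from phished data only: the CVV field stays empty.
    phished_copy = build_track2(pan, expiry, service_code)

    def fresh_accounts():
        return {pan: Account(pan, expiry, balance=500)}

    return {
        "genuine_checked": authorize(genuine, 100, fresh_accounts(), check_cvv=True),
        "copy_checked": authorize(phished_copy, 100, fresh_accounts(), check_cvv=True),
        "copy_unchecked": authorize(phished_copy, 100, fresh_accounts(), check_cvv=False),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

The only difference between the two declines and the one wrongful approval is the `check_cvv` flag; the phished copy is otherwise indistinguishable from the genuine card at the PAN and expiry level, which is the whole reason the stripe value exists.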

While many Romanian fraudsters shared the same M.O., the Germans built their own underground communities, much like the Russians. Unlike the English- or Russian-speaking underground, the Germans focus mainly on targeting German citizens. They focus on trading with German credit cards and use special mail-reception units available in Germany as “item drops” (an address which can receive items bought with stolen cards). The German underground also has a huge focus on narcotics, with multiple vendors and websites offering to sell various types of drugs to other members of the communities – something that doesn’t exist in any of the other communities. Interestingly, some German anti-carding hacker groups such as “The Happy Ninjas” focus on German forums, mostly ignoring Russian and English forums of the same type.

Fraudsters are also susceptible to prejudice based on their origin. Many fraudsters would not conduct any business with Nigerians, as many of them used to rip off other fraudsters and beg for credit cards. Even though some Nigerians are extremely prolific in their craft, their origin alone may already be a deterrent for many members of the underground.

The era after the DarkMarket and CardersMarket busts is quite different from the era which preceded it. As mega-boards become a rare breed in the underground (as they usually have a bullseye on their back from international law enforcement), new forums that pop up need to distinguish themselves from the rest. Focusing on fraudsters who speak certain languages or are from certain geographies is one way to do so. Going forward, we may see the underground becoming ever more segregated, with different resources catering to different niches. In such a scenario, you can expect more “local” communities popping up, with unique traits and customs of their own.

Related Column: Where do Fraudsters Learn About New Attacks? From the Good Guys.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Between his work at the Anti-Fraud Command Center, as well as the unique insight he has gained by the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise into the underground fraud economy and how cybercriminals operate.