
Localization in the Underground: When Fraudsters from the Same Locale Get Together

Cooperation in the Underground Economy

One of the great dangers in the underground economy is that it acts as a catalyst for fraud. A fraudster in Russia who masters the art of phishing can team up with another fraudster who already has the infrastructure for cashing out compromised online banking accounts of US banks. This now enables him to turn a profit from targeting phishing attacks against US banks. Yet, while the underground does give fraudsters the ability to go global, it is interesting to note that fraudsters from the same country (or, more accurately, communities of fraudsters from the same country) share certain characteristics. Everybody knows that the Russian fraudsters are more sophisticated than their English-speaking counterparts. However, this isn’t the only geography-related difference between fraudsters.

Take Romanian fraudsters for example. While the world of fraud is vast and there are opportunities-a-plenty, Romanian fraudsters mostly focus on ATM fraud. In the past, some US-based banks didn’t check for any CVV mismatch. Not to be confused with CVV2, the CVV is a three-digit value within a card’s magnetic stripe. The idea is that as the card holders don’t know their CVV values, they wouldn’t be able to provide them to the fraudster if asked. Without the CVV, fraudsters could clone cards simply based on information that could be requested from the card holder by means of phishing and cash them out at the ATM – and when the banks didn’t check this value during transactions, that is exactly what they did. In many, if not most, of the cases encountered of fraudsters using this “loophole,” the ATM fraud originated from Romania. The news of these “loopholes” was shared among various Romanian fraudsters, but to other members of the communities, they told a different story. They invented a story that they had special “algos” that allowed them to exploit the cards – them and no one else – urging other fraudsters to work with them for a 50% cut.

While many Romanian fraudsters shared the same M.O., the Germans built their own underground communities, much like the Russians. Unlike the English- or Russian-speaking underground, the Germans focus mainly on targeting German citizens. They focus on trading German credit cards and use special mail-reception units available in Germany as “item drops” (addresses which can receive items bought with stolen cards). The German underground also has a huge focus on narcotics, with multiple vendors and websites offering to sell various types of drugs to other members of the communities – something that doesn’t exist in any of the other communities. Interestingly, some German anti-carding hacker groups such as “The Happy Ninjas” focus on German forums, mostly ignoring Russian and English forums of the same type.

Fraudsters are also susceptible to prejudice based on their origin. Many fraudsters would not conduct any business with Nigerians, as many of them used to rip off other fraudsters and beg for credit cards. Even though some Nigerians are extremely prolific in their craft, their origin alone may already be a deterrent for many members of the underground.

The era after the DarkMarket and CardersMarket busts is quite different from the era which preceded it. As mega-boards become a rare breed in the underground (as they usually have a bullseye on their back from international law enforcement), new forums that pop up need to distinguish themselves from the rest. Focusing on fraudsters who speak certain languages or are from certain geographies is one way to do so. Going forward, we may see the underground becoming ever more segregated, with different resources catering to different niches. In such a scenario, you can expect more “local” communities popping up, with unique traits and customs of their own.

Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder. He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA, The Security Division of EMC.