Playing in the Shadows: Remaining Stealthy in the Underground is Becoming Ever Simpler

Several years ago, fraudsters congregated in mega crime boards which boasted thousands of members in order to find partners and trade their goods. ShadowCrew, DarkMarket and CardersMarket were just a few of those boards, and they all ended badly – for the fraudsters. ShadowCrew was taken down in “Operation Firewall”. DarkMarket was turned into a sting site by the FBI and the fate of CardersMarket was sealed after the arrest of its founder, Max “iceman” Butler.

Ever since those days, the underground has changed. Driven by the fraudsters’ interest in maximizing profits and catalyzed by the development of e-currency services, which offered the ability to automatically pay merchants à la PayPal, the underground moved away from the centralized trading hubs. Instead, many vendors set up their own stores outside of the forums, completely automated and open for business twenty-four seven.

While forums continue to be an important part of the underground today, providing important community aspects, more and more threads actually contain links to stores where the trading really happens. In other words, today’s underground has become much more fragmented. While the catalyst of this trend was increased revenue and not extra security from the big bad law enforcement agencies, the underground’s fragmentation also has implications in that regard. In today’s underground, it’s easier for fraudsters to remain stealthy, flying below the law enforcement radar.

Let’s consider the following scenarios, in which we follow two fraudsters with the nicknames “Bob” and “Jason” (all characters appearing in this scenario are fictitious; any resemblance to real fraudsters, living or dead, is purely coincidental).

Bob is into carding – obtaining stolen credit card numbers that were lifted from hacked merchants and using the cards to purchase items online. As Bob is no hacker, he turns to the underground to get his card numbers. In the old days, Bob would have had to go to a crime board to meet up with some vendors. He’d have to talk to them and would be urged to leave feedback on the vendor’s page, thus letting the whole board know that he had purchased stolen cards. For protection, Bob connects to the board only through proxies. However, as previous arrests have shown, these do not always provide bulletproof protection.

Today, Bob doesn’t need to speak to anyone to obtain stolen cards. He logs into one of a staggering number of automated credit card stores, funds his account using e-currency, picks the cards he wants to purchase – and voilà! If he requires a proxy near the card holder’s physical location to make sure the transaction won’t be blocked, he just logs into a store that sells proxies. If he wants to test the validity of the cards he just purchased, he can use a credit card checking service that’s also available. We’ve even seen stores, although not all of them automated, that offer mule services, fake USPS labels and stolen online banking credentials. Everything a fraudster needs is available today outside of the forums and chat rooms. As underground forums become more like small gated communities to protect their members, many buyers have already moved to purchasing items from these independent stores, without needing to post even one message in the forums they still have access to. In case Bob’s favorite store is taken down, he can simply move to one of the many alternatives. Since payment is always up front, he doesn’t need to prove his worth and build a reputation for himself – he can use a different pseudonym for each store, making his tracks harder to follow.

The fraudster “Jason”, on the other hand, isn’t interested in buying – he’s interested in selling. Jason is a script kiddie, following tutorials he found online to gain administrator access to small online merchants that use outdated shopping cart software with known exploits. Once he gains access, he siphons all the credit card data that appears in the merchant’s order log, for the purpose of selling it in the underground. In the old days, he’d have had to send samples to the moderators of the forums where he wanted to become a vendor. Only if he passed their review of his wares would he be allowed to vend, chatting with various interested clients on ICQ and receiving public feedback on his services. Today, he can approach one of the operators of a credit card store and use a dedicated vendor’s panel to upload the stolen cards to the store – where they will immediately be offered for sale – and wait for a percentage of the profits to be transferred automatically into his account. Alternatively, he can obtain the script for a credit card store platform, buy a domain and a hosting plan on a bulletproof service and start vending. Jason’s store doesn’t have a minimum amount that must be loaded to the buyer’s account using e-currency. The reason is simple – to allow buyers to purchase one or two sample cards to test their validity. Thus, the need for a long-standing reputation decreases. Even so, there will always be those who post feedback in the forum threads where the link to the store appears, enough to get business going and build a regular customer base.

The real risk is in the store being shut down, but as it contains no information that can link it to Jason, other than an ICQ number provided for support, the risk of apprehension is lower. Jason can simply take his backed-up database and script and open up shop somewhere else.

Vendor-specific websites always existed. However, years ago they were only “fronts” – advertising vendors’ services along with their contact information – and not real stores. As the legitimate and reputable vendors traded in the forums, the “front” websites were almost always used by those who couldn’t vend in the forums. These were fake vendors who ripped off other fraudsters.

Mainly vendors, but also buyers, had to build a reputation for themselves if they wanted to trade in the underground communities, and do so in a very public way within the community. The new order of the underground economy, where automated stores vend products while their owners don’t even have to be near the computer at the time, proved not only to be profitable – but also more secure.

ShadowCrew’s tagline was “For Those Who Like to Play in the Shadows”. Today, fraudsters have even more capabilities to do just that.
