Imagine checking your bank account and finding that $5,000 had been transferred to someone you’d never heard of. That recently happened to a friend of mine who logged on at work to find a massive hole in her account balance. I encouraged her to report it to the bank, and we started investigating.
Later that day, we discovered that another woman had been duped into accepting the stolen money. She’d met some people in a Russian chat room who said they’d give her 500 euros to transfer the money into accounts in Turkey and Russia…
You won’t be surprised to know that there’s a thriving underground economy online, a place where tools and techniques are advertised and sold — even given away — and where stolen data is laundered to facilitate online crime. What might surprise you is how many of these underground economies there are and how well-established they have become.
This is a sophisticated and highly profitable global industry. In 2016, ransomware alone generated more than $1 billion in profit for criminals. The FBI is now calling “business email compromise,” where scammers intercept suppliers and payment transfers, the $5 billion scam.
With the wide availability of the Tor network and other dark web services, which offer extra layers of anonymity to website hosts and their visitors, a large amount of online criminal activity has moved into the dark web. Mutual trust is a rare commodity among criminals, so these marketplaces rely on a system of vouching: New members are introduced through an existing member, who is rated for accuracy and, ironically, trustworthiness of whatever data or services they are selling.
Law enforcement focuses on these criminal watering holes. Recently, two of the largest criminal marketplaces, AlphaBay and Hansa, were taken down in a globally coordinated activity involving the FBI, the DEA, Europol’s EC3, and the Dutch National High Tech Crime Unit. Estimates for the size of these two businesses are as high as 350,000 commodities, including drugs, firearms, and malware.
Russia: The Original Underground
The Russian underground market was the first to offer crimeware to cybercriminals. Established back in 2004, it continues to evolve and thrive despite the evident drop in market prices as competition has grown.
Born out of forums where cybercriminals anonymously swapped tips and tricks, these communities quickly evolved into full-blown marketplaces as budding criminals joined to offer products and, more recently, services.
The Russian online underground is characterized by very high levels of specialization. Some groups offer malware, such as remote access Trojans (RATs) or ransomware, charging between $100 and $500.
Another may focus solely on “crypting services” designed to render malware undetectable by security software. These cost around $10 for a basic crypter or $60 for more advanced polymorphic services.
A made-to-order distributed denial of service (DDoS) attack, where a target is bombarded with requests until the server collapses, starts at just $2 per hour, compared to the average $2.5 million cost to the victim. Faced with this level of cleanup cost, the obscene asymmetry between attackers and defenders becomes painfully clear.
Criminal VPNs are priced roughly the same as legal VPNs and hosting services. The marketplaces also offer so-called bulletproof hosting, which ignores legitimate requests to remove criminal content, from child abuse material to copyright infringement.
Traffic direction systems (TDS), which artificially boost traffic to websites, start at $150 per 1,000 installations of whatever malicious software the criminal is actively pushing.
These kinds of traffic-boosting services have evolved into a cornerstone of the Russian online criminal marketplace. By buying artificial traffic, criminals make it look like their websites have more visitors, which in turn improves their ranking on search engines, so their malicious sites appear higher in search results, attracting more visitors and potential victims. Traffic can be sorted and redirected according to a wide array of identifiers — geography, language, subject, or browser — allowing the attackers to accurately and efficiently target the exploits and malicious payloads they deliver.
And marketplaces also offer more traditional criminal handicrafts, including passport scans for a dollar apiece; stolen credit cards for $1 to $5, depending on the source (U.S. cards are the cheapest, indicating the glut of card details on the market); and hacked accounts from popular email and social media services.
There’s a Market Near You
Thriving criminal marketplaces across Germany, France, Brazil, Japan, North America, and China all offer a similar range of goods and services, but with some distinct regional characteristics.
Escrow services, which allow proven marketplace members to vouch for new members, are known as treuhand in Germany. The preferred currency of sellers has been bitcoin, although some ask for vouchers or online gift cards, because they believe this adds another layer of anonymity to the transaction. German criminals have taken advantage of an efficient national parcel delivery system, delivering illicit goods, or goods paid for with stolen cards, through Germany’s legal packstation network (essentially a mailbox service offered by firms such as DHL) registered using a fake ID.
Compared to other underground communities, the cybercriminal underground in North America isn’t as hidden or exclusive. Cybercriminal operations are treated like regular businesses, and sites, forums, and marketplaces are easy to access. In effect, the North American underground is more like a glass tank where business goes on in full view of both cybercriminals and law enforcement, making it unique compared to the dark mazes and solid walls put up to hide cybercriminal communities in other regions.
The FBI is particularly active in cybercrime law enforcement and often acts in partnership with other national agencies, such as the UK’s National Crime Agency, Interpol, Europol, or the Dutch National High Tech Crime Unit, for effective prosecution of the typically cross-border offenses.
China’s cybercrime economy has been thriving for years. Traditional malware, services, and even mentorship are all on sale, but the market is uniquely skewed toward mobile and hardware services such as point-of-sale (PoS) card devices or ATM skimmers designed to harvest credit card details for theft or resale. Some modified skimmers will now even intercept PINs as they are entered on the card device — and will immediately text the PIN to the criminal.
In Japan, meanwhile, the underground is younger but still enjoying rapid growth. Brazil has long been the “spiritual home” of banking malware, software designed to steal online banking credentials and payment card details or to lurk in your browser and intercept and modify your otherwise legitimate online banking transactions. The Middle Eastern and North African underground mixes ideology and online crime with a sense of shared “brotherhood” in the enterprise.
In France, the underground operates under a shroud of suspicion and distrust, with every criminal forum featuring a “hall of shame,” and forum admins jealously guarding their members from participating in other communities. Not much honor among thieves after all.
Make no mistake, the threat actors inhabiting these forums are as established and experienced as many of the legitimate businesses you encounter every day and are just as determined to make a profit.
Global law enforcement and the private-sector security industry continue to cooperate, sharing intelligence and crucial expertise and actively taking the fight to the bad guys. Where online criminals once felt they could operate with impunity, the number and scale of enforcement actions and arrests continue to grow year after year through effective cooperation.
And the mule from my earlier story? She had been persuaded — by her friend in the chat room — to give them her son’s bank account details. The morning after the transfer, they called her every 10 minutes, prompting her to send the money on. She had to pull her son out of school and take him to the bank — by which time the victim had reported the theft and the bank refused to forward the money. The Russians were still calling, even while she was at the bank.
She then went to the police, feeling worried, shaken, and rather ashamed of her naivety in being dragged into a scam by organized criminals. My friend, meanwhile, was left with no access to her cash and no way to pay her bills until the investigation was complete.