Why Russian Cybercrime Markets Are ThrivingBetter Services + Declining Prices = Hot Marketplace
The prices for stolen payment card data and other cybercrime products and services on Russian underground forums continue to fall. But such marketplaces are thriving more than ever, in part, because they help attackers quickly and affordably organize their efforts.
Those findings are included in a new report, Russian Underground 2.0, written by Max Goncharov, a threat researcher at the security firm Trend Micro. He notes that while the price of many cybercrime goods and services continues to fall - due to a glut of what is on offer - the lower prices, as well as increased automation and reliability, make it easier than ever for fraudsters to profit from cybercrime.
"The barriers to underground market entry [are] lower than ever. Anyone who's interested in launching a cybercrime business can find partners and required tools online,' Goncharov says. At the same time, the cybercrime marketplace appears to be growing more professionalized via "largely automated sales processes and significant division of labor," he says. "The level of optimization resembles that of a legitimate business having undergone strategy consulting."
Want to purchase verified payment card data or Social Security numbers? Scans of passports or national identity cards? Credentials to online gaming sites found on malware-infected computers? Multiple sites offer these - and they appear to be well-trafficked, according to the new report.
In fact, Trend Micro says it has cataloged 78 underground Russian forums - of which 50 are active, and about 20 quite active. And each may have 20,000 to hundreds of thousands of registered users. Such forums offer, by Trend Micro's count, 38 types of cybercrime goods and services that include anonymizing VPNs, distributed denial-of-service attack attack services, spam and command-and-control services, Trojan malware, rootkits, social engineering services and ransomware.
"What you're seeing is not only the distribution of a myriad of new services, but you're seeing greater operational security paid to the forums themselves," says Tom Kellerman, vice president of cybersecurity at Trend Micro.
Responding to the report's findings, Bryan Jardine, vice president of U.S. operations and product management for anti-fraud firm Easy Solutions, says that while he cannot verify the metrics in the report, he finds its assessment of the state of the Russian underground quite accurate. He adds that many of these forums are also quite well secured. "It is sort of ironic that the bad guys seem to take security more seriously than many banks."
Money Laundering, As a Service
Cybercrime marketplaces continue to grow more automated and sophisticated. In the wake of the 2013 Target breach, for example, numerous security experts noted that stolen payment card data was being sold in batches on underground "carder" sites - such as Rescator - that allowed buyers to automatically check the validity of the card data being offered and get automatic refunds based on the percentage of cards that no longer appeared to be valid (see Banks Reacting Faster to Card Breaches).
Since then, underground forums have continued to evolve, in some cases restricting access to small numbers of pre-selected members - to help preserve customers' anonymity, as well as disguise where cards were obtained - as well as providing a bigger range of services.
In the past, for example, Goncharov says that to launder stolen card data, criminals often worked with "droppers" who would use stolen card data to purchase and sell physical goods, and then keep part of the profits. Now, however, dropper services are increasingly using stolen card data to buy and sell not physical goods, but such things as airline tickets or hotel reservations (see Airport Raids Target Fraudsters). In this scenario, a criminal might offer their peers - or consumers - a discount, for example charging $300 for a ticket worth $600. Because the goods have been paid for with stolen cards, whatever the criminal's "customer" pays, the criminal sees as a profit. "In effect, [the criminal] not only saves time but also effort in laundering money," Goncharov says.
Other significant changes, he says, include these new or updated services:
- Router exploitation: Criminals are increasingly infecting home routers to disguise their attack traffic via proxies, store stolen data, or handle rerouted domain name system traffic.
- Automated shell script uploading: Attackers find vulnerable servers and upload shell access tools, or iFrame attack capabilities, which allow attackers to display part of their site in an otherwise legitimate site, for example, to launch drive-by attacks.
- Professional translation services: To create more credible-looking spam or spear-phishing emails, some service providers will ensure attackers' text reads as if written by a native speaker.
- Fake identity approval call-receiving services: Such services pretend to be the legitimate cardholder when banks or online-payment service providers make "identity check" calls before authorizing a transaction or money transfer.
- Drop-as-a-service providers: "Drop controllers" can command between 10 and 10,000 droppers who will use stolen card data to buy and sell goods.
- Logs for sale: Data obtained from malware-infected services may be sold in 1GB logs, which criminals buy in the hope of finding passwords and credit card data.
Easy Solution's Jardine says his firm has likewise been seeing many of the trends and new services highlighted in the report. "The list of categories represents and validates a lot of what we are [seeing] as well - the 'hardened' hosting sites, social engineering, cards, malware, shells, RATs, and more mobile-focused attacks such as SMS, mobile fraud, [Android] APK, etc., are all heading in the direction we anticipate fraud to go."
Beyond Profits: Hacktivism
But not everything in the cybercrime underground revolves around profit.
"Between 2014 and 2015, we came across a number of groups that operate in the cyber-realm not for entrepreneurial purposes but in pursuit of political causes," Goncharov says. "Hacktivism used to be a means for the hacking community, with more or less liberal political ideas, to gain attention in cyberspace. We are increasingly observing hackers' partisanship with official authorities like nation-states or separatist groups in real political conflicts."
While some hacktivist activities may be organized on underground forums, he says it remains difficult to tell who is funding these "self-proclaimed 'cyberwarriors' or 'cyber armies,'" noting that the only connection may be the hacker's professed affiliation to a cause, rather than their own citizenship, place of residence or religion.
Mostly Carte-Blanche Hacking
Many security experts have long said that Russian authorities continue to look the other way when it comes to cybercrime, so long as criminals abstain from attacking Russian targets, and perhaps agree to occasionally assist the state's security services with their hacking-related requirements.
To date, Russia has also never extradited a hacker charged with operating on Russian soil (see How Do We Catch Cybercrime Kingpins?). And for cybercrime-as-a-service buyers and sellers, that relative carte blanche helped build, and continues to sustain, a thriving free-market underground that specializes in the buying and selling of related products and services.