{"id":20737,"date":"2022-12-07T15:22:21","date_gmt":"2022-12-07T23:22:21","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/07\/news-14470\/"},"modified":"2022-12-07T15:22:21","modified_gmt":"2022-12-07T23:22:21","slug":"news-14470","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/07\/news-14470\/","title":{"rendered":"The scammers who scam scammers on cybercrime forums: Part 1"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Wed, 07 Dec 2022 17:00:36 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>A scam lurks around every corner on criminal marketplaces. Way back in 2009, <a href=\"https:\/\/www.microsoft.com\/en-us\/research\/publication\/nobody-sells-gold-for-the-price-of-silver-dishonesty-uncertainty-and-the-underground-economy\/\">Microsoft pointed out that the underground economy was rife with dishonesty<\/a>, and in 2017, Digital Shadows reported on a database of \u2018rippers\u2019 (fraudsters who con criminals) created by marketplace users. In <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/08\/04\/genesis-brings-polish-to-stolen-credential-marketplaces\/\">our recent coverage of Genesis Market<\/a>, we noted at least one scammy imitation of Genesis, designed to separate na\u00efve would-be cybercriminals (and possibly inexperienced security researchers and journalists) from their money.<\/p>\n<p>But generally, the topic hasn\u2019t received much attention. After all, why should it? If scammers target criminals, so much the better, right? At least they\u2019re attacking each other, not organizations or the general public.<\/p>\n<p>We thought there might be more to it, so we spent a few weeks digging into scammers who scam scammers on three prominent cybercrime forums \u2013 research we don\u2019t think has been done before. And we found five surprising things.<\/p>\n<p><strong>1. 
It\u2019s big business \u2013 a sub-economy in itself.<\/strong> In the last 12 months, cybercriminals have lost over $2.5 million USD to scams, just on those three forums. In fact, it\u2019s such a long-standing and prominent problem that forum administrators have created dedicated \u2018arbitration rooms\u2019 for users to report scams, attacks, and rippers.<\/p>\n<p><strong>2. Money isn\u2019t the only motive, and it\u2019s not just lower-tier threat actors involved.<\/strong> Personal beefs, rivalries, and wanting to destroy (or sometimes enhance) reputations can all result in scams. And it\u2019s not just small-time crooks. We saw prominent threat actors either accused of scamming or falling victim to scams themselves.<\/p>\n<p><strong>3. The attacks go beyond the usual \u2018rip-and-run.\u2019<\/strong> We saw referral cons, fake data leaks and tools, typosquatting, phishing, \u2018alt rep\u2019 scams (the use of sockpuppets to artificially inflate reputation scores), fake guarantors, blackmail, impersonated accounts, and backdoored malware. We even found instances where threat actors got revenge by scamming the scammers who scammed them.<\/p>\n<p><strong>4. We found examples of long-term, large-scale fraud.<\/strong> One of the biggest surprises came when we dug into that imitation Genesis site. With some detective work, we uncovered nineteen other sites all created by the same person or group, all imitating criminal marketplaces, and all intended to trick users into forking over a $100 \u2018activation fee.\u2019 We don\u2019t know for sure who\u2019s behind all those sites, but we discovered tentative links to a drug vendor who operates on several dark web sites.<\/p>\n<p>So far, so <em>schadenfreude<\/em> \u2013 but the big question is still: who cares? Why does it matter if criminals attack each other? This is where things get really fascinating.<\/p>\n<p><strong>5. 
Scam reports are a rich, and underexplored, source of intelligence.<\/strong> Threat actors are aware that criminal forums are monitored, and so often employ good operational security. When they\u2019re victims of crime themselves \u2013 well, not so much. Because forum rules demand proof to support scam allegations, wronged threat actors will often happily post screenshots of private conversations and source code, identifiers, transactions, chat logs, and blow-by-blow accounts of negotiations, sales, and troubleshooting.<\/p>\n<p>This hidden sub-economy isn\u2019t just a curiosity. It gives us insights into forum culture; how threat actors buy and sell; their tactical and strategic priorities; their rivals and alliances; their susceptibility to deception \u2013 and specific, discrete intelligence about them.<\/p>\n<p>Over the next few weeks, we\u2019ll share the findings of our extended investigation into this topic &#8211; starting with an overview of the forums involved, how they deal with scams, who\u2019s scamming who, and the size of the sub-economy.<\/p>\n<p>You can also check out <a href=\"https:\/\/www.blackhat.com\/eu-22\/briefings\/schedule\/index.html#scammers-who-scam-scammers-hackers-who-hack-hackers-exploring-a-hidden-sub-economy-on-cybercrime-forums-and-marketplaces-28427\">our Black Hat talk<\/a> on this research.<\/p>\n<h2>Welcome to the jungle<\/h2>\n<p>To kick off our investigation, we examined scams on two of the oldest and most prominent Russian-language cybercrime forums, Exploit and XSS. 
We also included scams from BreachForums, the successor to RaidForums, which launched in April 2022.<\/p>\n<h3>The forums<\/h3>\n<p>Exploit is relatively exclusive, and is a popular marketplace for <a href=\"https:\/\/www.trendmicro.com\/vinfo\/pl\/security\/news\/cybercrime-and-digital-threats\/investigating-the-emerging-access-as-a-service-market\">Access-as-a-Service (AaaS) listings<\/a>, where <a href=\"https:\/\/news.sophos.com\/en-us\/tag\/iabs\/\">initial access brokers (IABs) sell access to compromised networks<\/a>. But threat actors buy and sell a lot of other illicit content there too \u2013 malware, data leaks, infostealer logs, credentials, and more. Historically, ransomware groups and affiliates frequented Exploit, although that became more covert after the Colonial Pipeline attack in 2021, when <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/ransomware-ads-now-also-banned-on-exploit-cybercrime-forum\/\">both Exploit and XSS publicly banned ransomware discussion to avoid negative attention<\/a>. Nowadays, ransomware affiliate recruitment continues on both forums, although it tends to be under the cover of euphemisms like \u2018pentesters.\u2019<\/p>\n<p>XSS, formerly known as DaMaGeLaBs, is also well-established, although membership is less exclusive than Exploit. It also hosts a lot of AaaS listings and various other content.<\/p>\n<p>Finally, BreachForums is the successor to RaidForums, a marketplace that ran for seven years <a href=\"https:\/\/www.bbc.co.uk\/news\/technology-61082144\">before it was seized by law enforcement earlier in 2022<\/a>. 
Like RaidForums, BreachForums is an English-language cybercrime forum and marketplace specializing in data leaks, including personal data, credit cards, credentials, and identity documents.<\/p>\n<p>All three sites have dedicated arbitration rooms \u2013 Exploit (with approximately 2500 reported scams) and XSS (with around 760) have had them since the mid-2000s, and BreachForums since its creation in April 2022. Other criminal marketplaces, such as Verified, have them too.<\/p>\n<p>In fact, Exploit has two rooms \u2013 one for open claims, and another, called the \u2018Black List,\u2019 which documents confirmed scam cases.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88489\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png\" alt=\"A screenshot from the Exploit forum showing two rooms: &quot;Arbitration&quot; and &quot;Black List&quot;\" width=\"1356\" height=\"287\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png 1326w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png?resize=300,64 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png?resize=768,163 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1.png?resize=1024,217 1024w\" sizes=\"auto, (max-width: 1356px) 100vw, 1356px\" \/><\/a><\/p>\n<p><em>Figure 1: Exploit&#8217;s arbitration section<\/em><\/p>\n<p>In addition to a dedicated arbitration room, XSS also maintains a long \u2018ripper list,\u2019 an index of scam sites.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88494\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png\" alt=\"A list of so-called 'ripper sites' - fake marketplaces - in a forum post\" width=\"1071\" height=\"606\" 
srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png 1251w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png?resize=300,170 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png?resize=768,435 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2.png?resize=1024,580 1024w\" sizes=\"auto, (max-width: 1071px) 100vw, 1071px\" \/><\/a><\/p>\n<p><em>Figure 2: XSS&#8217;s ripper list<\/em><\/p>\n<h3>An overview of scam statistics<\/h3>\n<p>We looked at all scam reports citing monetary amounts in the last 12 months. (With BreachForums we went back to the first recorded scam, as the forum hasn\u2019t been around that long.)<\/p>\n<p><em>Table 1: A summary of 12 months of scam reports (all amounts in USD)<\/em><\/p>\n<p>While this is only a snapshot, it does give us some useful insights. First, the total amount lost to scams (and remember, this only involves scam reports which mention specific amounts \u2013 some don\u2019t) is $2,538,945. That\u2019s a significant amount, bearing in mind it\u2019s on just three forums.<\/p>\n<p>Second, Exploit is the worst for scams, both in terms of numbers of reports and money lost to scammers. It does have around twice as many members as XSS, and may also attract more scammers because of its reputation.<\/p>\n<p>Third, the mean average amount reported as stolen is similar across all three forums, as is the range \u2013 which suggests that the scale of scams is consistent regardless of the forum.<\/p>\n<p>Victims have filed scam reports for as little as $2; threat actors seem to be as indignant about having their money stolen as anyone else, no matter the amount.<\/p>\n<p>At the higher end, scams on all three marketplaces go into six figures, although these are the exceptions. 
Many scams net relatively insignificant amounts.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88495\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3.png\" alt=\"A snapshot of forum threads showing claim amounts\" width=\"640\" height=\"799\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3.png 676w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3.png?resize=240,300 240w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 3: Low claim amounts in the XSS arbitration room<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88496\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4.png\" alt=\"A snapshot of threads showing claim amounts\" width=\"640\" height=\"591\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4.png 666w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4.png?resize=300,277 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Low claim amounts in the BreachForums arbitration room<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88497\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png\" alt=\"A long forum post detailing a scam involving the sale of an exploit\" width=\"974\" height=\"604\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png 1398w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png?resize=300,186 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png?resize=768,476 768w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5.png?resize=1024,635 1024w\" sizes=\"auto, (max-width: 974px) 100vw, 974px\" \/><\/a><\/p>\n<p><em>Figure 5: An example of a larger scam claim on Exploit ($130,000). Note the amount of detail in this scam claim, which includes information about negotiations and projects<\/em><\/p>\n<p>Before we examine the arbitration process, it\u2019s worth looking at why scams are so prevalent. Back in 2009, Microsoft argued that the underground cybercrime economy was not an \u201ceasy money criminal Utopia\u201d but a \u201clemon market,\u201d in which the presence of rippers effectively introduced a tax on every transaction.<\/p>\n<p>While times have changed, and cybercrime is more commoditized than it was, criminal marketplaces are still the perfect breeding ground for scammers and rippers. There\u2019s no recourse to law enforcement; it\u2019s a (semi) anonymous culture which emphasizes privacy; sites are exclusive enough that there\u2019s at least a degree of implicit trust; they\u2019re populated by criminals, who are arguably unlikely to consider themselves potential victims and may therefore be less wary of scams; it\u2019s an open market with no regulation or quality assurance; transactions are conducted with cryptocurrencies, which can be made effectively untraceable; and safeguards such as guarantors are optional (and, as we\u2019ll see in the next part of our series, can themselves be weaponized in the service of scams).<\/p>\n<h3>What are criminal marketplaces doing about scams?<\/h3>\n<p>The administrators of criminal forums are well aware that scams are a problem. 
In addition to arbitration rooms, most marketplaces have visible warnings about scammers, and advocate using guarantors (sometimes called \u2018middlemen\u2019 or \u2018middles\u2019) during sales \u2013 a form of escrow.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88498\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6.png\" alt=\"A warning about scams on the BreachForums homepage\" width=\"924\" height=\"182\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6.png 802w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6.png?resize=300,59 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6.png?resize=768,151 768w\" sizes=\"auto, (max-width: 924px) 100vw, 924px\" \/><\/a><\/p>\n<p><em>Figure 6: A warning about scams on the front page of BreachForums<\/em><\/p>\n<p>Other forums go further. Verified, for example, explicitly warns users about fake links to its forum, and advocates using a custom plugin to detect such scams:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88499\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png\" alt=\"A forum post in Russian which advises users to be wary of scams\" width=\"932\" height=\"150\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png 1466w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png?resize=300,48 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png?resize=768,124 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7.png?resize=1024,166 1024w\" sizes=\"auto, (max-width: 932px) 100vw, 932px\" \/><\/a><\/p>\n<p><em>Figure 7: Verified&#8217;s scam warning<\/em><\/p>\n<p>In a similar vein, BreachForums publishes a 
list of all its legitimate domains, as well as a monthly \u2018transparency report\u2019, to confirm that the site and related infrastructure remain under its control and have not been compromised (although this is probably also a precautionary measure because of <a href=\"https:\/\/arstechnica.com\/tech-policy\/2022\/04\/us-seizes-raidforums-the-go-to-site-for-hackers-selling-stolen-login-details\/\">what happened to RaidForums<\/a>):<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88500\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png\" alt=\"A forum post which tells users there will be a monthly transparency report \" width=\"941\" height=\"219\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png 1299w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png?resize=300,70 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png?resize=768,179 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8.png?resize=1024,239 1024w\" sizes=\"auto, (max-width: 941px) 100vw, 941px\" \/><\/a><\/p>\n<p><em>Figure 8: Details about BreachForums&#8217; monthly transparency report<\/em><\/p>\n<p>But arbitration rooms are the main method for dealing with scams. The process is relatively simple. Users who wish to report a scam must create a new thread, call out the user who allegedly scammed them, and provide as much detail as possible about the incident. 
BreachForums provides a template for this, whereas XSS simply lists the details needed.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88501\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png\" alt=\"A forum post which details what needs to be included in a scam report\" width=\"934\" height=\"318\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png 1204w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png?resize=300,102 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png?resize=768,262 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9.png?resize=1024,349 1024w\" sizes=\"auto, (max-width: 934px) 100vw, 934px\" \/><\/a><\/p>\n<p><em>Figure 9: The BreachForums scam report template<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88502\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10.png\" alt=\"A forum post in Russian which details the content needed in a scam report\" width=\"934\" height=\"197\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10.png 945w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10.png?resize=300,63 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10.png?resize=768,163 768w\" sizes=\"auto, (max-width: 934px) 100vw, 934px\" \/><\/a><\/p>\n<p><em>Figure 10: The data required in XSS scam reports: nick, link to profile, contact details, evidence (chat logs, screenshots, wallets, transfers), any additional information<\/em><\/p>\n<p>A moderator then reviews the report, asks for more information if needed, and tags the accused, giving them a deadline by which to respond (commonly 24 hours, but can be between 12 and 72 
hours).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88503\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png\" alt=\"A moderator responds to a scam report, in Russian\" width=\"897\" height=\"478\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png 1184w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png?resize=300,160 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png?resize=768,409 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11.png?resize=1024,545 1024w\" sizes=\"auto, (max-width: 897px) 100vw, 897px\" \/><\/a><\/p>\n<p><em>Figure 11: An Exploit moderator gives an accused scammer 24 hours to respond to an allegation<\/em><\/p>\n<p>The accused may accept the claim, in which case they make restitution to the victim. This is rare. More commonly, the accused disputes the claim (in which case the moderator arbitrates) or doesn\u2019t respond at all (in which case they may be temporarily or permanently banned from the forum).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88504\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png\" alt=\"Two users argue about a scam report\" width=\"962\" height=\"290\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png 1568w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png?resize=300,90 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png?resize=768,231 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png?resize=1024,308 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12.png?resize=1536,462 1536w\" sizes=\"auto, (max-width: 962px) 100vw, 962px\" 
\/><\/a><\/p>\n<p><em>Figure 12: A disputed claim on XSS relating to AaaS listings<\/em><\/p>\n<p>In disputed claims, the moderator may find for one party, or decide there is no case to answer due to a lack of evidence. In some cases, one or both parties will receive warnings, or temporary or permanent bans.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88505\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png\" alt=\"An administrator closes a scam report because of a lack of evidence\" width=\"919\" height=\"507\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png 1348w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png?resize=300,165 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png?resize=768,423 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13.png?resize=1024,564 1024w\" sizes=\"auto, (max-width: 919px) 100vw, 919px\" \/><\/a><\/p>\n<p><em>Figure 13: The BreachForums administrator closes a scam report due to lack of evidence<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88506\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png\" alt=\"Two users argue over a scam report\" width=\"921\" height=\"344\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png 1548w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png?resize=300,112 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png?resize=768,287 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png?resize=1024,382 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14.png?resize=1536,574 1536w\" sizes=\"auto, (max-width: 921px) 100vw, 
921px\" \/><\/a><\/p>\n<p><em>Figure 14: A disputed claim on Exploit, regarding a crypter for use with <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/07\/20\/ooda-x-ops-takes-on-burgeoning-sql-server-attacks\/\">Remcos<\/a><\/em><\/p>\n<p>These discussions are sometimes civil, and settled amicably to the satisfaction of both parties. We noted an example where the arbiter ruled that the accused should pay back 50% of the claimed amount:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88507\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png\" alt=\"An administrator rules that an accused scammer has to pay back 50% of the claimed amount to the claimant\" width=\"923\" height=\"225\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png 1036w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png?resize=300,73 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png?resize=768,187 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15.png?resize=1024,249 1024w\" sizes=\"auto, (max-width: 923px) 100vw, 923px\" \/><\/a><\/p>\n<p><em>Figure 15: An Exploit moderator gives the accused 24 hours to pay back 50% of the claimed amount<\/em><\/p>\n<p>In one case, the administrator of BreachForums even compensated a scam victim out of their own pocket:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88508\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png\" alt=\"An administrator says they will personally refund a scam victim\" width=\"925\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png 1368w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png?resize=300,117 300w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png?resize=768,299 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16.png?resize=1024,398 1024w\" sizes=\"auto, (max-width: 925px) 100vw, 925px\" \/><\/a><\/p>\n<p><em>Figure 16: The BreachForums administrator personally compensates a scam victim to the tune of $200<\/em><\/p>\n<p>But scam reports more commonly descend into insults and counteraccusations. In some cases, the alleged victims were themselves later banned for scamming.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88509\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png\" alt=\"A user accused of being a scammer accuses the complainant of being a scammer\" width=\"925\" height=\"331\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png 1557w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png?resize=300,108 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png?resize=768,275 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png?resize=1024,367 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image17.png?resize=1536,550 1536w\" sizes=\"auto, (max-width: 925px) 100vw, 925px\" \/><\/a><\/p>\n<p><em>Figure 17: A scam report on Exploit results in the accused accusing the accuser of scamming<\/em><\/p>\n<h3>Consequences<\/h3>\n<p>Bans (and to a lesser extent, warnings) seem to be the most common outcome in arbitrations, but BreachForums takes a slightly different approach. 
Perhaps to deter future scammers, its moderators publish banned users\u2019 sign-up email addresses and registration and last-seen IP addresses, thus partially doxing them:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image18.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88510\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image18.png\" alt=\"A screenshot of a banned user's profile\" width=\"918\" height=\"188\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image18.png 873w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image18.png?resize=300,62 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image18.png?resize=768,157 768w\" sizes=\"auto, (max-width: 918px) 100vw, 918px\" \/><\/a><\/p>\n<p><em>Figure 18: An example of a banned user, complete with published sign-up email address, and registration and last known IP addresses<\/em><\/p>\n<p>We noticed a couple of cases involving serial scammers who, after being banned, simply created a new profile with a new identity, paid a new registration fee, and began scamming again.<\/p>\n<h3>Not just small-time crooks<\/h3>\n<p>We noted a few examples where more prominent threat actors were involved. 
For instance, here\u2019s a curious case which wasn\u2019t so much a scam, but involved a user who wanted to negotiate with the Conti ransomware group on behalf of a victim:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88511\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png\" alt=\"A scam report against the Conti ransomware group which asks for a ransomed victim's network to be decrypted\" width=\"968\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png 1555w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png?resize=300,112 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png?resize=768,286 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png?resize=1024,381 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image19.png?resize=1536,572 1536w\" sizes=\"auto, (max-width: 968px) 100vw, 968px\" \/><\/a><\/p>\n<p><em>Figure 19: A user opens an arbitration claim to try and negotiate with the Conti group about decryption of a company&#8217;s assets<\/em><\/p>\n<p>This report was closed by Exploit moderators because it related to ransomware, which is ostensibly banned on that forum. But what\u2019s interesting is that the complainant appears to be a threat actor in their own right, and had joined the Exploit forum over three years before opening the above claim \u2013 with multiple posts expressing an interest in purchasing data. 
Their relationship to Conti\u2019s victim in this case isn\u2019t clear.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image20.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88512\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image20.png\" alt=\"A summary of a user's previous posts in the forum, which show they are interested in buying and selling illicit data\" width=\"640\" height=\"583\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image20.png 915w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image20.png?resize=300,273 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image20.png?resize=768,699 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 20: Some of the complainant&#8217;s previous posts on the Exploit forum<\/em><\/p>\n<p>Another case involved \u2018Alan Wake\u2019 (a name taken from a video game), who sponsored the most recent <a href=\"https:\/\/www.digitalshadows.com\/blog-and-research\/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating\/\">contest on XSS<\/a>, and was previously <a href=\"https:\/\/twitter.com\/S0ufi4n3\/status\/1552584941040504833\">accused by a Lockbit operator of being the leader of the Conti and BlackBasta ransomware groups<\/a>. 
A user accused Alan Wake of not paying their salary for \u2018making traffic from shells\u2019:<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image21.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88513\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image21.png\" alt=\"A scam report, in Russian, against the user 'Alan Wake'\" width=\"772\" height=\"316\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image21.png 901w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image21.png?resize=300,123 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image21.png?resize=768,315 768w\" sizes=\"auto, (max-width: 772px) 100vw, 772px\" \/><\/a><\/p>\n<p><em>Figure 21: The XSS scam report against &#8216;Alan Wake&#8217;<\/em><\/p>\n<p>Alan Wake disputed the allegation, and the case was closed by the administrator and the complainant banned \u2013 not for scamming, but for &#8220;insults, assaults, threats, etc&#8221; and &#8220;extremely inappropriate behavior.&#8221;<\/p>\n<p>Finally, All World Cards (also a previous sponsor of XSS contests), a prominent carding group, were themselves victims of a scam involving a fake vulnerability, losing $2000 USD.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-88514\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png\" alt=\"A scam report from All World Cards, about a vulnerability which cost them $2000\" width=\"802\" height=\"168\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png 1456w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png?resize=300,63 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png?resize=768,160 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image22.png?resize=1024,214 1024w\" 
sizes=\"auto, (max-width: 802px) 100vw, 802px\" \/><\/a><\/p>\n<p><em>Figure 22: The All World Cards group report a scam in which they lost $2000<\/em><\/p>\n<p>If there\u2019s a takeaway from all this, it\u2019s that no user is immune; any trade on criminal forums involves an inherent risk of scams. While there are both proactive (warnings, plugins, guarantors) and reactive (arbitration rooms) measures in place, scammers are not only common, but \u2013 judging by the data we gathered \u2013 often successful. One of the reasons for their success is the sheer diversity of the scams they pull.<\/p>\n<p>In the second part of our investigation, due out this time next week (Wednesday 14 December), we\u2019ll cover the different types of scams we observed.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/07\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-1\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/shutterstock_1547115068.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Wed, 07 Dec 2022 17:00:36 +0000<\/strong><\/p>\n<p>A shadowy sub-economy is more than just a curiosity \u2013 it\u2019s booming business, and also an opportunity for defenders. 
In the first of a four-part series, we look at the forums involved, and how they deal with scammers scamming scammers<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28038,28039,11638,129,28040,21828,10574,27030,16771,15775],"class_list":["post-20737","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-aaas","tag-breachforums","tag-exploit","tag-featured","tag-marketplaces","tag-raidforums","tag-scams","tag-sophos-x-ops","tag-threat-research","tag-xss"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20737","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20737"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20737\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20737"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20737"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20737"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
