{"id":20876,"date":"2022-12-21T05:20:57","date_gmt":"2022-12-21T13:20:57","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/21\/news-14609\/"},"modified":"2022-12-21T05:20:57","modified_gmt":"2022-12-21T13:20:57","slug":"news-14609","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/21\/news-14609\/","title":{"rendered":"The scammers who scam scammers on cybercrime forums: Part 3"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Wed, 21 Dec 2022 11:00:08 +0000<\/strong><\/p>\n

\n

In the first chapter of this series<\/a>, we provided an overview of the hidden sub-economy of scammers who scam scammers, and in the second<\/a> we examined the wide variety of scams and tricks within it.<\/p>\n

The third chapter is a little different. It covers a specific scam we uncovered during our research, which we highlight because of its scale, levels of coordination, and apparent success.<\/p>\n

The curious case of twenty fake marketplaces<\/h2>\n

During our research into Genesis Market<\/a>, we found a clearnet site (genesismarket[.]org<\/strong>) that looked nothing like the genuine Genesis Market site but appeared prominently in search engine results.<\/p>\n

\"A<\/a><\/p>\n

Figure 1: The fake Genesis Market site<\/em><\/p>\n

We quickly determined that the site didn\u2019t seem to be connected to the genuine Genesis Market. For one thing, the site demands a $100 USD deposit, whereas the real Genesis is invitation-only.<\/p>\n

\"A<\/a><\/p>\n

Figure 2: The deposit demand on the fake Genesis site<\/em><\/p>\n

The site asks users to pay in Bitcoin or Monero:<\/p>\n

\"A<\/a><\/p>\n

Figure 3: The fake site’s deposit page<\/em><\/p>\n

This, and a few other elements (such as the \u2018lost password\u2019 button not redirecting anywhere, and some falsified \u2018forum posts\u2019) led us to assume it was a crude, low-effort, one-off scam, designed to take advantage of inexperienced researchers, would-be threat actors, and the generally curious.<\/p>\n

\"A<\/a><\/p>\n

Figure 4: Some of the low-effort fake forum posts<\/em><\/p>\n

But three things piqued our curiosity.<\/p>\n

The first was that the onion link on the homepage doesn\u2019t link to an onion site at all, but to genesismarket[.]org\/benumbiernqlud55izbw4mdubush4zhzpg4rw3c2j6ew3ggpzbb7gdqd[.]onion<\/strong>. Benumb is a carding site, and we wondered if someone from that marketplace was running the scam and had made a mistake with the link.<\/p>\n

The second thing was that the Copy address<\/strong> button on the deposit page triggers some JavaScript, which copies a different Bitcoin address to the clipboard:<\/p>\n

\"A<\/a><\/p>\n

Figure 5: Clicking the ‘Copy address’ button results in a different address being copied to the clipboard<\/em><\/p>\n

And the third was that someone had actively advertised this site on Reddit, which suggested the scam might be more coordinated than we first thought:<\/p>\n

\"A<\/a><\/p>\n

Figure 6: A now-deleted Reddit post advertising the fake site<\/em><\/p>\n

We visited the \u2018Benumb\u2019 link and found a site set up in exactly the same way, with the same demand for $100 (albeit with different Bitcoin and Monero addresses):<\/p>\n

\"A<\/a><\/p>\n

Figure 7: The fake Benumb page, with an ironic phishing warning<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 8: The fake Benumb’s wallet page<\/em><\/p>\n

And when we looked at the credit card numbers on the homepage, we discovered that they were identical to the ones listed on the fake Genesis site.<\/p>\n

\"The<\/a><\/p>\n

Figure 9: The credit card numbers and details on the fake Benumb homepage…<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 10: …which are exactly the same as those on the fake Genesis site<\/em><\/p>\n

We started querying search engines for portions of the text, the credit card details, and the cryptocurrency addresses, to find other sites created by the same scammer.<\/p>\n

All in all we found twenty<\/em> sites, registered between August 2021 and June 2022, which we assess with high confidence are operated by the same individual or group. Virtually all of them imitate existing or defunct criminal marketplaces (including multiple scam versions of Genesis, Benumb, UniCC, and Pois0n), ask for an activation deposit of $100, and have a similar look and feel. Some employ the same clipboard substitution quirk, and some don\u2019t. We also observed a few other minor differences, like background color or slight modifications to the spiel.<\/p>\n

\"The<\/a><\/p>\n

Figure 11: A scam version of YaleLodge, a criminal marketplace<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 12: A scam version of another marketplace, WWH Club<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 13: A scam version of Brian’s Club, yet another criminal marketplace<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 14: A scam version of the UniCC carding site (the genuine site closed in January 2022<\/a>). Note that this site also contains a link to the fake Benumb site<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 15: A scam version of Pois0n, another criminal marketplace<\/em><\/p>\n

Along the way, we found evidence that the scammer was advertising other sites on Reddit:<\/p>\n

\"A<\/a><\/p>\n

Figure 16: A Reddit post promoting one of the fake Benumb sites<\/em><\/p>\n

We did find one anomaly \u2013 a site called \u2018Cashout Guide\u2019, which claims to teach users carding and fraud (for a fee, naturally) \u2013 which nonetheless has a similar appearance to the scam marketplaces:<\/p>\n

\"The<\/a><\/p>\n

Figure 17: Available tiers on the Cashout Guide site<\/em><\/p>\n

Of the twenty sites we found, thirteen are no longer active. Most are clearnet sites, although we discovered three onion sites (and one clearnet site masquerading as an onion site).<\/p>\n

Here\u2019s a full list, along with the associated Bitcoin addresses and registration information (where available):<\/p>\n

Table 1: The sites we discovered<\/em><\/p>\n

When we collated information from all the Bitcoin addresses (by design, the balances of Monero addresses are hidden), we found that this scam network has been lucrative. Together, those addresses have received over $132,000 \u2013 and most of it has been withdrawn, leaving a total balance of only $1,633.34.<\/p>\n

We can\u2019t say for certain whether all the inputs to those addresses are related to the scam (i.e., we don\u2019t know if the scammer has used them for other business), and in a few cases, the timelines didn\u2019t add up (a few addresses made their first transaction before the associated site(s) were registered, so some inputs may have been unrelated to the scam). But even taking those examples out, there was still $87,676 going into those wallets.<\/p>\n

One big question remained: who was behind the scam?<\/p>\n

We found something we thought might be a clue: on some sites, the footer contains a link to a website called darknet[.]markets<\/strong> (there appear to be a few versions of this site with very similar content, including darknetmarket[.]org<\/strong> and dark[.]markets<\/strong>).<\/p>\n

\"A<\/a><\/p>\n

Figure 18: A link to darknet[.]markets on the scam site unic[.]cards<\/em><\/p>\n

These sites are indexes of dark web criminal marketplaces, for visitors interested in drugs sales, carding, and cryptocurrency exchanges. Not only do they look similar to the scam marketplaces (and with similar hosting\/registration details), they also list several of the fake marketplaces we discovered.<\/p>\n

\"The<\/a><\/p>\n

Figure 19: The ‘carding’ section on dark[.]markets<\/em><\/p>\n

Most of the activation notices on the scam marketplaces mention a carding forum on the criminal marketplace Dread (also known as Caf\u00e9 Dread). We searched the names of the index sites on Dread, and found a post by a user called waltcranston <\/strong>(the username is likely inspired by the television series Breaking Bad<\/em>), who claimed to have created them:<\/p>\n

\"A<\/a><\/p>\n

Figure 20: waltcranston’s post (now deleted)<\/em><\/p>\n

We also found at least one Dread user who seemed to fall for one of the scams:<\/p>\n

\"A<\/a><\/p>\n

Figure 21: A Dread user’s post\u00a0<\/em><\/p>\n

We dug further into the index sites, and found waltcranston listed prominently in the \u2018Drug Markets\u2019 section:<\/p>\n

\"The<\/a><\/p>\n

Figure 22: waltcranston’s onion link on one of the index sites<\/em><\/p>\n

waltcranston is a self-proclaimed methamphetamine dealer on both Dread and other marketplaces such as Alphabay. By their own admission they\u2019re based in the US:<\/p>\n

\"A<\/a><\/p>\n

Figure 23: waltcranston claims to be based in the US<\/em><\/p>\n

Their website appears to use a similar template to the scam marketplaces, and the clearnet version has similar hosting and registration details:<\/p>\n

\"waltcranston's<\/a><\/p>\n

Figure 24: waltcranston’s vendor site<\/em><\/p>\n

We also found that one of the fake forum posts on at least one of the scam marketplaces was written by a waltcranston:<\/p>\n

\"A<\/a><\/p>\n

Figure 25: A forum post on one of the fake Benumb marketplaces<\/em><\/p>\n

waltcranston uses both Bitcoin and Monero, as shown in this post:<\/p>\n

\"A<\/a><\/p>\n

Figure 26: In a post relating to their methamphetamine business, waltcranston confirms they use both Bitcoin and Monero<\/em><\/p>\n

And several of waltcranston\u2019s posts indicate a familiarity with criminal marketplaces and an open-minded attitude towards phishing and scamming, particularly when it comes to imitating specific marketplaces:<\/p>\n

\"A<\/a><\/p>\n

Figure 27: waltcranston recommends Genesis Market to another user<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 28: waltcranston passes on some advice regarding phishing sites “tailor-made to a specific market or shop”<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 29: waltcranston suggests running a phishing site to another user<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 30: waltcranston with a tongue-in-cheek quote about vendors turning to scamming<\/em><\/p>\n

A Dread user had come to the same conclusion as us, publicly posting this accusation:<\/p>\n

\"A<\/a><\/p>\n

Figure 31: A Dread user calls out waltcranston for running some of the scam marketplaces we discovered<\/em><\/p>\n

waltcranston did not confirm or deny the allegation in his responses, although other Dread users chipped in:<\/p>\n

\"Reactions<\/a><\/p>\n

Figure 32: Some Dread users condemned scammers<\/em><\/p>\n

In the above conversation, the accuser suggests a possible motivation for waltcranston running these scamming sites \u2013 retirement from dealing methamphetamine.<\/p>\n

Other Dread users were more apathetic about the situation:<\/p>\n

\"More<\/a><\/p>\n

Figure 33: Two Dread users less concerned about scammers<\/em><\/p>\n

We should point out here that most of this evidence is circumstantial, and we didn\u2019t find any discrete identifiers which link waltcranston to the fake marketplaces.<\/p>\n

In the final part of our series, due out Wednesday 28 December, we\u2019ll show why this subject matters. Scam reports are a rich, and underexplored, source of intelligence; threat actors are aware that criminal forums are monitored, and so often employ good operational security \u2013 but when they\u2019re victims of crime themselves, not so much. Because forum rules demand proof to support scam allegations, wronged threat actors will often post screenshots of private conversations and source code, identifiers, transactions, chat logs, and blow-by-blow accounts of negotiations, sales, and troubleshooting. We\u2019ll share some case studies and wrap up our series with some recommendations and ideas for future research.<\/p>\n<\/p><\/div>\n

http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Matt Wixey| Date: Wed, 21 Dec 2022 11:00:08 +0000<\/strong><\/p>\n

A shadowy sub-economy is more than just a curiosity \u2013 it\u2019s booming business, and also an opportunity for defenders. In the third part of our series, we look at the curious case of twenty fake marketplaces.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28217,129,25788,28040,10574,27030,16771],"class_list":["post-20876","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-dread","tag-featured","tag-genesis","tag-marketplaces","tag-scams","tag-sophos-x-ops","tag-threat-research"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20876","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20876"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20876\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20876"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20876"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20876"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}