{"id":20913,"date":"2022-12-28T05:20:57","date_gmt":"2022-12-28T13:20:57","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/28\/news-14646\/"},"modified":"2022-12-28T05:20:57","modified_gmt":"2022-12-28T13:20:57","slug":"news-14646","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/28\/news-14646\/","title":{"rendered":"The scammers who scam scammers on cybercrime forums: Part 4"},"content":{"rendered":"<p><strong>Credit to Author: Matt Wixey| Date: Wed, 28 Dec 2022 12:00:01 +0000<\/strong><\/p>\n<div class=\"entry-content lg:prose-lg mx-auto prose max-w-4xl\">\n<p>It\u2019s the last chapter in our \u2018Scammers who scam scammers\u2019 series! (Missed the previous instalments? <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/07\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-1\/\">Part 1<\/a> introduced the ecosystem, <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/14\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-2\/\">Part 2<\/a> looked at the different types of scams, and <a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/21\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-3\/\">Part 3<\/a> covered a specific, large-scale scam.) In this final article, we\u2019ll look at why scammers on criminal marketplaces (inadvertently) provide useful strategic and tactical intelligence.<\/p>\n<p>Many criminal marketplaces demand proof when a scam is alleged, and victims are only too happy to oblige. While a minority of reporters redact this evidence, or restrict it so it\u2019s only visible to a moderator, most don\u2019t \u2013 and sometimes leave a treasure trove of cryptocurrency addresses, transaction IDs, email addresses, IP addresses, victim names, source code, and other information.<\/p>\n<p>This is in contrast with other areas of criminal marketplaces, where operational security is often very good. 
Maybe scam victims assume nobody is paying attention to arbitration rooms \u2013 or they\u2019re so ticked off about being scammed that their usual precautions take a backseat.<\/p>\n<p>To give you an idea of how prevalent this is, we looked at the most recent 250 scam reports on all three forums. 39% included screenshots, and 53% contained text-only accounts of the incident (often going into considerable detail). Only 8% of reports restricted access to evidence, or offered to submit it privately to an arbiter.<\/p>\n<h2>Receipts<\/h2>\n<p>Here\u2019s a typical scam report with evidence (we\u2019ve redacted the forum\u2019s address, which appears as a watermark on uploaded images, but the screenshots themselves are unredacted). The attachments include private messages on two platforms, as well as identifiers.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88886\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png\" alt=\"A screenshot of a scam complaint including 14 screenshots of chat logs and contact details\" width=\"640\" height=\"216\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png 1567w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png?resize=300,101 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png?resize=768,260 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png?resize=1024,346 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image1-4.png?resize=1536,520 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 1: A typical scam report, with proof<\/em><\/p>\n<p>Here\u2019s just a small selection of the kinds of things we saw in screenshots and chat logs.<\/p>\n<h3>Bitcoin addresses and transaction details<\/h3>\n<p>Criminal marketplaces often serve as 
advertising boards, with negotiations and sales usually occurring in other channels, such as Telegram, Tox, forum DMs, and so on. Sellers and buyers stick to this rule of thumb out of operational security concerns. But when it comes to scam complaints, these concerns can fall by the wayside. We saw numerous screenshots of negotiations and sales, complete with cryptocurrency addresses and links to transactions \u2013 which could be of significant use when investigating specific incidents or threat actors (either individuals or networks). Of course, threat actors may still apply anonymizing measures to their transactions, but it\u2019s better than nothing.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88887\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2-4.png\" alt=\"A screenshot of a private chat which includes links to Bitcoin transactions, and Bitcoin addresses\" width=\"640\" height=\"545\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2-4.png 955w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2-4.png?resize=300,255 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image2-4.png?resize=768,654 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 2: In this screenshot of a chat log, the scam victim posts a transaction link (containing their Bitcoin address)<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88888\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3-4.png\" alt=\"A screenshot of a private chat which shows a link to an Ethereum transaction\" width=\"473\" height=\"1024\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3-4.png 473w, 
https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image3-4.png?resize=139,300 139w\" sizes=\"auto, (max-width: 473px) 100vw, 473px\" \/><\/a><\/p>\n<p><em>Figure 3: Another example of a transaction link, this one via Telegram and for Ethereum<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88889\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png\" alt=\"A screenshot of a user's desktop, including cryptocurrency transaction details in an Electrum wallet\" width=\"640\" height=\"361\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png 1382w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png?resize=768,433 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image4-4.png?resize=1024,578 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 4: Transaction details from another scam complaint. Note this screenshot also includes date, time, weather, and the user&#8217;s taskbar<\/em><\/p>\n<h3>Email addresses and more&#8230;<\/h3>\n<p>Some scam reporters are particularly lax about redacting information. 
In one case, a complainant uploaded a series of screenshots (an example is shown below) containing information about the applications installed on their system, the date and time, their email address, their Outlook name, and usernames of other individuals with whom they were communicating on Telegram.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88890\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png\" alt=\"A screenshot of a user's desktop\" width=\"640\" height=\"350\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png 1592w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png?resize=300,164 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png?resize=768,420 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png?resize=1024,560 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image5-4.png?resize=1536,839 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 5: A screenshot posted by a scam complainant, containing a wealth of information<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88891\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png\" alt=\"A screenshot of an invoice \" width=\"640\" height=\"305\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png 1329w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png?resize=300,143 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png?resize=768,366 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image6-4.png?resize=1024,488 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" 
\/><\/a><\/p>\n<p><em>Figure 6: An invoice for purchase of an exploit builder, posted by the same complainant<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88892\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png\" alt=\"A screenshot of a user's desktop\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png 1265w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image7-4.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 7: A screenshot posted by another scam complainant, this one relating to a ripper marketplace. Note the tabs open, the applications on the taskbar, the date\/time\/weather\/language, and the other chats open<\/em><\/p>\n<h3>MAC and IP addresses<\/h3>\n<p>While not common, we did see MAC and IP addresses in complainants&#8217; screenshots, often from troubleshooting malware or AaaS listings with an alleged scammer.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88893\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8-3.png\" alt=\"A screenshot of a private chat, which includes a screenshot of a wireless adapter's properties\" width=\"640\" height=\"432\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8-3.png 1013w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8-3.png?resize=300,202 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image8-3.png?resize=768,518 768w\" sizes=\"auto, (max-width: 640px) 
100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 8: A scam complainant posts details of a WiFi adapter, including its MAC address<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88894\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png\" alt=\"A screenshot of a private chat, showing an IP address and computer name\" width=\"640\" height=\"401\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png 1290w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png?resize=300,188 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png?resize=768,482 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image9-3.png?resize=1024,642 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 9: An excerpt from a chat log in a scam complaint, containing an IP address, country, and hostname being tested by the scammer and complainant<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88895\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10-3.png\" alt=\"A screenshot showing two IP addresses\" width=\"428\" height=\"381\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10-3.png 428w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image10-3.png?resize=300,267 300w\" sizes=\"auto, (max-width: 428px) 100vw, 428px\" \/><\/a><\/p>\n<p><em>Figure 10: Two IP addresses revealed in a scam complaint<\/em><\/p>\n<h3>Malware source code<\/h3>\n<p>While relatively rare, we did observe at least one instance of a scam complainant sharing malware source code.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png\"><img 
decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88896\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png\" alt=\"A screenshot of malware source code in an IDE\" width=\"640\" height=\"423\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png 1273w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png?resize=300,198 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png?resize=768,508 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image11-3.png?resize=1024,677 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 11: A screenshot of malware source code, posted as part of a scam report. Note that this screenshot also includes the Windows taskbar, which shows some of the applications installed, the language, and the date and time<\/em><\/p>\n<h3>Names of victim organizations<\/h3>\n<p>Sellers do not typically mention victim names in their AaaS listings, as they\u2019re concerned about organizations being tipped off. 
However, we saw several examples where scam complainants posted detailed chat logs, such as the one below, which included victim names.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88897\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12-3.png\" alt=\"A screenshot of a private chat which shows the name of two victim organizations\" width=\"640\" height=\"543\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12-3.png 999w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12-3.png?resize=300,255 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image12-3.png?resize=768,652 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 12: An excerpt from a Tox chat log about the purchase of an AaaS listing affecting a specific, named victim (which we have redacted)<\/em><\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88898\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13-3.png\" alt=\"A screenshot of a private chat, showing a victim organization's name\" width=\"484\" height=\"540\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13-3.png 484w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image13-3.png?resize=269,300 269w\" sizes=\"auto, (max-width: 484px) 100vw, 484px\" \/><\/a><\/p>\n<p><em>Figure 13: Excerpt from a chat containing a username, password, and organization name as a sample (which we have redacted)<\/em><\/p>\n<h3>Detailed information about negotiations and planned attacks\/projects<\/h3>\n<p>We observed several cases where scam complainants posted detailed chat logs about projects and attacks.<\/p>\n<p><a 
href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88899\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png\" alt=\"A screenshot of a private chat in which a user lays out their plans to launch a phishing campaign\" width=\"640\" height=\"328\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png 1547w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png?resize=300,154 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png?resize=768,394 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png?resize=1024,526 1024w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image14-3.png?resize=1536,788 1536w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 14: A scam complainant posts an excerpt from a chat log which reveals detailed information about the project they were working on<\/em><\/p>\n<p>The example below not only includes detailed information about a possible sale of exploits (although note that this is a scam complaint), but the alleged scammer\u2019s GitHub profile and a website featuring one of their vulnerabilities (which could be used to identify the scammer). 
The screenshot also shows applications installed on the complainant\u2019s machine, their Tox name, the date and time, and the temperature and weather at the time of the post (\u201cZonnig\u201d is Dutch, meaning \u201csunny\u201d).<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88900\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png\" alt=\"A screenshot of a private chat in which two users discuss buying exploits\" width=\"640\" height=\"360\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png 1378w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png?resize=300,169 300w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png?resize=768,432 768w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image15-3.png?resize=1024,576 1024w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 15: A screenshot of a Tox chat posted by a complainant as part of a scam report<\/em><\/p>\n<p>One caveat: since these details are posted in arbitration threads, they can\u2019t always be relied upon to be representative of the underground economy as a whole. However, they do provide a starting point. And since scam reports are created by both buyers and sellers, there\u2019s material from \u2018legitimate\u2019 users on both sides of transactions.<\/p>\n<p>It\u2019s also worth noting that some forum users are more circumspect about the details they share in scam reports. 
However, in our experience these users were very much in the minority; in the scam reports we looked at, only 8% restricted access to evidence.<\/p>\n<p><a href=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-88901\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16-2.png\" alt=\"A forum post in which the user reports a scam and offers to send proof to the moderator\" width=\"640\" height=\"212\" srcset=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16-2.png 721w, https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/image16-2.png?resize=300,99 300w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/a><\/p>\n<p><em>Figure 16: A user doesn\u2019t share evidence in their scam report, but instead offers to share it in a private message to moderators<\/em><\/p>\n<h2>Conclusion<\/h2>\n<p>Threat actors \u2013 including some very prominent ones \u2013 don\u2019t always practice what they preach, or learn from their victims\u2019 mistakes. This has two important implications. First, the underground economy is riddled with a wide variety of (successful) scams, netting scammers millions of dollars a year and resulting in an effective \u2018tax\u2019 on criminal marketplaces.<\/p>\n<p>And second, threat actors are not immune to deception, social engineering, and fraud \u2013 in fact, they\u2019re as vulnerable as anyone else. So certain kinds of defensive techniques \u2013 honeypots, decoy and canary data, and similar measures \u2013 are probably worthy of more attention, investigation, and research and development.<\/p>\n<p>There\u2019s also a huge diversity of scams on criminal marketplaces. Some, like fake guarantors, are specific to those platforms, whereas others are more generic. It\u2019s likely that there are other, more sophisticated scams running which threat actors have not yet detected and\/or reported. 
It\u2019s also likely that scams against threat actors will continue to develop and evolve.<\/p>\n<p>While this is an interesting topic, we were initially doubtful as to whether our research could be of any practical use. However, we quickly realized there are two key applications:<\/p>\n<p>1) Scam reports can be a rich source of intelligence. While threat actors on \u2018elite\u2019 criminal forums may have solid operational security, this seems to fall by the wayside when they\u2019re scammed. We found numerous instances of sensitive data and verbose details in screenshots and chat logs attached to scam reports. In some cases, evidence included discrete identifiers which researchers could use in specific investigations. In others, it included more general information about negotiations, sales, attacks, and projects. Scam reports in general can also be useful for strategic intelligence, providing researchers with information about rivalries and alliances, wider trends, and forum culture.<\/p>\n<p>2) We hope that this research will help prevent inexperienced researchers, analysts, journalists, law enforcement agents, and others who monitor criminal marketplaces from falling victim to some of these scams themselves (whether that\u2019s giving away credentials to fake sites or paying to access \u2018closed\u2019 forums which are actually ripper sites).<\/p>\n<p>Our dive into the world of scammers scamming scammers is an exploratory one, but we hope it\u2019s the start of more research on this topic. 
There\u2019s a lot more we want to investigate \u2013 including more detailed quantitative studies, looking at a broader range of marketplaces, and exploring other scamming techniques used against criminals.<\/p>\n<\/p><\/div>\n<p><a href=\"https:\/\/news.sophos.com\/en-us\/2022\/12\/28\/the-scammers-who-scam-scammers-on-cybercrime-forums-part-4\/\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/news.sophos.com\/wp-content\/uploads\/2022\/12\/shutterstock_1034128273.jpg\"\/><\/p>\n<p><strong>Credit to Author: Matt Wixey| Date: Wed, 28 Dec 2022 12:00:01 +0000<\/strong><\/p>\n<p>A shadowy sub-economy is more than just a curiosity \u2013 it\u2019s booming business, and also  an opportunity for defenders. In the fourth and final part of our series, we look at how scammers scamming scammers can benefit researchers<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28039,11638,129,28040,10574,27030,16771,15775],"class_list":["post-20913","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-breachforums","tag-exploit","tag-featured","tag-marketplaces","tag-scams","tag-sophos-x-ops","tag-threat-research","tag-xss"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20913","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.
palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20913"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20913\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20913"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20913"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20913"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}