{"id":20803,"date":"2022-12-14T05:23:30","date_gmt":"2022-12-14T13:23:30","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/14\/news-14536\/"},"modified":"2022-12-14T05:23:30","modified_gmt":"2022-12-14T13:23:30","slug":"news-14536","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/12\/14\/news-14536\/","title":{"rendered":"The scammers who scam scammers on cybercrime forums: Part 2"},"content":{"rendered":"

Credit to Author: Matt Wixey| Date: Wed, 14 Dec 2022 12:00:20 +0000<\/strong><\/p>\n

\n

Following on from the first chapter of our investigation into scammers who scam scammers<\/a>, we turn to the variety of scams on criminal marketplaces \u2013 which range from crude \u2018rip-and-runs\u2019 to sophisticated, long-term efforts.<\/p>\n

Rip-and-run<\/h2>\n

One of the most common scams, a \u2018rip-and-run\u2019 can work in two ways: A buyer receives goods but doesn\u2019t pay for them, or a seller receives payment but doesn\u2019t deliver. That\u2019s the \u2018rip.\u2019 The \u2018run\u2019 part means that the scammer goes dark, refusing to answer messages or disappearing from the forum altogether.<\/p>\n

Rip-and-runs usually involve small amounts, but there are exceptions.<\/p>\n

\"A<\/a><\/p>\n

Figure 1: A simple example of a rip-and-run scam on BreachForums, involving $200 USD<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 2: A higher-value rip-and-run on Exploit, for $1500<\/em><\/p>\n

There\u2019s not much arbitrators can do about rip-and-runs; they usually ban the scammer, but it doesn\u2019t have much impact as the scammer is long gone. From the scammer\u2019s perspective, they lose their profile (and any associated reputation points), so they\u2019ll have to start from scratch if they want to run the scam again.<\/p>\n

\"A<\/a><\/p>\n

Figure 3: An example of a scammer apparently creating a new profile to commit further rip-and-run scams<\/em><\/p>\n

Fake leaks and tools<\/h2>\n

A scam that embodies the warning caveat emptor<\/em>, this attack can take various forms, although it\u2019s especially common with database trades. A scammer offers a database for sale, which is actually publicly available or previously leaked.<\/p>\n

\"A<\/a><\/p>\n

Figure 4: A BreachForums scam report concerning a fake database<\/em><\/p>\n

This type of scam is prevalent on BreachForums (and was also very popular on its predecessor, RaidForums).<\/p>\n

\"A<\/a><\/p>\n

Figure 5: Another scam report, this one involving a publicly available database<\/em><\/p>\n

The moderator\u2019s response to the above report finds in favor of the complainant, citing the forum\u2019s rules, despite the accused disputing the claim:<\/p>\n

\"A<\/a><\/p>\n

Figure 6: The moderator’s response<\/em><\/p>\n

But it\u2019s not just databases. Here\u2019s an example from Exploit, where one user paid $200 USD to another user to bind an executable (presumably malware) to a PDF. The buyer raised a scam report because, rather than binding the executable, the user simply gave the file a PDF icon.<\/p>\n

\"A<\/a><\/p>\n

Figure 7: The PDF\/exe scam report<\/em><\/p>\n

And, in another example from Exploit, stolen credit card data turned out to be invalid.<\/p>\n

\"A<\/a><\/p>\n

Figure 8: A scam report involving higher percentages of invalid card data than advertised. Note that the complainant in this case was subsequently banned for scamming!<\/em><\/p>\n

We saw numerous examples of users buying services, tools, and frameworks which were not as advertised or which did not meet requirements. The accused don\u2019t usually do a runner after pulling these scams, but instead, as one commenter pointed out in the PDF\/exe thread, hope that their \u2018marks\u2019 don\u2019t understand what they\u2019re paying for. It\u2019s attempted deception, rather than explicit scamming.<\/p>\n

Referral scams<\/h2>\n

Often a variation of the first two scam types, referral scams involve two or more scammers working in tandem. The first, who may have a reasonable reputation score and feedback (possibly through \u2018alt repping\u2019), builds rapport with the victim throughout the sales process, and then introduces them to the second scammer, who they claim can complete the work in question. As shown in the example below, this usually ends with both scammers disappearing with the victim\u2019s money.<\/p>\n

\"A<\/a><\/p>\n

Figure 9: A referral scam report on Exploit<\/em><\/p>\n

In this case, despite clear misgivings about the trustworthiness of the second scammer, the first scammer\u2019s reassurances were enough to convince the victim to hand over money:<\/p>\n

\"A<\/a><\/p>\n

Figure 10: A screenshot from a private chat between the first scammer and the victim, concerning the second scammer<\/em><\/p>\n

Referral scams can also involve dedicated infrastructure. In the example below, the first scammer contacted the victim and convinced them to contact a second scammer on a separate forum, which was a scam site (see Typosquatting, phishing, and ripper sites<\/strong>, below). To access the site, the victim had to pay a deposit and registration fee, losing $350 in total.<\/p>\n

\"A<\/a><\/p>\n

Figure 11: A referral scam involving a scam forum site<\/em><\/p>\n

Alt repping and impersonations<\/h2>\n

\u2018Alt repping\u2019 is a variation on referral scams; rather than two separate scammers, one scammer operates multiple accounts, usually to artificially inflate their reputation score (a key metric for many users when deciding who to trade with).<\/p>\n

\"An<\/a><\/p>\n

Figure 12: A BreachForums moderator accuses a user of alt repping<\/em><\/p>\n

Occasionally, scammers will use multiple profiles for other purposes. In one Exploit report, for example, a user claimed that an individual was operating accounts on both Exploit and XSS under different names to sell the same product, an AaaS listing, multiple times (we briefly examined reselling in our recent white paper on multiple attackers<\/a>).<\/p>\n

\"A<\/a><\/p>\n

Figure 13: One individual, operating accounts on different forums, attempts to sell the same AaaS listing twice<\/em><\/p>\n

And in a stranger case, a user was banned on XSS for creating a trade between two sockpuppet accounts, and then opening an arbitration case about it (possibly because they incorrectly assumed the forum itself would compensate them):<\/p>\n

\"An<\/a><\/p>\n

Figure 14: Two sockpuppet profiles are banned for trying to cheat the XSS forum<\/em><\/p>\n

A variation on alt repping is scammers impersonating users with high reputations, or jumping in on in-progress negotiations and attempting to pass themselves off as the seller:<\/p>\n

\"A<\/a><\/p>\n

Figure 15: A user warns the XSS forum that someone is attempting to impersonate them<\/em><\/p>\n

Fake guarantors<\/h2>\n

Guarantors and \u2018middlemen\u2019 are typically optional on criminal forums, but moderators and senior users often recommend them. They function as an escrow service, holding funds until they receive confirmation from the buyer that the goods have been received and are as advertised. They usually take commission for this, although the BreachForums administrator offers it as a free service.<\/p>\n

A refusal to use a guarantor if asked is a bannable offense on some forums.<\/p>\n

\"An<\/a><\/p>\n

Figure 16: A user is called out in an XSS scam report for refusing a guarantor<\/em><\/p>\n

Some scammers weaponize the concept of guarantors. Typically, this involves some form of impersonation attack, where a scammer impersonates an administrator or registers a misleading Telegram or Jabber name, as in the examples below:<\/p>\n

\"A<\/a><\/p>\n

Figure 17: An example of a misleading Jabber name designed to impersonate the Exploit guarantor service<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 18: A malicious Telegram handle designed to impersonate XSS administrators<\/em><\/p>\n

A scammer who successfully impersonates a guarantor is likely to then disappear with the buyer\u2019s funds.<\/p>\n

The Exploit administrators have implemented a safeguard for this \u2013 a \u2018fake Jabber checker,\u2019 where users can submit Jabber names to check if they\u2019re legitimate.<\/p>\n

Blackmail<\/h2>\n

We noted one allegation of blackmail in the scam reports we examined, and it didn\u2019t appear to be a particularly egregious one. The complainant, a database seller, alleged that a buyer threatened to accuse him of being a scammer if he didn\u2019t send more data for free.<\/p>\n

\"A<\/a><\/p>\n

Figure 19: An Exploit scam report alleging blackmail<\/em><\/p>\n

What this case does show is how seriously marketplace users take their reputation. An accusation of scamming can put a serious dent in a vendor\u2019s credibility, and therefore impact their earnings.<\/p>\n

What we didn\u2019t see \u2013 although that\u2019s not to say it doesn\u2019t happen \u2013 were any outright examples of blackmail, where users dox others and threaten to expose them or report them to law enforcement (although there have been public accusations of this nature<\/a> involving high-profile threat actors).<\/p>\n

Backdoored malware<\/h2>\n

Moving on to more sophisticated attacks, we saw several scam reports about backdoored malware \u2013 that is, malware sold or distributed on the forums which contains code designed to covertly attack its operators and steal their data.<\/p>\n

\"A<\/a><\/p>\n

Figure 20: An XSS scam report alleging that a RAT sold by a user installs a backdoor<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 21: An Exploit user accuses the author of BitRAT of backdooring their malware<\/em><\/p>\n

A particularly interesting example involves an Exploit user who purchased a (deliberately) fake copy of Axie Infinity \u2013 an NFT-based game \u2013 with the intent of defrauding legitimate users by distributing it and passing it off as genuine. The fake copy contained a backdoor which stole the stolen cryptocurrency.<\/p>\n

\"A<\/a><\/p>\n

Figure 22: A scam report about a backdoored fake copy of Axie Infinity<\/em><\/p>\n

As with virtually every scam report we read, the irony of this situation was apparently lost on the victim.<\/p>\n

Backdoored malware isn\u2019t unique to criminal marketplaces. Security researcher BushidoToken<\/a> reported in June 2022 that a software piracy site was serving up malware builders and panels backdoored with an infostealer<\/a>. And research by security firm JFrog in February 2022 revealed that some malicious npm packages contained code designed to steal secret tokens from threat actors<\/a>, who themselves steal tokens from legitimate users.<\/p>\n

Typosquatting, phishing, and ripper sites<\/h2>\n

We noted numerous instances of typosquatting, phishing, and scam forum sites designed to either trick users out of a \u2018registration fee\u2019 or to steal credentials for genuine criminal marketplaces (with possible motivations including theft of cryptocurrency, impersonating users for future scams, or ruining users\u2019 reputations).<\/p>\n

In many cases, scammers adopted similar approaches to those used by traditional threat actors to target individuals and organizations, with some context-specific differences.<\/p>\n

For example, we observed several cases where scammers had set up clones of current or former criminal marketplaces. Here\u2019s a fake version of the Exploit site, which uses the misspelling \u2018explolt\u2019 in the domain name, but is otherwise an identical clone:<\/p>\n

\"A<\/a><\/p>\n

Figure 23: The fake Exploit homepage<\/em><\/p>\n

This site is probably intended to harvest credentials, or trick users into paying false registration fees, and appears to be well-constructed, redirecting to the genuine Exploit site.<\/p>\n

Amusingly, some Exploit users, on becoming aware of this fake site, tested its security and found an XSS vulnerability:<\/p>\n

\"An<\/a><\/p>\n

Figure 24: An Exploit user’s screenshot of an XSS vulnerability in the fake Exploit site<\/em><\/p>\n

We observed another fake Exploit domain \u2013 this one misspelled as \u2018exlpoit\u2019 \u2013 used in conjunction with a Jabber phishing attack. Judging by the conversation, this scam was designed to dupe users into paying a deposit fee, although the target didn\u2019t fall for it on this occasion.<\/p>\n

\"A<\/a><\/p>\n

Figure 25: An excerpt of the Jabber conversation between scammer and target<\/em><\/p>\n

Other users aren’t so canny:<\/p>\n

\"A<\/a><\/p>\n

Figure 26: A user was fooled by a fake Exploit forum and entered their credentials<\/em><\/p>\n

We saw a few other typosquatting examples, like \u2018explolit\u2019 and \u2018exploti\u2019, used with varying degrees of success. Some users spotted the scam, others fell for it.<\/p>\n

XSS isn\u2019t immune either. We observed an XSS clone (spelled as \u2018xsss\u2019) which was previously reported by journalist Lawrence Abrams<\/a>. Upon entering credentials, the clone redirects to hxxps:\/\/fe-avv18[.]ru\/send.php, which presumably processes and stores the harvested credentials.<\/p>\n

We also noted a website, named \u2018xsx\u2019, which doesn\u2019t look anything like the genuine XSS site but may be designed to fool inexperienced users. This site demands a $100 registration fee (a very common scam amount, as we\u2019ll see in Part 3 of this series), and is reported on the XSS forum as a ripper site.<\/p>\n

\"A<\/a><\/p>\n

Figure 27: The ‘xsx’ scam site<\/em><\/p>\n

More commonly, we saw scams using domains similar to now-defunct criminal marketplaces, particularly Mazafaka (compromised in March 2021<\/a>) and Direct Connection.<\/p>\n

\"A<\/a><\/p>\n

Figure 28: A user falls for a scam which plays on the name of a defunct criminal marketplace<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 29: A user falls for another Direct Connection scam<\/em><\/p>\n

\"Another<\/a><\/p>\n

Figure 30: Yet another Direct Connection scam<\/em><\/p>\n

Other examples include typosquatting domains relating to the prominent criminal forum Verified, with misspellings such as \u2018verifeid.\u2019<\/p>\n

Sometimes, scammers create sites which don\u2019t imitate known marketplaces but use the same methodology, i.e., charging a registration fee:<\/p>\n

\"A<\/a><\/p>\n

Figure 31: Two alleged scam sites reported by an Exploit user<\/em><\/p>\n

\"A<\/a><\/p>\n

Figure 32: A scam site reported by an XSS user<\/em><\/p>\n

Most of these scams involve fake registration fees, although we saw some variations of other scams, like rip-and-runs and fake tools, connected to scam sites. For instance, one XSS user rented malware from a site, which worked for two days before the C2 panel disappeared (followed shortly by the site\u2019s owner):<\/p>\n

\"A<\/a><\/p>\n

Figure 33: A user reports being scammed by a malware rental site<\/em><\/p>\n

\"The<\/a><\/p>\n

Figure 34: The malware rental site in question<\/em><\/p>\n

Scammers scamming the scammers who scammed them<\/h2>\n

Unsurprisingly, while scamming threat actors might be lucrative, it can also be a dangerous game. We observed a few instances where threat actors weren\u2019t just indignant about being scammed \u2013 they wanted to get even.<\/p>\n

An XSS user annoyed at an alleged scammer for selling non-working tools and sending scam invites, doxed them \u2013 revealing their name, address, mobile phone number, and social media profiles, and their mother\u2019s name, phone number, and passport number. The accuser threw in a couple of photographs for good measure.<\/p>\n

\"A<\/a><\/p>\n

Figure 35: An alleged scammer is doxxed on XSS<\/em><\/p>\n

Over on Exploit, a scammer who phished new users with a fake Direct Connection marketplace link (see Typosquatting, phishing, and ripper sites<\/strong>) got short shrift from a user who recognized the scam:<\/p>\n

\"A<\/a><\/p>\n

Figure 36: A user recognizes the Direct Connection\/Mazafaka scam and challenges the scammer<\/em><\/p>\n

The user then posted the scammer\u2019s information on Exploit, and invited other users to harass them:<\/p>\n

\"A<\/a><\/p>\n

Figure 37: The Exploit user invites others to harass the scammer on Telegram<\/em><\/p>\n

The most interesting examples of scammers who scammed scammers getting scammed come from BreachForums.<\/p>\n

Following the news that a scammer was pretending to be Omnipotent (one of the founders and administrators of RaidForums<\/a>) to trick users into paying $250 to join the \u2018new RaidForums,\u2019 the BreachForums administrator started a contest: $100 to whoever \u201ctrolls this man the hardest.\u201d<\/p>\n

\"An<\/a><\/p>\n

Figure 38: The BreachForums administrator announces a contest to troll a scammer<\/em><\/p>\n

\"An<\/a><\/p>\n

Figure 39: One of the entries to the trolling contest. A BreachForums user sent this screenshot to the scammer, saying they couldn’t access the fake RaidForums site<\/em><\/p>\n

The eventual winner convinced the scammer that their website was leaking sensitive information, by showing them a screenshot of the Apache Server Status page. The scammer ended up taking the site down because they thought it had been compromised.<\/p>\n

\"A<\/a><\/p>\n

Figure 40: Part of a long trolling thread targeting a BreachForums scammer<\/em><\/p>\n

According to recent posts, the same scammer is back at it again, and the BreachForums administrator has started another trolling contest \u2013 this time with a $300 prize.<\/p>\n

Finally, the BreachForums administrator scammed a scammer personally. An individual registered a Telegram username very similar to BreachForums, and was offering public databases for sale.<\/p>\n

The admin offered to buy the username from the scammer.<\/p>\n

\"An<\/a><\/p>\n

Figure 41: The BreachForums administrator contacts a scammer and asks them to sell their Telegram handle<\/em><\/p>\n

After some back and forth, they agreed on a price of $10,000, and the admin asked the scammer to transfer the group to his account. The scammer was concerned about being scammed, but the admin reassured them, citing their reputation:<\/p>\n

\"The<\/a><\/p>\n

Figure 42: The administrator reassures the scammer that they won’t get scammed<\/em><\/p>\n

Once the scammer transferred ownership, the admin removed the scammer\u2019s permissions and banned him. Without paying, naturally – making this a rip-and-run scam against a scammer.<\/p>\n

\"A<\/a><\/p>\n

Figure 43: The BreachForums administrator bans the scammer<\/em><\/p>\n

The scammer was not thrilled.<\/p>\n

\"The<\/a><\/p>\n

Figure 44: The scammer threatens the BreachForums admin<\/em><\/p>\n

According to the admin, the scammer later attempted to DDoS BreachForums, but there have been no other repercussions since.<\/p>\n

In the third part of our series, due out the same time next week (Wednesday 21 December), we\u2019ll look at a specific, curious large-scale typosquatting scam, which involved a coordinated network of twenty fake marketplaces.<\/p>\n<\/p><\/div>\n

http:\/\/feeds.feedburner.com\/sophos\/dgdY<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

<\/p>\n

Credit to Author: Matt Wixey| Date: Wed, 14 Dec 2022 12:00:20 +0000<\/strong><\/p>\n

A shadowy sub-economy is more than just a curiosity \u2013 it\u2019s booming business, and also an opportunity for defenders. In the second part of our series, we look at the different flavors of scams prevalent on criminal forums<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10377],"tags":[28039,11638,28040,21828,10574,27030,16771,15775],"class_list":["post-20803","post","type-post","status-publish","format-standard","hentry","category-security","category-sophos","tag-breachforums","tag-exploit","tag-marketplaces","tag-raidforums","tag-scams","tag-sophos-x-ops","tag-threat-research","tag-xss"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20803","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20803"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20803\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20803"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20803"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20803"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}