Web Fraud 2.0
On the Security Fix series.
Today Internet crime is mostly automated, says Brian Krebs of the Washington Post's Security Fix. Brian's done extensive research into the online organised crime community.
Brian lurked for months on some of the more popular (and even by invitation only) criminal forums.
Following is a summary of his findings; use the links at the end of this article to read the full story.
Web Fraud 2.0: Cloaking Connections
'Even the greenest cyber crook knows you never use your own Internet connection', writes Brian. Crooks used to use 'open proxies' but those servers are today an endangered species. For a minimal fee you can download software to give you all the anonymous connections you need.
Such is the attraction of sites such as infecter.net, 5socks.net and anyproxy.net. Ancillary software can change the connecting IP so crooks can appear to be coming from a new address.
The flashiest product on the market, says Brian, is XSOX. It costs $50. But you can't pay with Visa or MasterCard - these people accept only WebMoney, a payment system run out of Belize by 'WM Transfer Ltd'.
Their 'currencies' are 'WMZ' for USD, 'WMR' for rubles, 'WME' for euros, and 'WMU' for Ukraine hryvnias.
Using XSOX the crook is able to circumvent rudimentary IP checks by online banking sites. 'If your victim lives in Indianapolis, no problem', writes Brian. 'Just scroll down the list of available proxies, or sort by state and country, and double click the Internet address in Indianapolis.'
Web Fraud 2.0: Validating Your Stolen Goods
'If there is any truth to the old saying there is no honour amongst thieves then it is doubly true for thieves who transact with one another yet never actually meet face to face', writes Brian. Thus a new type of criminal service: the website that checks whether stolen accounts are legitimate and still active.
Such a site is sh0pp0rtal.net. 78,628 stolen Visa and MasterCard accounts were available.
'There are Some Things Money Can't Buy. For Everything Else there are Credit Cards.' - sh0pp0rtal.net
The ambition of sh0pp0rtal.net is grandiose - and totally necessary in the hard core world populated by plastic card companies with their ginormous behavioural databases. Clients can choose cards from particular cities or countries to circumvent consistency checks [which they coordinate with spoofed IPs natch].
Brian searched for available accounts in his home state in the US and found 2,149 cards for sale. Each item comes with an account number; an expiration date; and an account holder's name, address, and phone number.
The price? $1.20 per card.
Or sh0pp0rtal.net clients can search by 'BIN' - bank identification number. And if you don't know the BIN of the bank you're gutting no problem either: sh0pp0rtal.net offers listings of thousands of BINs.
Don't want to ruin a bank this week? Prefer PayPal? No problem either. Prices fluctuate from $3 to $50 depending on a number of factors. The priciest accounts are the 'dormant' ones: the reasoning is the real owners are relatively clueless and won't be logging back in for a while.
But why trust sh0pp0rtal.net? They're thieves too - right? Precisely. So there are sites that check your fellow thieves for you: they check the validity of the stolen accounts you're planning on buying.
Prices start at about $25 for 50 checks; pay at least $1500 up front and you can conduct as many checks as you want.
And how do they do it without attracting attention? They serve up 'pre-auth' requests spoofed to appear to come from the stolen accounts.
Web Fraud 2.0: Digital Forgeries
'Positively identifying someone online - by name, or physical location - is extremely difficult', Brian reminds his readers. 'Many Internet firms seek to verify the identity of customers by requesting scanned copies of their driver's licenses, passports, or utility bills.'
'But what if services aimed at creating counterfeit versions of these documents became widespread? How long could businesses continue to rely on this method of identification?'
Amongst the most active such services is scanlab.name. Pay €35; tell scanlab.name what type of credential you're after and the ID info you want on it; and scanlab.name send you back a really good digital forgery.
[And right now they're having a sale: €25 only!]
The institutions holding the funds may require scans of your driver's licence and a utility bill with your name and address; no problem! For €35 (now €25) scanlab.name make it a walk in the Парк.
You can even create 'legitimate' US corporations with banking accounts protected by the FDIC. And scanlab.name have all you need.
Web Fraud 2.0: Distributing Your Malware
But at the end of the day it's all about distribution - infection in other words. Certainly Bill Gates has been a true philanthro-pisser here, giving millions of cybercrooks the ultimate sucker system to exploit.
[Does Bill Gates get a commission? Perhaps he's a majority stockholder? Intentionally or not - or through pure arrogance - he's the 'gray eminence' behind it - the one factor organised online crime are ABSOLUTELY dependent on.]
loads.cc: a website that loads your own home grown malware onto 264,552 Windows PCs in more than a dozen countries. The service gains over 1,000 new infected Windows PCs per hour.
Price: about $0.10 per propagation. Getting into all 264,552 Windows boxes costs you about $25 K.
Other sites arriving on the scene such as loadsforyou.biz offer competitive rates - get 10,000 Windows PCs under your control for only $120! And some of these new sites accept PayPal as well!
At this point Brian pauses for a bit of sober thought.
'If a know-nothing cyber crook can pay $120 and infect 10,000 already hacked PCs in the US, what does that say about the sheer number of systems under control of the bad guys? To me it says that compromised machines or bots as they are more commonly known have become a commodity - undifferentiated goods characterized by a low profit margin.'
Web Fraud 2.0: Thwarting Anti-Spam Defenses
CAPTCHAs - or 'completely automated public Turing tests to tell computers and humans apart' - are supposed to thwart spammers trying to infect Web 2.0 sites. Certainly crooks have technologies to sidestep them - but do you need such technologies when dimwitted surfers will do it cheaper?
'We work with tens of thousands of people from all over the world who are ready to work for a small payment to convert text pictures sent by you. You give the CAPTCHAs to our server which hands it to the workers. In a few seconds our server will receive the converted CAPTCHA as text and relay it back to you. As a rule this time does not exceed 20 seconds and that's quite fast enough for a successful registration anywhere CAPTCHA is in use.'
Such is the business portfolio of anti-captcha.com. Price? $1/1000 CAPTCHAs.
You can also purchase new and used Gmail and Yahoo webmail accounts in bulk - 1,000, 10,000, or 100,000 accounts all at once.
1,000 new Gmail accounts: $8; 10,000 new Gmail accounts: $64; 50,000 new Gmail accounts: $280; 100,000 used Yahoo accounts: a mere $150-$200.
So what are you waiting for? Microsoft still have over 90% of the PC market; your opportunities are not going to disappear overnight!
Security Fix Web Fraud 2.0: Cloaking Connections
Security Fix Web Fraud 2.0: Validating Your Stolen Goods
Security Fix Web Fraud 2.0: Digital Forgeries
Security Fix Web Fraud 2.0: Distributing Your Malware
Security Fix Web Fraud 2.0: Thwarting Anti-Spam Defenses