1. page 1R S A M O N T H LY F R A U D R E P O R T
F R A U D R E P O R T
MO’ MONEY MO’ PROBLEMS
Ever since the Liberty Reserve takedown in May of last year and the confiscation of all
accounts by law enforcement, fraudsters have been busy finding a solid currency to
which they can entrust their spoils without the risk of losing them in a bust. The obvious
choices were Perfect Money and BitCoin, but both currencies carry inherent risk. Perfect
Money is of questionable background, while BitCoin does not provide fraudsters the
required level of anonymity and is not immune to seizure. These risks have pushed the
underground to adopt—or really create—unique currency systems to help protect the
financial security of its dwellers.
In a recent on-going investigation, RSA’s Fraud Intelligence agents have identified and
have been tracking the growing adoption of forum-specific currencies. These financial
platforms allow users to safely transact within their own community, under the
supervision of the forum administrator, avoiding the use of the more public currency
options such as Perfect Money and BitCoin. In some instances different forums shared
the same currency further widening the use and adoption of these platforms.
The MUSD currency is used in a single underground board, and has been active since
November 2013. Forum members can use the currency to purchase items/services from
each other, as well as pay for advertising on the board itself. The currency provides a
built-in escrow-service and guarantees anonymity. The forum administrator vouches for
the currency system and is responsible for all its operations.
One can exchange funds to or from MUSD through exchange agents. Two verified
exchange agent services currently work with MUSD in this board, with one offering to
cash out MUSD for hard currency in person at an office in Kiev, Ukraine. Exchange rates
are linked to the US dollar and are set at 1 MUSD = $1 USD.
2. page 2R S A M O N T H LY F R A U D R E P O R T
UNITED PAYMENT SYSTEM
The United Payment System currency appears to be shared by four different Russian
language forums, with each forum designating its own sub-currency with the forum’s
initials. For example, DM RUR and MM RUR (DM and MM are initials of forum names, and
“RUR” indicates Russian Ruble). Each forum has its own official exchange agent, and
each exchange agent has an administrator. To make sure the exchange agent stays
“honest”, a senior forum member is appointed to supervise and review the activities of
the exchange agent. Funds can be added or cashed out via the exchange agents with
cash out options including refilling different pre-paid cards.
The interesting thing about this currency is that it is shared across a number of forums
allowing members from different forums to transact.
UAPS has been in use for over a year and is used with two of the most powerful boards in
the Russian-language cybercrime community and in fact is referred to as the ‘First
Commercial Bank’ on one of them. Of the three currencies discussed here, it appears to
be the most advanced and secure option for fraudsters, with ongoing improvements and
upgrades being implemented by a dedicated software team. Adding funds and cashing
out is available directly from the UAPS system.
The system emphasizes maintaining end-user security and privacy, implementing a strict
data retention policy of just two months.
The advent of new private financial systems and currencies in the Russian-language
cybercrime community is a trend indicating a stronger level of collaboration, cooperation
and sophistication amongst individual fraudsters and between fraudster boards in the
These new internal currencies are carefully administered and secured, ensuring a high
level of anonymity in transaction and hiding the user identities, making it more difficult
for law enforcement to trace, block, or seize funds and accounts.
MUSD exchange rates
United Payment System icon
UAPS currency system login screen
3. page 3R S A M O N T H LY F R A U D R E P O R T
Phishing Attacks per Month
RSA identified 36,883 phishing attacks in
February, marking a 21% increase from
January’s attack numbers. This also
represents a 35% increase from the
number of attacks a year ago.
US Bank Types Attacked
Nationwide banks continued to be the
most targeted by phishing with 68% of total
volume in February, and credit unions saw a
sharp spike in attacks – jumping from 16%
to 27% compared to January.
Top Countries by Attack Volume
The U.S. remained the most targeted
country in February with an overwhelming
77% of total phishing volume, followed by
the UK, South Africa, the Netherlands, and
Source: RSA Anti-Fraud Command Center