The Fraudster Economy Model - The Dynamics of Operating a Business in the Underground

This white paper provides a theoretical model of the supply and demand forces that exist in the underground, creating preferred targets and driving fraudsters to aim their efforts at attacking certain financial institutions or service providers.


RSA White Paper

Phishing first gained traction in 1996 with hackers trying to steal America Online passwords from unsuspecting users. Today, it has evolved into a far more menacing criminal enterprise, with bands of fraudsters working together to create schemes that dupe unsuspecting online users into divulging personal details—most often, their online banking credentials. And while the complexity and sophistication of phishing attacks grows, even more alarming are their numbers. According to Microsoft, 31.6 million phishing scams were identified in the first half of 2007—marking an increase of more than 150 percent over the previous six months.

The popularity of phishing scams within fraudster circles is mainly driven by a low execution cost and the fact that little technical knowledge is required to set them up. These two elements are even more prolific due in part to online fraudster communities and public discussion forums, also known as “the fraudster underground,” which is accessible to almost anyone. The activities within the underground often fuel the volume of phishing attacks occurring on a daily basis but can also determine the target, the type of attack, and the tools and methods used to commit an attack.

This white paper serves to provide a theoretical model of the supply and demand forces that exist in the underground—creating preferred targets and driving fraudsters to aim their efforts at attacking certain financial institutions or service providers. We will focus on phishing specifically—even though it is only one tool in the arsenal of weapons fraudsters use to obtain compromised credentials. However, this model may also be applied to other threats, such as Trojans and pharming attacks, as it does not deal with the actual technique.

How the Fraudster Underground Operates

The fraudster underground is a marketplace for selling compromised credentials and the technology and services used in the commission of fraud. Much like any free market, most fraudsters who participate in it are not “jacks of all trades,” but specialize in offering specific technologies or services. For example, one fraudster may specialize in obtaining lists for sending phishing emails while another fraudster may provide access to a botnet of compromised machines that are used as proxies. This unique characteristic of the fraudster economy lowers the barriers to entry for those seeking an induction into this criminal underworld, as they only have to offer expertise in one specific area and can buy or partner for the rest of what they need. A fraudster seeking to set up a phishing attack, for example, does not need the technological know-how for hacking servers. Instead, he can simply purchase root access to compromised machines from another fraudster for around $30. Another advantage of participating in the online fraudster community is the ability to partner with other fraudsters from all over the world. This is especially useful in cases where physical presence is needed, making the geographical location of the fraudster important.

One of the most popular services offered in the underground is the cashout service. “Cashout” in fraudster terminology refers to the process of turning compromised credentials into cold hard cash. This is the point where cybercrime and real-world financial crime intersect, as the credentials obtained online are used in the real world. The cashout service usually requires a “mule”—a fraudster, or someone who works for him, operating in the targeted country—in order to be successful. For example, consider a Romanian fraudster who launches a major attack against a series of U.S. banks. His greatest chance of success will be using American-based fraudsters to cashout the credentials he obtains and receiving a share of the stolen proceeds (typically sent via Western Union or an online currency service).

Fraudster Communities

The fraudster underground utilizes two main channels for communication—IRC chat rooms and forums. Both communication vehicles essentially share the same characteristics but also offer significant differences. Internet Relay Chat, or IRC, is a widely used protocol for conducting online conversation. Chat rooms in the fraudster underground can be compared to a bazaar of stolen goods, with vendors repeatedly “shouting” which products and services they are offering and for what price. Much like a bazaar, there is very little personal chatter. It’s all business—when one is interested in purchasing a product or service, he sends a private message to the vendor where the terms of the deal are disclosed and the purchase is finalized.

For as much as the IRC chat rooms can be compared to a bazaar, the fraudster forums are like a country club. Forums are much more organized and structured than the IRC channels, are usually populated by more influential and experienced fraudsters, and provide more community-based services for the well-being of their members. A requirement of most forums is for members to adhere to just one username in order to build their reputation. A fraudster looking to sell goods must first undergo a rigorous review to prove he offers quality products and services and is reliable in order to earn the title of a “verified vendor”—a seal of approval by the forum staff that a fraudster is legitimate (and not a “ripper”—a fraudster known for scamming others and/or backing out on deals). Further services are offered, such as escrow services, to ensure that members’ deals are completed in full. Finally, forums offer non-business-related talk regarding scene news, members and events. Tutorials for newcomers and public assistance are also commonly found in the forums. Due to the more organized nature of forums, they experience considerably fewer cases of “ripping” or scamming. Some forum members actually look down on users of the IRC channels, calling them “IRC kiddies.”

The Fraudster’s Business Model

While each fraudster specializes in a different practice, those that participate in the various interactions in the fraudster underground share the following:

– Intent – Each fraudster has two main intentions—to make as much money as possible and to avoid capture. These are the two characteristics that can be universally applied to every individual fraudster.
– Means – Both knowledge and tools can be characterized as the means that allow a criminal to commit acts of fraud. While the means used to commit fraud may differ by the individual fraudster, they all share this common characteristic. By allowing fraudsters to communicate, share best practices and trade tools, the underground serves as a conduit that fosters the continued growth of online fraud and has a direct impact on the means each fraudster has at his disposal to launch an attack. The underground provides fraudsters with access to the knowledge and tools needed to commit fraud and the ability to purchase or trade services for whatever he is missing.
– Target – Every fraudster has a target. A target may be as narrow as a single financial institution or as wide as “U.S. merchants.” Even fraudsters who are not involved in actual cashout activities have certain targets. For example, a fraudster that sells “dumps” may sell credentials issued by U.S., Canadian and European financial institutions. Fraudsters that sell infrastructure, such as tools, tend to have the widest targets, while fraudsters that deal with cashout operations tend to have the narrowest. The specific target(s) of a fraudster may be influenced by internal factors (e.g., resources available) or external factors (e.g., the forces of supply and demand).

The Facts on Phishing, Trojans and Malware

– According to PhishTank, a unique phishing scam is launched every two minutes.
– In April 2007, RSA reported that more than half of all phishing attacks were being hosted in the U.S.
– About 80% of all phishing pages detected and tracked by Microsoft were written in English.
– Symantec reports that 22% of all items advertised for sale in the fraudster underground were bank accounts, followed by credit cards and personal information profiles.
– The U.S. hosted 58% of all fraudster underground economy servers, according to Symantec.
– Malware damages in 2006 cost businesses $13.3 billion, according to technology research firm Computer Economics.
– The latest Sophos Security Threat Report shows a web page is infected with malware every five seconds. In the first quarter of 2008, over 15,000 web pages were infected with malware; 80% of those pages were on legitimate websites.
– More than 200,000 malware variants were discovered in the second half of 2007 and infected nearly 19 million computer users, according to Microsoft.

Fraudster operations can be classified into the following three groups:

– Infrastructure – Infrastructure providers supply the resources necessary to commit fraud. Such infrastructure may include proxy servers, custom-made phishing kits, bulletproof hosting (a hosting service which ignores abuse requests), compromised servers, botnets and Trojan kits.
– Obtaining Credentials – Fraudsters who specialize in obtaining credentials use various techniques in order to obtain credentials from the customers of the institution being targeted. Such techniques include setting up phishing attacks (“spammers” in fraudster terminology, as they spam the phishing letter to potential victims) and infecting computers with keyloggers.
– Cashout – Usually operating as local gangs or in bands of mules, these fraudsters offer to turn stolen credentials into cash. They may target financial institutions, online merchants or brick-and-mortar stores. In the underground, these fraudsters are sometimes known as “cashiers.”

A “lifecycle” of fraud does not exist; in other words, the commission of fraud is not a constant series of events. In one case, a cashier may approach a spammer looking to purchase compromised credentials or even request that the spammer attack a certain target in order to collect credentials. On the other hand, a spammer may contact a cashier in order to open mule accounts at a certain financial institution. In both examples, infrastructure providers may supply both the spammer and the cashier with the tools necessary to commit fraud with minimum risk and high success rates.

The Forces of Supply and Demand

The forces of supply and demand depend largely on the vulnerabilities that exist at a certain financial institution or card issuer. For example, if a certain type of credit or debit card is found to be easy to cashout, cashiers across the underground would offer cashout services for that specific institution. This would cause a surge in demand for compromised credentials that spammers would attempt to supply. Alternatively, a target which is considered difficult to cashout would have very little supply and demand for compromised accounts, as cashiers prefer to target institutions that are easier to cashout. Simply put, when a major vulnerability is uncovered at a financial institution, the amount of “buzz” and traded goods within the fraudster underground increases dramatically. Sometimes, dedicated IRC chat rooms are opened bearing the name of the institution in which the vulnerability exists. However, once the vulnerability is fixed, activity subsides dramatically.

Conclusion

Even though it is a criminal enterprise, the fraudster underground can draw the following comparisons to most legitimate businesses in operation today:

– It’s all about the money. The bottom line is that no fraudster is assuming the high risk of getting caught without a handsome reward.
– A division of roles. Just as a legitimate business has marketing and sales, R&D, engineering and finance departments, each fraudster assumes a specific “work” role—whether as an infrastructure provider or a cashier.
– Performance is critical and there are rules and policies to follow. Even if fraudsters that have traditionally been reputable start to go astray, they are “fired” from their post within the community by their peers.
– Reputation is the key to success. Like a legitimate business that thrives on being recognized for superior customer service, fraudsters with a demonstrated reputation are rewarded with more business.
– The rules of supply and demand are always at work. When demand for a particular product or service increases, there is always a fraudster there to provide a supply.

RSA and the RSA logo are registered trademarks and/or trademarks of RSA Security Inc. in the U.S. and/or other countries. EMC is a registered trademark of EMC Corporation. All other products and/or services mentioned are trademarks of their respective companies. FRAECON WP 0508 H11935