We’ve written a number of articles about different aspects of the underground economy, the online platform that facilitates the sale of stolen goods such as credit card credentials. We’ve also discussed different ways the underground has evolved, such as the introduction of automated online stores that enable the sale of stolen credentials 24/7. Now, we want to take a look at how the underground economy differs in different regions of the world, and also at a new development that’s changing a characteristic of the underground economy that has existed since its inception over a decade ago.
Profiling Cyber Criminals – Characteristics Based On Location:
First, let’s start with the underground in different parts of the world. It should be noted that, before the underground existed, there had never been such an accessible platform for crime, which is one of the reasons cybercrime is now so widespread. Understanding the behavior of cybercriminals from different parts of the world can give some interesting insight into the trends observed in each underground market.
Russian Cyber Criminals
Russian cybercriminals are considered the most sophisticated in the world. The majority of the most sophisticated cyberattacks, tools and methods have originated from Russia. The Russians are also responsible for the development of some of the most advanced Trojan Horses and botnets, enabling them to conduct criminal operations that are massive both in terms of scope and revenues. With this, it’s no wonder Russians have their own underground forums and circles, which are usually more closed-off to newcomers than their English-language counterparts. Finally, Russians typically target victims from all over the world, except for other Russians. Often, this gives them some immunity from getting arrested.
Brazilian Cyber Criminals
Brazil is the second biggest originator of malware after Russia. Brazilian cybercriminals are also associated with some of the more sophisticated attacks we’ve seen, such as exploiting a vulnerability that enabled them to clone Chip-and-PIN cards. Unlike their Russian counterparts, Brazilian cybercriminals tend to focus on Brazilian victims, typically targeting local banks. While Russians have their own circles, they are also quite active in English-speaking forums. Brazilians, however, rarely participate in underground circles that are not local.
German Cyber Criminals
Much like Brazilian cybercriminals, German cybercriminals target mostly German banks and victims. They have their own German-speaking circles that contain a lot of localized content such as how to use Packstations (automated machines that can receive items ordered online) for fraudulent use.
Nigerian / Ghanaian Cyber Criminals
Nigerians have a bad reputation in the underground. Many fraudsters label them as “rippers,” or fraudsters who rip off other fraudsters, and are unwilling to deal with them. That, of course, is a generalization; there are many Nigerians who are quite capable cybercriminals, and they use their command of the English language to perform various types of scams across the Internet. However, most Nigerians aren’t very sophisticated scammers. They focus on email-based scams rather than operating large botnets and malware. It’s worth noting that many of the cybercriminals who are labeled as Nigerians by other fraudsters are, in fact, from the neighboring country of Ghana.
What’s Changing in the Underground
The underground economy—no matter which region we’re looking at—was always designed to be more than just a marketplace. It was designed to be a community where members help each other out.
For example, fraudsters provided their peers with tutorials. More experienced fraudsters answered beginner questions that came in from less experienced ones. Cybercriminals didn’t shy away from educating one another; if anything, allowing new blood to come into the game also created new customers, which was never bad for business. But that community-like characteristic is now fading as fraudsters have discovered they can gain from their knowledge.
A few years ago, cybercriminals trading goods in the underground realized that they were not the only participants in underground forums and marketplaces. Law enforcement agencies, security companies and even reporters are participating in these forums as well, monitoring public discussions. As a result, any methods that fraudsters were sharing for free usually ended up being flagged and “burnt” immediately.
As a result, open forums where lower-tier fraudsters were operating started dying down with fewer participants and fewer goods being sold on them. More sophisticated fraudsters—those who operated in secretive, closed forums—still shared information among themselves. But to the majority of fraudsters, especially the newer ones, underground forums stopped being a stepping stone into the world of cybercrime.
With this change, cybercriminals realized that they had something in their arsenal besides stolen credit cards that could earn them money: their knowledge. They came to understand that knowing how to commit fraud and how to execute cybercrimes was the real gold. After all, having compromised bank account details only goes so far—one also needs to know how to actually get money out of the compromised account, and should also have information related to the specific bank, such as how much money they should transfer at a time and what information they need for authentication.
This is how a new product—one that’s changing the core of the underground—was born: the method. Fraudsters are now selling methods for targeting specific organizations, and their methods cost various amounts of Bitcoins depending on how profitable they are. For example, one type of method a cybercriminal might sell explains how to reach key management at a specific firm, which might allow a hacker to inject malware into that firm’s systems. Knowledge is power, and power costs money; with this development, the underground economy just became even more capitalist, and less of a place for fraudsters to educate and help one another.
By selling their methods instead of sharing them, fraudsters tick off two boxes simultaneously. First, they make money, which naturally supports the entire point of their operating in the underground to begin with. Second, by keeping their methods secret from the general fraudster population and providing them only to paying customers, cybercriminals are able to keep these methods from being discovered by law enforcement agencies. This also gives them additional incentives for continuing to poke and prod at financial institutions, merchants and other organizations in order to discover new opportunities for committing fraud, i.e., new methods to eventually sell.
Considering how long the underground has been around, it’s no surprise that fraudsters’ methods for making money are evolving. It will be interesting to see what other ‘goods’ they discover are profitable besides our stolen credentials as time goes by and the playing field continues to change.