Exploring Underweb forums: How cybercriminals communicate

Those who steal our financial information are able to conduct business in underground markets, but how does this "Underweb" criminal network operate? Michael Kassner does some digging.

Last week, I received a call from Visa. "Hello, Mr. Kassner, are you currently in Uzbekistan?" Huh. Ignoring me, the unflappable representative continued, "What's your mother's maiden name?" By then, I got it. Someone pilfered my credit card number...again.

As I shredded my credit card, a thought came to me. Do members of the Internet's dark side steal from each other?

Everything I read suggests — unlike above ground — there's an economic boom taking place in the digital netherworld. And, that doesn't happen if stealing from each other is the prime directive. So, what do they know that we don't? I had to find out, but where to start?

"Mutually distrustful parties"

Then I remembered "An Analysis of Underground Forums" written by a University of California, San Diego research team of Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker. Having worked with one of the authors — Stefan Savage — on a previous article, I knew the paper would be worth the read.

I was right:

"Unlike traditional online social networks such as Facebook, in underground forums, the pattern of communications does not simply encode pre-existing social relationships, but captures the dynamic trust relationship forged between mutually distrustful parties."

There it is: "relationships forged between mutually distrustful parties." I kept reading, hoping to find an answer on how, but didn't.

To be fair, that was not the goal of the research team. Their intent was to analyze activity records (I'll get back to this later) from several underground forums: BlackhatWorld (BH), Carders (CC), L33tCrew (LC), Freehack (FH), HackSector (HS), and HackeL1te (HL) and quantify the following:

  • The social makeup of forums.
  • How users interacted.
  • How individual reputations were established.
  • How reputations changed over time.

Exploring the Underweb

Not giving up, I asked Brian Krebs, a leading authority on computer crime and long-time hero of mine, for his help.

Why Brian?

Brian has experience infiltrating questionable underground organizations. I first read about his exploits when he worked for the Washington Post (Security Fix), then later at his blog Krebs on Security.

I contacted Brian, telling him about my proposal. He responded:

"There is so much to learn, and so many twists that I am still learning about them. Most of the boards that last have a fairly rigid social structure, and can be quite ruthless to members, even longtime members, who have shown themselves untrustworthy in some way."

And, Brian agreed to help. Yes!

Kassner: Brian, I thought it best to start with some basic questions.

We hear a lot about the underworld, but know very little about it. The research team's paper: "Analysis of Underground Forums" offers the following description:

"Users of underground forums participate in many activities similar to those found on traditional online social networks: they maintain profiles, add fellow users to buddy lists, and engage in conversations via private messaging.

However, the "raison d'etre" for such forums is not simply for social contact, but to support criminal (or at best "grey hat") activities. Thus, users of these forums regularly engage in the buying, selling and trading of abusive services and illegally obtained goods such as credit-card numbers, online currencies, compromised accounts, and even drugs."

Brian, do you agree with that? Did they miss anything?

Krebs: That's an accurate summary. The modern crime forum is really what makes the Underweb such a potent force. Criminals selling to criminals (crook-to-crook or C2C services) helps even the least experienced of the members get off the ground quickly. And most forums have tutorials and sections for newbies. But this "selling into the market" really lowers the bar for participation in the Underweb economy.

One thing I'd add is that while a great deal of criminal commerce does take place through private messages on the boards, increasingly members are insisting that transactions be consummated via instant message, and that principally is Jabber these days.

Kassner: I mentioned earlier that I had no idea about this. How does one go about finding and joining underground forums?

Krebs: There are three main ways. One is that you build up a reputation on one board and use it to leverage your way into another. More common is the vouch: An existing member vouches for a new member, and if that member turns out to be a noob, a ripper (person who scams other members), or a snitch, then that may jeopardize the membership of the voucher.

A third way is not as uncommon as you might think: Hijacked and stolen accounts. Many forum members, despite the obvious risks, are human and therefore lazy, and tend to pick easily guessed passwords. There have been countless breaches of forum databases that show many members even use the same passwords at multiple forums.

Kassner: How does one prepare, technically, to infiltrate an underground forum?

Krebs: It would depend greatly on the forum. Some forums have multiple layers of physical and operational security: They require browser certs, specific OS language settings, and knowledge of specific ports, and they may pay attention to your IP address logins. Others don't care about any of that, and even let users log in via http:// (unencrypted) connections.

Beyond that, it helps to know the language of the forum. Many crime forums are in Russian, and some of those will become alarmed if they see some moron in the channel asking questions in English. It's also not terribly useful to simply get on these forums as an English speaker and try to communicate using Google Translate. Translate is great for what it is, but most of these guys on the forums can spot a non-native speaker from a mile away.

I've been learning Russian for many years now, and I still get called out (usually in the context of my having reached out to a member to learn more about his services/tools/offerings) and that member will simply switch to English because he wants to make a sale and can tell Russian isn't my first language.

Also, you'd better be familiar with the etiquette of the forums, or you could find your hard-won new member account banned or set to "deer/noob" status.

Kassner: The research paper refers to:

"Dynamic trust relationships forged between mutually distrustful parties."

Brian, you must have run into this. How do "mutually distrustful parties" engage in online relationships? Is there a vetting process that you had to go through?

Krebs: Yes, many forums will put new members through a brief membership vetting process, where existing members are encouraged to vet the newcomer, test their knowledge, probe their history, etc.

Beyond that, the core trust component of crime forums is the same as regular forums or places like eBay: Reputation. If you make a sale on the underground, you get reputation or "rep" points. If you help a member out, by responding to a request or question, they may be able to award you reputation points (if they themselves have been on the forum long enough to earn that right).

Conversely, if you act like a moron, rip people off, flood other members' threads with off-comment observations or sales pitches of your own, you're going to lose points. It's worth noting that if you have no points, it's akin to having no credit: It's difficult for forum members to trust you, since they have no basis or history on which to determine the appropriate trust level.

Kassner: Apparently, not all is perfect in the netherworld. It appears underground forums have members who misbehave, and on occasion, get banished. Ironically, the paper claims banishment is usually due to a lack of scruples. The following chart lists the top three reasons for getting banned:

Spammer and malware are self-explanatory. The others aren't:

  • Duplicate accounts (dup. acc): Trying to circumvent a prior ban.
  • Inflammatory posts (Infl. Posts): People tagged as being "trolls."
  • Misuse: Abusing forum regulations.
  • Rippers: Deceiving other members.
  • Trade-related issues (Trade-rel.): Bartering restricted objects.

Brian, did you come across any occurrences of people being banned? What happened?

Krebs: Probably the most common reason is ripping. The person who was ripped will usually post a copy of the instant message transcript(s) of the transaction and subsequent conversations as proof of the infraction(s). If the forum admins agree, the violator will be bumped to ripper status. This happens all the time, every day on many forums.

Kassner: So, underground forums do have problems. But, they still exist, even flourish. Were you able to see anything below ground that might help improve security/privacy for us topside?

Krebs: Good question. I'd say it's a reminder that things that threaten our security also hound the bad guys. For example, poor security practices (sloppy passwords), and social engineering (wanting something without doing due diligence on the source or its reputation).

The forums can be good indicators of what's going on or coming up soon topside. For example, oftentimes you can find sales of major hacked sites, or specific databases that provide early warning of compromises. To the extent that some trading in exploits and software/hardware/process vulnerabilities takes place on the underground, it may be an indicator of where to look for flaws or upcoming attacks.

There is a great deal of intelligence to be gleaned from the Underweb, but not all of it is accurate, timely, genuine, or what it appears to be.

Activity records

I mentioned that I'd get back to how the research team garnered so much information about six well known underground forums. Since that was not spelled out in the paper, I decided to ask the team. And, researcher Marti Motoyama was kind enough to answer.

Kassner: The paper mentions how you received the leaked activity records:

"In this study we have the luxury of "ground truth" - complete records of six underground forums via SQL dumps of their underlying databases."

And:

"For a more comprehensive list of the available data, please refer to the Invision Power Board (for L33tCrew) and vBulletin database schemas. We briefly describe the purpose of each forum."

I am curious and I'm betting the readers are as well. How did you obtain actual activity records from these forums?

Motoyama: We don't know the true origin of the databases in the same way one doesn't know the precise provenance of data appearing at WikiLeaks.

Our understanding is that rival criminal groups — who hack into, then post their competitor's databases publicly (simultaneously an act demonstrating their abilities and demeaning their competitors) — have acquired much of it.

We typically found these database dumps either through our own underground sleuthing or with help from third parties who actively monitor Internet criminal activity.

Final thoughts

Thanks to the research team and Brian, we have a better idea as to the goings on in the digital underground. The jury is still out on whether it's an honor system or if they've built a better mouse trap.

Personal Note: My dear friend and writing mentor made me promise something before he left. Never, never forget the responsibility entrusted a wordsmith. I'll try, but need your help.

Peace, man.
