
Exploring Underweb forums: How cybercriminals communicate

Those who steal our financial information are able to conduct business in underground markets, but how does this "Underweb" criminal network operate? Michael Kassner does some digging.

Last week, I received a call from Visa. "Hello, Mr. Kassner, are you currently in Uzbekistan?" Huh. Ignoring me, the unflappable representative continued, "What's your mother's maiden name?" By then, I got it. Someone pilfered my credit card number...again.

As I shredded my credit card, a thought came to me. Do members of the Internet's dark side steal from each other?

Everything I read suggests -- unlike above ground -- there's an economic boom taking place in the digital netherworld. And, that doesn't happen if stealing from each other is the prime directive. So, what do they know that we don't? I had to find out, but where to start?

"Mutually distrustful parties"

Then I remembered "An Analysis of Underground Forums" written by a University of California, San Diego research team of Marti Motoyama, Damon McCoy, Kirill Levchenko, Stefan Savage, and Geoffrey M. Voelker. Having worked with one of the authors -- Stefan Savage -- on a previous article, I knew the paper would be worth the read.

I was right:

"Unlike traditional online social networks such as Facebook, in underground forums, the pattern of communications does not simply encode pre-existing social relationships, but captures the dynamic trust relationship forged between mutually distrustful parties."

There it is: "relationships forged between mutually distrustful parties." I kept reading, hoping to find an answer as to how, but didn't.

To be fair, that was not the goal of the research team. Their intent was to analyze activity records (I'll get back to this later) from several underground forums: BlackhatWorld (BH), Carders (CC), L33tCrew (LC), Freehack (FH), HackSector (HS), and HackeL1te (HL) and quantify the following:

  • The social makeup of forums.
  • How users interacted.
  • How individual reputations were established.
  • How reputations changed over time.

For example:

Exploring the Underweb

Not giving up, I asked Brian Krebs, a leading authority on computer crime and a long-time hero of mine, for his help.

Why Brian?

Brian has experience infiltrating questionable underground organizations. I first read about his exploits when he worked for the Washington Post (Security Fix), then later at his blog Krebs on Security.

I contacted Brian, telling him about my proposal. He responded:

"There is so much to learn, and so many twists that I am still learning about them. Most of the boards that last have a fairly rigid social structure, and can be quite ruthless to members, even longtime members, who have shown themselves untrustworthy in some way. "

And, Brian agreed to help. Yes!

Kassner: Brian, I thought it best to start with some basic questions.

We hear a lot about the underworld, but know very little about it. The research team's paper: "Analysis of Underground Forums" offers the following description:

"Users of underground forums participate in many activities similar to those found on traditional online social networks: they maintain profiles, add fellow users to buddy lists, and engage in conversations via private messaging.

However, the "raison d'etre" for such forums is not simply for social contact, but to support criminal (or at best "grey hat") activities. Thus, users of these forums regularly engage in the buying, selling and trading of abusive services and illegally obtained goods such as credit-card numbers, online currencies, compromised accounts, and even drugs."

Brian, do you agree with that? Did they miss anything?

Krebs: That's an accurate summary. The modern crime forum is really what makes the Underweb such a potent force. Criminals selling to criminals (crook-to-crook or C2C services) helps even the least experienced of the members get off the ground quickly. And most forums have tutorials and sections for newbies. But this "selling into the market" really lowers the bar for participation in the Underweb economy.

One thing I'd add is that while a great deal of criminal commerce does take place through private messages on the boards, increasingly members are insisting that transactions be consummated via instant message, and that principally is Jabber these days.

Kassner: I mentioned earlier that I had no idea about this. How does one go about finding and joining underground forums?

Krebs: There are three main ways. One is that you build up a reputation on one board and use it to leverage your way into another. More common is the vouch: An existing member vouches for a new member, and if that member turns out to be a noob, a ripper (person who scams other members), or a snitch, then that may jeopardize the membership of the voucher.

A third way is not as uncommon as you might think: Hijacked and stolen accounts. Many forum members, despite the obvious risks, are human and therefore lazy, and tend to pick easily guessed passwords. There have been countless breaches of forum databases that show many members even use the same passwords at multiple forums.

Kassner: How does one prepare, technically, to infiltrate an underground forum?

Krebs: It would depend greatly on the forum. Some forums have multiple layers of physical and operational security: They require browser certs, specific OS language settings, and knowledge of specific ports, and they may pay attention to your IP address logins. Others don't care about any of that, and even let users log in via http:// (unencrypted) connections.

Beyond that, it helps to know the language of the forum. Many crime forums are in Russian, and some of those will become alarmed if they see some moron in the channel asking questions in English. It's also not terribly useful to simply get on these forums as an English speaker and try to communicate using Google Translate. Translate is great for what it is, but most of these guys on the forums can spot a non-native speaker from a mile away.

I've been learning Russian for many years now, and I still get called out (usually in the context of my having reached out to a member to learn more about his services/tools/offerings) and that member will simply switch to English because he wants to make a sale and can tell Russian isn't my first language.

Also, you'd better be familiar with the etiquette of the forums, or you could find your hard-won new member account banned or set to "deer/noob" status.

Kassner: The research paper refers to:

"Dynamic trust relationships forged between mutually distrustful parties."

Brian, you must have run into this. How do "mutually distrustful parties" engage in online relationships? Is there a vetting process that you had to go through?

Krebs: Yes, many forums will put new members through a brief membership vetting process, where existing members are encouraged to vet the newcomer, test their knowledge, probe their history, etc.

Beyond that, the core trust component of crime forums is the same as regular forums or places like eBay: Reputation. If you make a sale on the underground, you get reputation or "rep" points. If you help a member out, by responding to a request or question, they may be able to award you reputation points (if they themselves have been on the forum long enough to earn that right).

Conversely, if you act like a moron, rip people off, flood other members' threads with off-comment observations or sales pitches of your own, you're going to lose points. It's worth noting that if you have no points, it's akin to having no credit: It's difficult for forum members to trust you, since they have no basis or history on which to determine the appropriate trust level.
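The vouching and reputation rules Brian describes above (vouch liability, rep for sales, award rights gated by tenure, demotion to ripper on an accepted transcript, and "no points is like no credit") are easier to reason about as a small model. The following Python is an added illustration written for this article; it is not forum software, not the research team's code, and every threshold in it (tenure before awarding, penalty sizes, the "established" cutoff) is an assumed value chosen only to make the scenario run.

```python
"""Toy model of the trust rules described in the interview: vouching,
reputation points, tenure-gated awards and ripper demotion.
Constructed example; all numeric thresholds are assumptions."""
from dataclasses import dataclass
from typing import Optional

MIN_TENURE_TO_AWARD = 90   # days on the forum before a member may award rep (assumed)
TRUSTED_REP = 10           # rep at which a member counts as established (assumed)
RIPPER_PENALTY = 25        # rep lost on demotion to ripper (assumed)
VOUCHER_PENALTY = 5        # rep lost by whoever vouched for a ripper (assumed)


@dataclass
class Member:
    name: str
    joined_day: int
    rep: int = 0
    status: str = "member"          # "member" or "ripper"
    voucher: Optional[str] = None   # who vouched this member in, if anyone


class Forum:
    def __init__(self) -> None:
        self.members: dict[str, Member] = {}

    def add_founder(self, name: str, day: int, rep: int) -> Member:
        self.members[name] = Member(name, day, rep)
        return self.members[name]

    def join_by_vouch(self, newcomer: str, voucher: str, day: int) -> Member:
        """An existing member in good standing vouches for a newcomer."""
        v = self.members[voucher]
        if v.status != "member":
            raise PermissionError(f"{voucher} cannot vouch while {v.status}")
        self.members[newcomer] = Member(newcomer, day, voucher=voucher)
        return self.members[newcomer]

    def record_sale(self, seller: str) -> None:
        """A completed sale earns the seller a rep point."""
        self.members[seller].rep += 1

    def award_rep(self, giver: str, receiver: str, day: int) -> bool:
        """Helping someone can earn rep, but only members with enough tenure may award it."""
        g = self.members[giver]
        if g.status != "member" or day - g.joined_day < MIN_TENURE_TO_AWARD:
            return False
        self.members[receiver].rep += 1
        return True

    def report_ripper(self, accused: str, transcript_accepted: bool) -> bool:
        """Admins demote a member to ripper when the posted transcript convinces them;
        the member's voucher, if any, is penalised too."""
        if not transcript_accepted:
            return False
        m = self.members[accused]
        m.status = "ripper"
        m.rep -= RIPPER_PENALTY
        if m.voucher in self.members:
            self.members[m.voucher].rep -= VOUCHER_PENALTY
        return True

    def trust_level(self, name: str) -> str:
        m = self.members[name]
        if m.status != "member":
            return "untrusted"
        if m.rep <= 0:
            return "no-history"      # no points: nothing to base a trust decision on
        return "established" if m.rep >= TRUSTED_REP else "building"


def run_scenario() -> dict[str, tuple[str, int]]:
    """Walk one constructed sequence of events and return each member's trust level and rep."""
    f = Forum()
    f.add_founder("alpha", day=0, rep=50)
    f.join_by_vouch("newbie", "alpha", day=100)
    assert f.award_rep("newbie", "alpha", day=110) is False   # too new to award rep
    for _ in range(3):
        f.record_sale("newbie")                                 # three sales: rep 3
    assert f.award_rep("alpha", "newbie", day=200) is True     # founder has tenure: rep 4
    f.join_by_vouch("fresh", "alpha", day=200)                  # joins but never transacts
    f.report_ripper("newbie", transcript_accepted=True)         # demoted, alpha loses 5
    try:
        f.join_by_vouch("other", "newbie", day=300)             # a ripper cannot vouch
    except PermissionError:
        pass
    return {n: (f.trust_level(n), f.members[n].rep) for n in ("alpha", "newbie", "fresh")}


if __name__ == "__main__":
    for name, (level, rep) in run_scenario().items():
        print(f"{name:7} {level:12} rep={rep}")
```

The point the model makes concrete is the one Brian draws: a brand-new account with no history lands in the same "no-history" bucket as nobody at all, a demotion wipes out far more than a single sale earned, and the voucher carries part of the cost, which is what makes the vouch meaningful.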

Kassner: Apparently, not all is perfect in the netherworld. It appears underground forums have members who misbehave, and on occasion, get banished. Ironically, the paper claims banishment is usually due to a lack of scruples. The following chart lists the top three reasons for getting banned:

Spammer and malware are self-explanatory. The others aren't:

  • Duplicate accounts (dup. acc): Trying to circumvent a prior ban.
  • Inflammatory posts (Infl. Posts): People tagged as being "trolls."
  • Misuse: Abusing forum regulations.
  • Rippers: Deceiving other members.
  • Trade-related issues (Trade-rel.): Bartering restricted objects.

Brian, did you come across any occurrences of people being banned? What happened?

Krebs: Probably the most common reason is ripping. The person who was ripped will usually post a copy of the instant message transcript(s) of the transaction and subsequent conversations as proof of the infraction(s). If the forum admins agree, the violator will be bumped to ripper status. This happens all the time, every day on many forums.

Kassner: So, underground forums do have problems. But, they still exist, even flourish. Were you able to see anything below ground that might help improve security/privacy for us topside?

Krebs: Good question. I'd say it's a reminder that things that threaten our security also hound the bad guys. For example, poor security practices (sloppy passwords), and social engineering (wanting something without doing due diligence on the source or its reputation).

The forums can be good indicators of what's going on or coming up soon topside. For example, often times you can find sales of major hacked sites, or specific databases that provide early warning of compromises. To the extent that some trading in exploits and software/hardware/process vulnerabilities takes place on the underground, it may be an indicator of where to look for flaws or upcoming attacks.

There is a great deal of intelligence to be gleaned from the Underweb, but not all of it is accurate, timely, genuine, or what it appears to be.

Activity records

I mentioned that I'd get back to how the research team garnered so much information about six well known underground forums. Since that was not spelled out in the paper, I decided to ask the team. And, researcher Marti Motoyama was kind enough to answer.

Kassner: The paper mentions how you received the leaked activity records:

"In this study we have the luxury of "ground truth" - complete records of six underground forums via SQL dumps of their underlying databases."

And:

"For a more comprehensive list of the available data, please refer to the Invision Power Board (for L33tCrew) and vBulletin database schemas. We briefly describe the purpose of each forum."

I am curious and I'm betting the readers are as well. How did you obtain actual activity records from these forums?

Motoyama: We don't know the true origin of the databases in the same way one doesn't know the precise provenance of data appearing at WikiLeaks.

Our understanding is that rival criminal groups -- who hack into, then post their competitor's databases publicly (simultaneously an act demonstrating their abilities and demeaning their competitors) -- have acquired much of it.

We typically found these database dumps either through our own underground sleuthing or with help from third parties who actively monitor Internet criminal activity.

Final thoughts

Thanks to the research team and Brian, we have a better idea as to the goings on in the digital underground. The jury is still out on whether it's an honor system or if they've built a better mousetrap.

Personal Note: My dear friend and writing mentor made me promise something before he left. Never, never forget the responsibility entrusted a wordsmith. I'll try, but need your help.

Peace, man.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

37 comments
JCitizen

I get to see two of my favorite reporters working together!! Michael and Brian! It doesn't get any better than this! :) P.S. - It took me long enough to get here.

seanferd

Sorry for the mostly OT post, but I've already tried to post twice (last night), and gave up in exasperation. Sorry about the credit card, Michael. You might find something related interesting at Danchev's blog for Oct 31 (Mindstreams, not ZD). I won't attempt to post a link or domain name as that is apparently verboten (except for spammers) without notice.

hippiekarl

One's 'business reputation' is really MUCH more important in the criminal underground than elsewhere; that community (by its very nature) is the one that cannot seek legal redress in any contract dispute(!). If an associate in any outlaw-venture welshes, blows the gaff, tattles, or just fails to come through, the aggrieved party could be up against serious consequences beyond their original risk/reward actuary (such as exposure, prison time, etc), and retribution is likely to be more direct and severe than that which is granted by the courts. An excellent superimposition of 'honor amongst thieves' upon (as pgit noted) their 'total disdain for their targets' can be found in Michael Mann's epic outlaw movie, 'Heat'.

pgit

In part your question requires knowing how often a deal goes bad, how often does the "trust" burn the average participant? If I had to guess, I'd believe there is a very high degree of honor among those ranks, so far as free market transaction among the group goes. Of course they have total disdain for their targets.

GavGavGav

I think it's a big mistake to equate criminal activity with a lack of trust. Almost all Internet-based communities tend to build up surprisingly robust hierarchies and frameworks, and the members of those communities -- if they're at all serious about belonging and getting anything from the environment they're in -- will typically align with that framework wholeheartedly. The bottom line is that most people want to be there, building a reputation is paramount, and therefore conforming to the internal trust (protocols if you like) of the community is both necessary and desirable for the majority of its members. In that way of course there is honour among thieves, within a given community. I would expect that just as with our topside communities, most of the underground's problems will undoubtedly come from outsiders wheedling their way in, or disenfranchised individuals trying to make a mess during an ignominious exit. So it is no surprise to me that business transactions work in these environments. Most players would quite simply have too much invested to make ripping off any one given deal worthwhile. -- Gavin

lsl-temp

Although somewhat interesting, it really doesn't suggest how our habits affect the communication of criminals. A more interesting article would have been how your credit card information was taken a second time, when you should have learned from the first time. Especially when you have access to "leading" authorities on computer crime. Rather than attending to a cottage industry that focuses on the criminal after the fact, maybe more attention should be used in determining the cause of the crime and what can be done to reduce the crime.

Michael Kassner

How is that possible where everyone distrusts each other.

pgit

"apotheon" nailed the nature of the bug recently; it does sometimes fail to post when a link is in the message body. It's not supposed to be the case, I think the board is supposed to check the link somehow, maybe against a blacklist. It seems that 'feature' is failing. BTW the links that do get posted are usually Nike shoes at a bargain basement price or for Viagra... maybe the forum coding has an "isTrue" where there should be an "isFalse"?

SmartAceW0LF

To live outside the law, you must be honest. ~Bob Dylan

AnsuGisalas

Did NATO trust the USSR? Did the USSR trust NATO? Maybe the trick is to narrow the field enough; no, we didn't trust the reds in the normal senses, but often we did rely on them not wanting to destroy the world... as that was all that was left if they'd have done certain things. And the opposite was true as well. That's what Eisenhower saw so well, both sides are fidgety, both need to spy on the other, so let's keep that surveillance as open and "friendly" as possible - but neither side was really ready for that, I guess. For criminals, maybe there are things they'd be willing to trust another criminal NOT to do. A criminal reputation is more than a track record of not betraying the other one... it's also a record of transgressions against the law, a record of vulnerability. So the criminal is saying : "Yeah, that one would go to jail for 343 years if he was caught, he's not going to risk messing around if I offer him this stuff." Sort of how criminal gangs force newly included members to incriminate themselves, get their hands dirty. That way "We're all in the same boat"-rules apply.

Michael Kassner

I was hoping that someone would mention that retribution methodology underground is different than many of us are used to. Great movie and I see what you are referring to. Thanks for pointing that out.

Michael Kassner

I tried, but as you can expect, that sort of information is not readily available. I have visions of what could happen, but that's all speculation.

Michael Kassner

You made some very good points. Reputation is something mentioned more than once by Brian as well. Thanks for sharing.

Michael Kassner

There are multiple ways for financial information to get stolen. In my case, the card was a back up -- never used. The information was obtained from a database out of my control. And, if you search, you will find I have written numerous articles on how credit-card information is stolen and methods to avoid it. The intent of this article was to try and understand how and why underground transactions appear to be successful among distrusting sources. And if that methodology could be used elsewhere for good. I also may humbly add that I would not consider this a cottage industry; millions of dollars a year is not small-scale.

Michael Kassner

How does a business transaction take place without trust? Is that something we could use above ground?

HAL 9000

The Forum is seeing the Black List as Perfectly OK and everything else to be Rejected. But who cares site traffic is up so that's all that matters. ;) Col

pgit

Funny, I often make the same point myself, though the reciprocal; "the law is designed to make criminals out of everybody." To avoid scrutiny or retribution, people are forced to be dishonest in their dealings with one another. Think tax returns. It stems from the idea of "limited liability," about the only real "service" government can provide. The opposite is individual, personal responsibility, which in this day and age is actually "outlawed" to a large extent.

pgit

If you could actually poll the criminals for "social" data like that. Maybe someone ought to try. These types of criminal should be able to determine that their response to a poll is "secure" (anonymous) to them, what harm could come from providing the world with a little insight into their way of doing business? If the questions were crafted such that responses would be seen as bragging, or 'rubbing it in' I'd imagine the targets could be coaxed into seeing value in their participation. Imagine solid proof that among their business associates they are 7,450 times less likely to rip off one another than are "legitimate" businesses, or that 99.76% of all conflicts are settled to the mutual satisfaction of all parties, as opposed to, say, 21% for matters that go through a "legitimate" court. I know a lot of Russians with a great sense of humor... http://www.cheboksaryrussia.net/immigrate-to-russia

JCitizen

I now use an online secure card that even helped me point to the original vendor who was compromised the first and last time I got cracked. Now, the crooks can have my credit card number if they like, it won't do them any good!! I very much appreciate your advice on that - it was golden!!

RobKraft

I trust Amazon a lot. I trust 3rd-parties on Amazon a little less; and Ebay a little less than that; and craigslist even less. But if I want something bad enough and it doesn't cost me too much, I will do the transaction on Craig's list. So I think this is partially of a matter of degree of trust. Secondarily, people can build reputations through recommendations of others. It is obviously hard for a newbie to build trust; but obviously it is happening.

bboyd

Please do run if given the opportunity. I'm sure even a corrupt Pgit is better than the vast majority of politicians! Funny how discussion of crime can bring us to freedom. I think that the only valid political law-making is one of acting to remove laws from the current system. Complexity is not a solution. Forced systems are not stable. My freedom is mine to guarantee. And good luck with the health issues, I had a son in for major surgery this year and can empathize with them.

pgit

Paine was the spark that lit the American Revolution. Too bad he was pushed out of the limelight with the religious "scandal" leveled against him. I'm sure he would have been able to muster enough opposition to the constitutional convention to have prevented that coup... I'm not quite sure what all you are saying regarding my taking "public" money to pay my bills. But if I read you right, you're saying that if I get forced into that box, then I should hit back, run for office and agitate to reverse the trend into the cradle-to-grave nanny state we are becoming. I would not be eligible for a run for public office UNLESS they were to somehow force (by ENforcing one or more of their administrative directives) my status as part of that body politic. And if that ever happens, you can bet I WILL reach for the microphone, get on the soap box and fill the people in on how they are being ripped off by a set of private corporations DBA "government." If one knows how to read court cases, it becomes clear the supreme court is well aware of this fact. "Government" is not government, at least not the thing created by any constitution. "People who are unaware are unaware that they are unaware." ~Merrill Jenkins

bboyd

My favorite of the libertarian writings. I like writers who quote him also. pgit's ideals can be twisted. Pragmatically take the funds he would pay to keep his ideals, and the time, turn it into political ambition. Run for office and push to reform the system cause who else will do it. (This is the "evil" of ends justifying the means.)

HAL 9000

That the Meatworks wants to be paid fast. They really don't give a Rats provided that they have the money in their hands and can spend it as they like when they like and how they like. If they have to wait it costs them lots. ;) Col

hippiekarl

Based on what I just read, he's my new hero.....

pgit

I presently have a doozie of an example ongoing with a lawyer inserting himself between me and a hospital... He's thinking "the law," and his judge partners in agreement, are going to force me to relinquish my control over a rather large-ish debt to the hospital. I refuse to foist my debt onto society at large by applying for "benefits," medicaid, some state program or whatever. I take full responsibility for it, I consider such "benefits" amoral, and the wrong road politically. (though I do not condemn them, or fault anyone wishing to participate) If I were to submit fully to their "law" I would be forced to be irresponsible for my debt, forced to make YOU responsible, payable by threat of your incarceration should you fail to pay "your fair share." The goobermint says my retention of personal responsibility is not in line with the law, that in order the hospital be paid more swiftly I must be compelled to do something I consider criminal and amoral (force you to pay my way) and technically, should I retain my rights (read "full liability.." see it?) I am an "outlaw." Problem is I am, and I don't care. They are going to lose, and I will pay my own debts, as swiftly as I am able. The issue is jurisdiction: what kind of "entity" can be forced to do that which it finds repulsive? How does my flesh and blood become such an entity? They don't want to answer that because to do so is to hand me actionable proof the government's whole "authority" is constructive fraud and racketeering. I took this same issue all the way through their supreme court, which agreed basically "nobody has any rights unless they claw them out of solid rock with their bare hands." Once you've done the research I have (over 10,000 studying law, theories of government, history and a slew of related) you see how simple a lot of the seemingly intractable problems of this world are. Take "gun rights."
Every court that ever heard the matter has declared that the police, or any "law enforcement" is under NO OBLIGATION to protect you or anyone/anything. A positive assertion of my rights then is "I am going to carry a handgun anywhere I deem it necessary for my own protection." My right to basically BE, to live, trumps any "gun control" statute or regulation. If you know this, and claw through the courts you will finally get them to agree that statutes, codes, regulations etc are in fact NOT law. Everything that happens in court starts with the assumption the poor slob in the hot seat has watched a lot of television and therefore is totally clueless as to what really is "the Law." So I repeat, this lawyer ain't gonna win. I will retain all rights and assume full liability for all my actions. If I want insurance I will buy it on a competitive market from a private entity. I refuse to be forced to make you all assume my liabilities in any way. And this ain't blowing smoke; if ever there was a candidate for public medical assistance I'm it. Horrific back condition where I have no disks left, and where they were is filling in with bone. I have a broken wire fragment in my jaw that's infected and needs to be chopped out. Periodically the pressure builds and it has to drain the expended white cells (aka pus) out of a perpetual wound on the left side of my chin. I also need a ton of dental work. As you can see, I have every motivation to run to the state and make them make the rest of you pay for my medical care... all except one: the actual motivation. I am more motivated to live on my principles, to put my entire existence where my mouth is, and to make it known to "authorities" where I stand anytime they come-a-knockin'. EDIT: ...and I just happened to randomly come by this a half hour after I posted the above: http://www.strike-the-root.com/lemmings-and-pied-pipers

hippiekarl

Personal responsibility........who'da thunk it?!

Michael Kassner

"Personal responsibility" being outlawed. I have to ponder that one, Pgit. Interesting.

Michael Kassner

I would be fascinated to get that kind of data. But, I suspect the person who was able to get far enough inside to communicate would be ousted immediately upon asking. Or the answers would be skewed.

Michael Kassner

These are digital transactions that could emanate from anywhere. As others have alluded to -- you as well. It seems reputation is the cornerstone of underground commerce.

bsemma

Just like in any other business, you have to buy and sell to make a living. There doesn't need to be trust if you're dealing with cash. After awhile, you know how to tell a "ripper" from someone who just wants to do business. Take Rob's point, if you want it cheap enough, you'll meet the creepy dude in the parking lot of Kmart at 8pm to buy an iPad for $200, and the same thing goes for the guy trying to sell the iPad.

Michael Kassner

It's an assumption on my part, but I suspect bad guys do not trust anyone. With that in play, how do they go about the business of selling their wares like stolen financial information?