
What cybercriminals do with their money (Part 4) – Sophos News

Admin by Admin
May 19, 2025


Content warning: Because of the nature of some of the activities we discovered, this series of articles contains content that some readers may find upsetting. This includes profanity and references to drugs, drug addiction, gambling, pornography, violence, arson, and sex work. These references are textual only and do not include images or videos.

Following on from the third chapter of our five-part investigation into what cybercriminals do with their profits, we now examine various forms of business and income generation that are, in threat-actor parlance, ‘black’ (illegal).

We acknowledge that legality can differ depending on jurisdiction. However, the breadth and depth of these activities are such that we have to categorize them somehow, and using the threat actors’ own categories is a logical if imperfect choice.

Key findings of Part 4

  • As in our previous reports, we identified a range of business interests in this category (outright criminal activities, dubbed ‘black’ on the forums)
  • In some cases, the criminal business interests we discovered were relatively low-level: fraud, pyramid schemes, and fake goods
  • However, other discussions appeared to relate to more serious criminal activity, including counterfeit gold and currency, controlling prostitution, cultivating marijuana, tax evasion, and insider trading
  • We also noted that reinvesting in cybercrime can be an attractive option for threat actors with money to spend. We saw several investment opportunities and proposals relating to cybercrime
  • In some cases, forum discussions revealed information and images that could potentially be used to track, geolocate, and/or identify threat actors.

Fraud and theft

Bots

We saw a low-level fraud scheme involving the creation of multiple accounts to perform “tasks” under a prominent company’s rewards program. The threat actor advised using an “automation extension” to perform the tasks, and redeeming the profits as gift cards. They also provided advice on avoiding the detection of multiple accounts.

Pyramid schemes

We saw several threads relating to pyramid schemes and scams, including:

  • “An outstanding method that allows you to earn a substantial 3% interest per day on your base amount…the entire investment and withdrawal process is carried out in USDT [the Tether stablecoin]…potentially allowing you to keep your earnings without the burden of taxes”
  • An investment opportunity in a pyramid scheme (i.e., to help operate the scheme, not an attempt to sucker forum users into it)
  • Several attempts to actually sucker forum users into pyramid schemes/multilevel marketing programs – one “in the online training niche,” another that the advertiser noted was “a well-known pyramid…but it really works,” and an old-fashioned get-rich-quick scheme.

Figure 1: A threat actor tries to recruit other users to an “affiliate program…[for] anyone who wants to make money selling popular educational products”

Synthetic identities

We noted several guides on creating ‘CPNs’ (Credit Privacy Numbers) to establish synthetic identities (sometimes called ‘ghosts’) to apply for loans and credit cards, buy cars, and launder money – or to sell to people as part of fraud campaigns.

Figure 2: Part of a detailed guide on CPNs on a criminal forum

Refunds

One threat actor described a low-level scheme to fraudulently claim refunds from sports apparel companies, by claiming that deliveries didn’t arrive. The user outlined the scheme, providing advice on:

  • How to behave on the site when ordering
  • The optimal value of goods to order
  • How to report the ‘failed’ delivery
  • How to socially engineer customer support employees
  • How to mix legitimate and fraudulent orders to avoid “burning” your address and account.

Figure 3: A threat actor outlines a low-level refund scam

Classified ads

Another threat actor provided a guide to a low-level scam on Avito (a Russian classified ads marketplace), whereby users post fraudulent listings, receive money from a buyer, but don’t send the item and instead get the buyer banned from the platform. The post includes advice on the scheme, how to create an attractive listing, and how to set a price.

Sex work

Laundering

In a thread listing several ideas for money laundering, a threat actor suggested: “Recruit (real or fake) escorts to send you cash of your own money after they declared their ‘income’ from sex work…the prostitute idea is in the Canadian context since prostitution is legal to sell, not buy.” Another idea from the same user: “Pretend you’re a hooker yourself.”

In a similar vein, a user claiming to be from Australia noted in another thread that since prostitution is legal there, they had the idea of “pretending to be an escort to clean cash.”

Figure 4: A threat actor proposes pretending to be a male escort to launder money

Controlling prostitution

A threat actor suggested creating a “job website for escort ladies” – where “serious escort agencies…even brothels” can connect with “girls who want to go to business, but there isn’t a ticket there for the train from the village or for the plane to Dubai or anything else.”

Some users picked minor holes in this plan (competitors, difficulties in selling traffic to the site), with one arguing: “Why such a problem, if you really want to do pussy, you make webcam studios.”

Figure 5: A threat actor proposes creating a “job website for escort ladies,” sparking a long discussion about sex work

One user said: “I have the opportunity to set up my own brothel in Sochi…the Sochi cops are negotiable and won’t take very much…But you have to invest a ton.”

In the same thread, we also saw the following disturbing comment:

The ladies will need to be trampled down, instilled in them with the idea that they’re nobody and nothing and only under your protection can they somehow earn something. This will be especially evident in the prostitution business, where the simplest and most traditional way of controlling female employees is to make them drug dependent.

Stolen and counterfeit goods

Counterfeit gold

A threat actor sought a business partner with “an active eBay seller account” because they “have a large supply of counterfeit gold and have been selling it…the problem is…opening up new accounts.”

Figure 6: A threat actor seeks help selling “a large supply of counterfeit gold,” which they claim to have already been doing for a while

Fake goods

A threat actor sought advice on how to fake the country of origin for cheaply bought Chinese goods that they planned to sell online. Along similar lines, we noted a scheme to create an online shop and “sell high class fakes.” Other users advised them to “try to go through moderation of merch as second hand…they will not ask for invoices.” The same user provided extensive detail on their own experiences.

Ancient artifacts

In by far the most bizarre thread we discovered, a threat actor claimed to have “found some pharaonic and coptic monuments [i.e., Ancient Egyptian artifacts]…only two people know about its location. We want to sell it, but we don’t know how…to deal with the cargo and the suitable place to sell in an auction (black market).” The user uploaded two photographs of what appeared to be a sarcophagus lying on bubble wrap.

Figure 7: A threat actor claims to have “some pharaonic and coptic [sic] monuments” that they want to “sell in an auction (black market)”

Some users expressed interest in purchasing; others recommended means of verifying age/authenticity. One user claimed that they had been to Egypt for a similar job and could put the sellers in touch with a legitimate buyer “who will buy it immediately after his expert confirms.”

Drugs

Cannabis

One threat actor stated that “we have direct business relations with an American company that legally grows and sells marijuana in the US.” The user noted that the business is looking for lead generators and investors, with lead generators getting 10% of profit (“profit is usually $1000-$4000 per day”).

We also saw a guide on how to grow 25kg of cannabis in four months. The user outlined costs, including $7,000 for hydroponics, $1,500 for fertilizer, $12,000 to rent a house, and $1,700 a month for lighting. “The average value of 25 kilograms of good grass wholesale is $50,000…selling is easy and safe…in no way interesting to the cops – in court you’ll have to prove the fact of the sale.”

Figure 8: A threat actor posts a tutorial on growing cannabis, the equipment needed, and expenditure

Drugs and carders

As noted in the first article in this series, we noted an admission from a threat actor that they have given cocaine and pills to cybercriminals, in exchange for stolen credit card details.

Figure 9: A criminal forum user admits to giving cybercriminals “cocaine or pills” in exchange for stolen credit card details

Tax evasion

We saw a detailed discussion on tax evasion techniques, including specific guidance on tax evasion versus money laundering; using “a corrupt, foreign bank” versus false reporting; hiring “specialized lawyers” and more.

Figure 10: Part of a detailed discussion on tax evasion on a criminal forum

Insider trading

One threat actor claimed to have an insider in a prominent technology firm, who recommended investing big money after “the company made some major changes…they should double their stock price in 12-16 months.”

Figure 11: A threat actor claims to have an insider within a prominent technology company

Another threat actor advised others “not to gamble on the stock market…getting inside information is the only way…if hacking groups give a heads up on which company’s documents they’re going to leak you can buy put contracts on the company and profit on stock going down.”

In the same vein, another user asked about shorting stocks of companies affected by ransomware attacks, and wondered if ransomware operators have considered doing this. Most users said this was viable, although others were more doubtful (“You’ll attract regulatory authorities for insider trading”).

In the same thread, threat actors also discussed other types of attack (DDoS and website defacements), along with their possible impacts on stock price and whether it would be worth shorting the stock. A user suggested using SEO, deepfakes, and AI-generated articles to drive down the stock prices of attacked companies further.

On another thread, a threat actor claimed to “sell insider information well in advance of the big moves in the market for some cryptocurrencies. I usually work with investment companies, but some of you have a decent amount of cryptocurrencies, and I believe that I can be of great help to you.”

Reinvesting in cybercrime

During our research, we noted many threat actors asking their peers what they should invest their money in, and replies such as “invest it in the business that brought you this profit. It’s obvious.” Reinvesting in cybercrime may be attractive to threat actors who have ‘paid their dues’ and profited – they can invest in a new project in a familiar field, and reap the rewards while being exposed to less risk.

Malware and phishing

We saw several investment opportunities in in-progress/in-development malware and campaigns, including an investment opportunity ($1,000-2,000) in an Android botnet, with the ability to steal credit card data, spam contacts, forward incoming calls, launch custom apps, and intercept incoming SMS messages. A screenshot was included.

We also noted:

  • An investment opportunity ($3,000-5,000) to open a store for botnet logs (i.e., stolen data from infostealers)
  • An investment opportunity ($5,000) in a Telegram phishing tool/campaign
  • A vague proposal relating to an MT103 (a protocol used in SWIFT) staging server (“I’m looking for cooperation with a dark web developer…we have a deal for 10 million dollars”).

Figure 12: A threat actor seeks investment to create their own “botnet logs store”

Figure 13: A screenshot of a Telegram phishing platform, included as part of a pitch to potential investors on a criminal forum

DDoS

We saw an opportunity (ROI: 30% of profit) to invest in a year-old DDoS-related project (the user insisted that this was not a scam, pointing to their reputation and lack of arbitration complaints, and the fact that they were willing to discuss conditions privately).

SIM-swapping

We saw an investment opportunity (ROI: 20% of each cashout) in sim-swapping. “I have crypto logins and bank logins with money, my last step is sim-swapping.”

Crowdfunding

One threat actor proposed launching a crowdfunding platform on Tor “for gray/black topics.” Other users appeared to be keen in principle, but noted that the platform would need to both ensure anonymity and prevent scams. One user suggested smart contracts as a possible solution.

Figure 14: A threat actor proposes a “darknet” crowdfunding platform for criminal activities, likening the principle to Kickstarter

Counterfeit currency

A threat actor proposed a scheme whereby they would provide other users with counterfeit US currency to launder, before giving the OP a share. The OP suggested $400 (four $100 bills) to start, later increasing to thousands. The counterfeit bills allegedly had multiple serial numbers, watermarks, security strips, optically variable ink, and passed the “pen test” (a method to detect counterfeit bills via a special ink), but didn’t work in ATMs and needed to be aged and treated before use.

Another user outlined a plan for counterfeit bills, and provided details on their digital and physical OPSEC measures. The latter included:

  • Never using the bills in retail stores, only at physical meet-ups (e.g., Craigslist transactions)
  • Going from city to city
  • Never using money for trivial things like hotels, food, gas
  • Selling the illicitly acquired items in different countries

Figure 15: A threat actor goes into significant detail regarding their plan to distribute counterfeit bills

Potential attack

Finally, we saw a particularly disturbing thread, although it was (probably deliberately) very vague. A threat actor asked the cryptic question: “Has anyone encountered or perhaps heard of people being intimidated by voices? A person is mixed with some substance and then he begins to have severe problems.”

Figure 16: A threat actor posts an unusual question on a criminal forum

Another user responded:

You can use a ‘truth serum’ (scopolamine or analogues, available on the darknet)…the person himself will give up everything and tell you everything. In real life, I saw a successful theft using scopolamine, the man did everything he was asked to do – he took the documents and laptop out of the house, he withdrew money from the ATM, he himself entered passwords in banking. Be careful about dosing.

Scopolamine (prescribed to manage, among other things, nausea and vomiting caused by motion sickness or surgical anesthesia) is known to have been used for theft, and allegedly also to facilitate kidnappings and sexual assaults.

Over the past four articles, we’ve explored a wide array of business interests, ranging from the innocuous (digitizing VHS tapes and creating a mobile fitness app) to the downright criminal (interest in running a brothel, counterfeit bills, growing cannabis) and pretty much everything in between. But what does this mean for the cybersecurity industry, law enforcement, and society as a whole?

In the concluding chapter of this series, we’ll examine the implications, challenges, and opportunities of threat actors moving beyond the cyber kill chain.
