Identifying and Circumventing Trust Issues Within Cybercrime Communities
June 26, 2017
A lot of innovations have happened in the world of cybercrime since I founded Shadowcrew.com. Criminals now have tools like RDPs, Antidetect, Fraudfox, VMware, and more. Unlike the days when I was Admin of criminal sites like Carderplanet, CardersMarket, ScandinavianCarding and others, today's cyber criminals are able to utilize off-the-shelf products developed not only by seasoned, professional hackers, but also by cybersecurity companies. Products like a VPN and VMware are used with WHONIX GATEWAY to WHONIX WORKSTATION, or WHONIX GATEWAY to WINDOWS 7 VM, then RDP. Maybe throw in Antidetect, Socks5, etc.
Yeah, yeah. Some will know what I am talking about, many won't. Point is, criminals have gotten extremely good at mixing both legal and illegal tools to accomplish their goals, namely ripping people off. Most cybercriminals develop their own system using a variety of these tools and products. Initially, they might buy a guide, or read posts by others, or ask for advice. But sooner or later—if they stay out of prison long enough—they will develop their own criminal “Opsec” to bring them comfort and joy (Comfort and Joy—like the song).
The cybercrime landscape itself has turned into a modern-day gold rush. More and more would-be criminals enter the fray with dreams of dollars dancing in their heads. Most of the newbies vanish after a few weeks, having been scammed out of their hard-earned shekels, or discovering that cybercrime as a profession involves a LOT of hard work, study, stress, and bad days. In a bizarre take on the 1890s Gold Rush, the cybercrime professionals of today have discovered that the real money in online crime lies not in carding, or draining bank accounts, or a multitude of other crimes to be committed. Nope. The real money and security lie in providing the product that these would-be criminals, these gold-seeking newbies, need to buy in order to find their fame and fortune. Sellers like Ston3d, kriminal, ggmccloud1, iSellpizzas, Gaia88, HolyDiarrhea, and even Satan himself with his new-found ransomware ply their wares daily to would-be treasure seekers. The sellers haul off tons of loot every week, making much more money than the people using the purchased product.
In today's world, it is the cybercrime suppliers who bring home the real money. It appears this is something most online criminals inherently know. However, visions of wealth tend to cloud reason. News articles pop up of countless millions stolen out of banks in Thailand, or out of Tesco, or by sending spoofed emails in the names of various CEOs asking their accounting department to wire currency somewhere. Cyber Crime Gold Seekers see headlines like that and figure they can do the same damn thing. They don't; they can't. But the visions of lollipops persist in their heads and they keep buying product. And the suppliers keep getting richer.
Such is the nature of the business today. And business is booming. When I ran ShadowCrew we ended with roughly 4,000 registered users. Ross Ulbricht's Silk Road ended with somewhat over 25,000. The current most popular marketplace, AlphaBay, has over 141,000 users. Business seems to be chugging along quite nicely and nothing seems to be slowing the advance of cybercrime.
I was asked recently by the Vice President of Sales of a security company I consult with how buyers and sellers on an illegal marketplace actually know who they are doing business with. How do they know they aren't going to get ripped off? How do they know they aren't dealing with a cop?
The question is an important one. Maybe the most important in understanding the way cybercrime operates and perhaps coming up with ways to curtail its growth. I say “curtail” because there is no stopping it. One can only hope to rein it in.
It is a complicated issue of Trust. All members of a criminal forum/marketplace/group must be able to trust the other members as well as the system of which they are a member. Without that, the entire thing starts to fall apart.
Let’s think about that for a second:
Buyers have to trust that the other person on the end of the line is actually going to provide the illegal product they are advertising. They have to trust the person isn't a cop trying to arrest them or a scammer trying to steal their money. They have to believe the same product they are purchasing isn't being sold to other buyers. They have to believe that the system they join (forum, market, group) isn't a honeypot or a large scam operation.
For sellers and providers of services the same is true. The seller has to trust that the person he is selling to isn't a cop, or a security professional, or a scammer trying to get free product.
All this has to be done without ever meeting the person on the other end of the line.
Consider that: All these illegal transactions take place among people who are anonymous to each other. They have never met. They likely never will meet. It is based solely on taking someone at their word.
That's pretty odd when you consider that every user there is either a criminal or a cop or security pro trying to stop the criminal. Every user. There might be the occasional straggler wandering in out of curiosity, but it’s rare. These places aren't like eBay or Drudge Report; they aren't easily found or accessible. Criminal sites take work to find and gain access to. People don't really just come to browse. They come for a reason. And that reason is either to break the law or to stop those who do. Such is the population of people on these sites.
Knowing this, users still choose to place their trust in the other members there. Now, to be fair, many members of Law Enforcement and many Security Professionals are easily spotted by criminals online. They come on site and think they can pass as just another criminal. They ask too many questions, or the wrong type of questions, or make the wrong type of comments. Real criminals online notice this, and while they may not be able to specifically identify the problem, they know to stay away and avoid these people like the plague. Other cops and security people are a bit smarter and choose to remain quiet, not really posting anything at all, but learning the dynamics of the group or marketplace/forum. These individuals gather intel and use it to aid in investigations and to counter fraud. It is very difficult for would-be criminals to spot these individuals. Then there is a third class of law enforcement and security type. These are individuals like FBI Agent Keith Mularski, an overall hell of an impressive individual. They infiltrate the group, gather intel, make arrests. And these individuals are extremely effective in their work.
Law enforcement and Security Professionals populate the cybercrime landscape. For individuals engaged in online crime? Unless they have remained completely quiet within their specific network, they have at some point communicated with someone out to stop them. If they are the least bit competent in their criminal activities, they can be sure they have the interest of law enforcement. Criminals can also be sure that given enough time and resources, they will be caught and sent to prison for a lengthy term. Just ask Ross Ulbricht. Hell, just ask me. The longer a criminal persists, the more likely it is they will make some mistake. And one mistake is all it takes. Again, just ask Ross or me.
To be sure, there are mechanisms and tools in place which work to keep the criminals safe from other criminals and law enforcement. Bitcoin provides a near anonymous method to move currency back and forth between buyer and seller. This currency can be laundered easily and then converted to cash for daily use. The Tor network provides a near anonymous method of conducting business, protecting both the sites criminals visit and the criminals themselves from being identified. Review systems and escrow services are in place to ensure buyers and sellers alike are protected during transactions. And, maybe most important, members communicate with one another in order to improve their criminal abilities and to stay safe. All of this taken together provides a framework in which a criminal can place Trust.
For a Regular Joe, all these tools and mechanisms would never be enough for them to be able to successfully engage in crime. The fear of losing freedom or cash is enough to keep them out of the cybercrime arena. They may dabble a bit, but they won’t last.
Successful criminals tend to adopt a sense of fatalism often fed by a huge ego. Most criminals know everything I have stated here. They know that if they persist in their criminal enterprise they will at some point screw up and go to prison. They continue because they have adopted an attitude of “whatever will be, will be”: que sera, sera. This attitude MUST be adopted in order for the criminal to operate. If the criminal were constantly worried about being caught and losing everything, he likely wouldn't be able to commit any crime because of fear and stress. This idea of fatalism isn't just confined to cybercrime. It pervades all degrees of crime. I was locked up for several years with a variety of criminals. I can tell you the fatalistic criminal is much more common than not.
That sense of fatalism is often fed by an enormous ego. Money isn't the only reason cyber crooks operate. There is a lot of satisfaction derived from committing and getting away with online crime. It's that one man against an entire government or huge corporation thingy. One person goes against the unlimited resources of governments and businesses and wins. It's a huge rush. Huge boost to one’s ego. Guy goes online and commits countless crimes knowing law enforcement is wanting him? And he gets away? Yep, another rush. The other members of the criminal group fawn over the guy and his abilities? Hard to beat that. This ego rush tends to be so big that it drives and influences any number of things.
All these factors feed into the criminal’s ability to place trust. The tools and mechanisms mentioned above provide a framework, the promise of wealth gives incentive, the “screw it” attitude of fatalism allows one to distance himself from fear and stress, and the ego gives a boost of confidence, false security, and superiority. All these factors working in unison are what enable the online criminal to function and the group/forum/marketplace to operate. They give criminals the ability to Trust without actually knowing the person with whom they are doing business.
Understanding this concept, I believe, is necessary in developing ways to curtail online crime.
When I ran ShadowCrew and CounterfeitLibrary, and when I was Admin of CarderPlanet, ScandinavianCarding, CardersMarket, and others, there were a few pithy Truths I preached to all who would listen. Later, I would preach these same Truths to the United States Secret Service when I worked for them. One of these Truths was the following:
“A Person Who Can Supply a Good or Service Will Tend To Do So Until Such Time As it is no Longer Viable To.”
At the time, I meant that a seller of an illegal good or service, if he could actually provide it, would continue to provide it as long as he was making money, as long as selling his wares wasn't too complicated, and as long as he wasn't about to be captured and thrown in a 6x9 cell with a very big, violent criminal. It is the basis from which I built the review system for Shadowcrew, which is still in use today across every online criminal network. It is a Truth which still holds today.
Let's put it another way: If a seller can really get those illegal credit cards, bank accounts, drugs, etc. which he claims, he WILL sell them until something starts to really screw with him.
The same is true for a buyer: A buyer will continue to frequent the market and engage in business until something starts to really screw with him.
It is this idea which I believe is important to curtailing cybercrime of ALL varieties.
It is important to note that I am not specifically speaking about making arrests. I do believe that the majority of online criminals need to serve some time in a 6x9 cell (Basically, everyone but kids). But I also know law enforcement is already stressed enough. No way they are going to ever be able to catch everyone. And if they did, no way they would ever be able to lock them all up. (Hell, the pedophiles alone would fill many prisons.) It isn't going to happen. The best that can be hoped for is that we lock up some (and work to rehabilitate them) and try to dissuade the others.
So what I am going to discuss are ways to dissuade members of these criminal enterprises. In other words, ways to screw with the Trust Mechanism which is so necessary for cybercrime to thrive.
Let me state outright I believe in a proactive approach to security. I think the best defense is a good offense. And I believe that if someone hits you, you hit back harder. Too many times measures taken are reactive instead of proactive. I believe we need to change that. We need to get to the point where we anticipate an attack and defeat it before it happens.
So how do we proactively screw with the all-important Trust Mechanism?
The idea is to make users of online criminal enterprises so distrustful of their respective group and sector that the particular business is no longer a viable choice for them.
We should be using the same tools, and more, against online criminals that they use against the law-abiding. Where criminal sites are able to be hit by DDoS attacks, it should be done. Make the sites inaccessible. Users go crazy when that happens. They cannot buy or sell. Money is lost. Connections are lost. Do it enough and users find another marketplace or group to conduct business within. Do it across an entire criminal sector and members either find new ways to communicate or they leave the business, effectively curtailing online crime. It also has the added benefit of slowing the increase of new cyber criminals by taking these very public places offline. This can be done to every single cybercrime sector: Fraud, ID Theft, Piracy, Child Porn, Terrorism, etc.
Honeypot operations and the resulting arrests need to be common, loud, and public. Honeypots WORK. Recently, they have gotten some flak in the media. The FBI allowed a kiddie porn site, Playpen, to keep running two weeks after they seized it. They have gotten a lot of criticism over that. News sites ran with headlines saying the FBI was the largest provider of child porn in the world. Complete NONSENSE. Allowing Playpen to remain operational for those two weeks resulted in LOTS of arrests and LOTS of predators no longer victimizing children. It also sent a ripple of paranoia throughout the kiddie porn community, the effect of which cannot be overstated. That entire segment of criminals got scared and thought the cops would be knocking on their door. They dumped files, ceased buying, selling, trading—all kinds of stuff. This needs to be done across the entire cybercrime landscape. Set up fraud and piracy honeypot operations, gather intel, make arrests, scream about it as publicly as you can. One honeypot causes paranoia. Multiple honeypots across any given sector result in a complete loss of trust for any would-be users. Some users will adapt, other users will cease, those looking to enter into the crime will find it increasingly difficult.
Disinformation campaigns need to be mounted within existing networks. Distrust needs to be sown within trusted criminal frameworks. Sellers should be constantly discredited as “rippers” or potential law enforcement. Buyers should be labeled law enforcement and scammers. It should be consistent and non-stop. Anything a seller provides should be targeted to be shut down. Example: A seller is selling credit card information. Buy some of his goods, determine where the breach is from, shut down all associated cards, scream publicly on the forum or marketplace that the guy is selling dead cards and he is a cop. It isn't hard to determine where a breach is from. When I worked for the United States Secret Service it only took 3 cards to find out. Do it, shut them all down. Rinse and repeat across the board. A seller who continues to have his product shut down isn't going to stay in business long. A buyer who cannot find a good product isn't going to be a visitor within that group for long. The point is to make the existing framework within which a criminal operates so convoluted that users don't know what is correct and what isn't. Make it so bad that they cannot conduct business there. They will either quit or move elsewhere (hopefully, to a Honeypot).
There are other things that can be done as well to sow distrust within a community. Law enforcement should run VPN services targeting piracy and other illegal users, sign on those users, record activities, make arrests. The methods criminals use to communicate (Jabber and others) should be targeted in a similar manner.
These are just a few ideas. Certainly, there are many more possibilities out there that would undermine the trust factor criminals place in their respective systems.
I don't claim to have all the answers. I have some IDEAS. I do know what criminals DON’T like. I know what would cause them to stop using a certain system. I speak from that position of knowledge. I'm sure many won't agree with some of what I have written here. They don't have to. But hopefully, it will get people thinking about alternate means to stem the flow of online crime.
There are other things that should be done as well. Overall security and curtailing cybercrime, I believe, takes a holistic approach.
People should be listening to folks like:
Ernest Hilbert. He posted a few weeks ago on LinkedIn about always considering the monetary aspect of a specific cybercrime. I agree. When we look at any breach, or any type of fraud, we should consider how the criminal is going to monetize it and cash out. Do that and you can more effectively fight it. We should target Bitcoin money exchangers and determine when BTC is being transferred to and from illicit services. Coinbase recently showed such was possible and shut down many accounts associated with AlphaBay.
Neal O'Farrell of the Identity Theft Council and the new venture OperationStopIt.org. Neal has an innate understanding of cybercrime and its human elements. He works hard to educate people on such. In order to understand cybercrime and stem it, we must understand the people who commit these crimes. It is only one area Neal specializes in, but it is an area needed to combat the problem.
Karisse Hendrick and the crew over at CardNotPresent.com. Fantastic folks who work diligently on merchant safety and education. Karisse, in particular, is as informed on the subject of merchant fraud as anyone I have met. To her, it is more than a job. She works tirelessly to combat fraud. We need more like her and the CNP Team.
Stu Sjouwerman, CEO of KnowBe4. I don't know how well versed on cybercrime he is, certainly nowhere near what I am (I mean, I WAS a criminal for several years). But I do know that he runs a very good phishing simulation company which works to educate and keep people on their toes about phishing attacks. Stu understands that combating cybercrime means the ENTIRE organization needs to be trained and on their toes, not just management. Stu also works tirelessly to inform people about various forms of cybercrime and current breaches.
We should pay attention to people like Lee Mathers, Ronin Chang, Cal Leeming and many others of their kind.
All these people are easily found on LinkedIn. They should be listened to. They have an understanding of and insight into the problem which few do.