Intro
Marijuana. Cocaine. Heroin.
Assault rifles and illegal weapons.
Crime syndicates sitting around a smoky table in a dark room.
Do these Hollywood images of the black market fit the new Internet underground? A look at a large bust led by the Secret Service, called "Operation Firewall," publicly revealed some of the first details of the online black market and the people behind it. On October 26, 2004, 28 key members and ringleaders of the ShadowCrew, an online community of cybercriminals, were arrested for facilitating an underground economy where identity theft and exchange of stolen goods flourished. The founders of the group included a part-time student in Scottsdale, Arizona and a former mortgage broker from Linwood, New Jersey. The group seamlessly crossed international boundaries as well. The ShadowCrew boasted more than 4,000 members worldwide who launched millions of phishing messages, hacked company networks, and then bought and sold the stolen goods in their own online auction, complete with confidence ratings and reviews.
What does the Internet black market look like today after the high-profile busts of the ShadowCrew and other cybercriminals in Operation Firewall? The online underworld is constantly shifting. Symantec performed a brief investigation of several online fraud communities to answer this and other questions raised by this quickly evolving breed of cybercriminal.
What Does an Internet Black Market Look Like?
Criminal Communities
Symantec's glimpse into online fraud communities focused on active communities of criminals who use the Internet Relay Chat (IRC) network for communication. These forums were largely online message boards, viewable by only registered members, as opposed to the online auction of the ShadowCrew. The IRC networks that Symantec explored were accessible to anyone aware of their existence and the address of one or more servers. The message boards, although not viewable by unregistered users, do not screen new registrations beyond verifying that a valid email address was used to register the account. This allows the exploration of all message board areas by registering with an anonymous email address. Undoubtedly, there are more secretive black market groups on the Internet which take great pains to remain hidden from law enforcement.
Inside these communities, fraudsters sell their services, share tips, and exchange information in order to have more private conversations off of the IRC network (e.g. using instant messaging or e-mail). Novice attackers can use the message boards to find detailed instructions in the art of online fraud (e.g. how to obtain credit card numbers, where to purchase goods online using fraudulent data, etc.). More accomplished fraudsters offer specialized services and generally take part in a sort of division of labor: most fraudsters do not conduct attacks from start to finish but rely at least somewhat upon other members of the fraud community. The various roles played by the members of the black market are detailed below.
Not surprisingly, there is no honor among online thieves. The message boards are also used to expose members of the fraud community who steal from other members by reneging on agreements to provide cash for stolen data or simply keep the data without paying the provider. These unpopular fraudsters are known as "rippers," a serious insult in the black market.
Black Market Roles
Successfully launching and profiting from a phishing attack is typically a group activity where each person plays a different role. Most often, attackers do not have the skills to perform all of these tasks, and therefore must rely on each other to specialize in a given area. Fortunately, many phishers are not technically advanced enough to exploit software and break into systems, nor do many of them appear to be able to effectively automate their scams using sophisticated bot software or specialized utilities.
Here are some of the different roles required to complete an attack:
- Spammers - responsible for sending the phishing emails to as many email addresses as possible.
- Web designers - responsible for creating malicious Web sites that appear as legitimate as possible.
- Exploiters - typically amateur attackers known as "script kiddies" who gather victim computers (referred to as "roots") that can be used to host a phishing site or a spam relay. In some cases, exploiters will break into credit card databases directly to harvest credit card data, skipping the phishing stage entirely.
- Cashiers - responsible for withdrawing funds from a compromised credit card or bank account and turning it into cash for the phisher.
- Droppers - these members are able to receive merchandise purchased with stolen credit card information at an untraceable drop point. Goods purchased with stolen credit or bank card information are considered "carded" and fraudsters of this sort are also often considered "carders" as well.
Black Market Commodities
A variety of commodities are traded among phishers and fraudsters. Following is a partial list of items considered valuable:
- credit card numbers - typically CVV2 numbers (3-4 digit numbers on the back of a card) are required as well for these to be considered of any value.
- root or administrative access to servers - hacked servers which the fraudsters can access at their leisure are commonly used to host phishing websites and are often referred to as "roots" by participants in these chat rooms and forums.
- email address lists - these are used either for spam advertising or for targets of a phishing scam.
- online banking accounts.
- online payment service accounts, such as e-gold. E-gold is popular among fraudsters because funds are sent instantly and are not generally traceable.
- counterfeit currency - counterfeit money is printed and sent via postal mail. Here's an example of someone soliciting counterfeit currency:
  [Jamal] i need some 1 to make alot of 20 dollar bills
  [Jamal] cuz i live in canada
  [Jamal] we can make alot of money if u can
  [Jamal] i will use it at other stores and return the item
  [Jamal] if u can make copies of the bill and send them to me and i change it to real money and i will send u half via western union
- Western Union accounts - Western Union is popular because funds are sent instantly and are not traceable or recoverable.
All of these commodities are traded and sold either via impromptu IRC chat conversations, or in an organized fashion through the online forums where the seller can obtain a "vendor" account and conduct business. A vendor account allows the seller to post a structured price list for would-be buyers. Users provide feedback on their experiences working with the fraud "vendors", creating a sort of confidence rating system which discourages would-be "rippers". Vendors may also pay a start-up fee and go through a basic verification process before they are set up as a vendor within a cybercrime forum.
Marketing & Promotions
The following example taken from an online fraud forum illustrates that these "vendors" take their business seriously, in some cases even offering promotions, sales, and guarantees. The following "promotion" offers a volume discount for large purchases as well as free calling cards depending on how much is purchased.
Smile Buy Cheap Cvv2s And Get Gifts
Hello all carders !
Iam glad to offer my service to serve all you guys.
Iam selling US cvv2 with NO LIMIT (UK & Canadian and International cvv2s will be available soon)
* Cvv2s have the following information:
  - Card Number
  - Card Expiry
  - CVV2
  - First & Last Names
  - Address & City
  - State & Zip/Postal code
  - Country (US)
  - Phone #
======= Here is the price ========
* For US cvv2 :
  1 -> 40 cvv2s : $1.5 per card
  100+ cvv2s : $1 per card
* For UK ccs : 1$ per each (come with : Name, Address, Town, County, Postcode, Ccnumber, exp, from date, and issue number)
* If you request the following information for Cvv2:
  Special Card Type +$0.50
  Email, Password +$3
  Special Gender +$2
  Special bins : +$1
* Special Offers :
  If your order > 50$ , u will get a calling card with 5$
  If your order > 100$ , u will get a calling card with 10$
  If your order > 200$, u will get a calling card with 20$