Saturday, May 25, 2013

A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports

Fake IDs/fake passports have always been a hot commodity within the cybercrime ecosystem.

Thanks to their general availability and affordable prices -- which naturally depend on the quality a potential cybercriminal/fraudster is seeking -- the vendors behind them continue to undermine the trust chain that society and the market rely on, by supplying cybercriminals and fugitives with new identities to be used later in related fraudulent activities.

In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low-profile cybercriminals have literally been generating fake (Russian) passports for years, relying primarily on DIY passport/stamp generating tools.

Sample screenshots of the inventory of available fake passports for multiple countries:

Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. The prices vary between $20-30 and, according to the vendors, the documents use real people's data, photos, etc.

It's also worth emphasizing that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant. Next to high-quality fake documents/IDs/passports, there are naturally the cheap alternatives, which Russian fraudsters have literally been generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:

Thanks to the demand for this kind of underground market asset, I'm certain that the market will continue flourishing, and will eventually reach a stage where vendors start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization-on-demand services proliferating, next to the affiliate-based revenue-sharing models that are ubiquitous in the cybercrime ecosystem, vendors of fake documents/IDs/passports have virtually everything they need at their disposal if they were to start targeting an international audience.

Friday, May 24, 2013

Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook

Over the last couple of days, multi-tasking cybercriminals have been spreading a "Facebook Profile Spy" campaign across Facebook, enticing users into installing a rogue Chrome extension, next to monetizing the campaign through an unethical pseudo-mobile marketing agency, known as Prizerally.

Sample redirection chain:
hxxps:// -> hxxp:// -> hxxp:// -> hxxps:// -> hxxp:// -> hxxp:// -> hxxp://

Domain names reconnaissance:

We also identified the following fraudulent and typosquatted domains known to have responded to the same IP ( in the past:

As well as the following malicious MD5s phoning back to the same IP in the past:
MD5: e315a877c58773ce82cc32fc192bdfa5
MD5: 1cd4c2a2b2143689b185e064dc6c331c
MD5: 26c5102e75daf3d3c696ad719bc55ad4

Prizerally's scheme is fairly simple:
Service costs £3 per question played and a £4,50 sign up fee applies. You will receive an additional £1.50 charge for a reminder message tomorrow. Winners will be contacted every first business week of the month, all question entries must be received before 00.00 on the last day of the month. This is not a subscription service. Minimum age 18+ with bill payer's permission. One prize available per service per month. Customer service: call 0800 408 0796, email or visit the website: Play the game on your mobile. The winner will be selected among all participants in the first business week of every month. When participating you acknowledge that you agree to the terms & conditions, you are a resident of the UK, 18 years or older and authorized account holder and/or that you have the consent of the account holder. £3 per question. This service is a product of Mypengo Mobile. Free entry method: send an email with your name, phone number, and prize you want to win to Prizerally is not affiliated with, sponsored by or endorsed by any of the listed products or retailers. Trademarks, service marks, logos (including, without limitation, the individual names of products and retailers) are the property of their respective owners.

When you see one of our Products on the Internet, you can start receiving our content via SMS (i.e. text message). You can enter your mobile telephone number on the landing pages via the Internet and confirm your registration. You hereby agree to the Terms and Conditions. Prizerally charges you £3,00 per question played. Each sent answer will be followed by a new question. If you stop sending answers you will not receive any more messages. Once stopped you will receive one extra £1,50 reminder message. To stop this message, simply text STOP to 85150. From this moment on you have to decide on your own if you will continue to play for more points.

By answering a question, you will receive a new message containing a new puzzle/question, also chargeable at £ 1,50 per text message received. When you stop sending answers the game will end. O2 and Orange customers can only spend the maximum amount of £ 30.00 a day. This spending cap applies for one day, so the next day these customers are eligible to play again. The maximum amount you can spend on our Prizerally service is £ 99.00.

Facebook has been notified. The rogue Chrome extension has already been removed.

Updates will be posted as soon as new developments take place.