In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with a sarcastic attitude.
Saturday, May 25, 2013
A Peek Inside the Russian Underground Market for Fake Documents/IDs/Passports
Fake IDs/fake passports have always been a hot commodity within the cybercrime ecosystem.
Thanks to their general availability and affordable prices -- naturally based on the quality that a potential cybercriminal/fraudster is seeking -- the vendors behind them continue undermining the trust chain that society/market thrives on, by empowering cybercriminals and fugitives with new IDs to be later on used in related fraudulent activities.
In this post, I'll sample fraudulent activity on the Russian underground marketplace, feature exclusive screenshots of fake passports currently offered for sale, and discuss how relatively low profile cybercriminals have been literally generating fake (Russian) passports for years, primarily relying on DIY passport/stamp generating tools.
Sample screenshots of the inventory of available fake passports for multiple countries:
Affected countries include: Russia, Belarus, Canada, Germany, Denmark, Finland, Israel, Netherlands (Holland), Norway, Romania, United Kingdom, United States, Australia, Ukraine. Prices vary between $20-30 and, according to the vendors, the passports use real people's data/photos, etc.
It's also worth emphasizing that, of all the countries, Russia's underground marketplace for fake documents is perhaps the most vibrant one. Next to high-quality fake documents/IDs/passports, there are naturally the cheap alternatives, which Russian fraudsters have been literally generating for years, relying on DIY (do-it-yourself) tools/stamp editors like these:
Thanks to the demand for this kind of underground market asset, I'm certain that the market will continue flourishing, and will eventually reach a stage where the vendors start sacrificing OPSEC (Operational Security) in an attempt to reach customers from virtually every country. With localization-on-demand services proliferating, next to the affiliate-based revenue-sharing models that are ubiquitous in the cybercrime ecosystem, vendors of fake documents/IDs/passports have virtually everything that they need at their disposal, if they were to start targeting the international audience.
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Friday, May 24, 2013
Fake 'Facebook Profile Spy Application' Campaign Spreading Across Facebook
This summary is not available. Please click here to view the post.
Tags: Botnet, Facebook, Fake Facebook Profile Spy Application, Hacking, Information Security, Malicious Software, Security
Wednesday, May 01, 2013
Summarizing Webroot's Threat Blog Posts for April
The following is a brief summary of all of my posts at Webroot's Threat Blog for April, 2013. You can subscribe to Webroot's Threat Blog RSS Feed, or follow me on Twitter:
01. DIY Java-based RAT (Remote Access Tool) spotted in the wild
02. Spamvertised ‘Re: Changelog as promised’ themed emails lead to malware
03. Cybercrime-friendly service offers access to tens of thousands of compromised accounts
04. Madi/Mahdi/Flashback OS X connected malware spreading through Skype
05. Cybercriminals selling valid ‘business card’ data of company executives across multiple verticals
06. A peek inside the ‘Zerokit/0kit/ring0 bundle’ bootkit
07. DIY Skype ring flooder offered for sale
08. Spamvertised ‘Your order for helicopter for the weekend’ themed emails lead to malware
09. A peek inside a ‘life cycle aware’ underground market ad for a private keylogger
10. American Airlines ‘You can download your ticket’ themed emails lead to malware
11. Cybercriminals offer spam-friendly SMTP servers for rent
12. How mobile spammers verify the validity of harvested phone numbers – part two
13. A peek inside a (cracked) commercially available RAT (Remote Access Tool)
14. DIY Russian mobile number harvesting tool spotted in the wild
15. DIY SIP-based TDoS tool/number validity checker offered for sale
16. CAPTCHA-solving Russian email account registration tool helps facilitate cybercrime
17. Historical OSINT – The ‘Boston Marathon explosion’ and ‘Fertilizer plant explosion in Texas’ themed malware campaigns
18. Fake ‘DHL Delivery Report’ themed emails lead to malware
19. Cybercriminals impersonate Bank of America (BofA), serve malware
20. How fraudulent blackhat SEO monetizers apply Quality Assurance (QA) to their DIY doorway generators
21. Managed ‘Russian ransomware’ as a service spotted in the wild
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.