Cybercriminals Offer High Quality Plastic U.S Driving Licenses/University ID Cards

August 29, 2013
Continuing the series of blog posts profiling the most recent underground market propositions for high quality fake passports/IDs/documents, in this post I'll focus on a cybercrime-friendly vendor that's exclusively targeting the U.S. market.

Go through previous research into the market for fake passports/IDs/documents:
Offering fake plastic driving licenses for over 25 U.S. states, as well as student IDs for major U.S. universities, at a flat price of $150, the vendor not only currently outperforms competing vendors in terms of quality in this particular market segment -- at least within the cybercrime-friendly community in question -- but is also already receiving recommendations from other cybercriminals to raise the price of his underground market 'asset', indicating penetration pricing in action.

Payment methods accepted? Bitcoin, Western Union and Moneygram.

Sample underground market ad:
[VENDOR's NAME REDACTED] has over 25+ states on tap, along with 'secondaries' to offer, all of which are high quality, meaning in-state without issue, in most cases. All IDs contain UV (where applicable as some states don't), multispec-hologram, 1D/2D barcode and/or magstripe that will scan/swipe to read DMV/AAMVA license standard.

The vendor requires the following data from his potential customers:
Name - First, MI, Last
Address
DOB
Sex
Hair Color
Height
Weight
Eye color
Driver License number - if a number isn't provided one will be randomly generated
Endorsements and/or Restrictions - if not included these will be left blank
Scanned signature - if not provided you will receive a generic font signature

More/less info may be required depending on the state requested.

Scanned passport picture - no webcam pictures can be accepted.

If you cannot get a real passport picture and have a decent camera, please take a pic from the chest up against a white background/drywall with the flash 'ON'. I will handle the cropping aspect. Also try to have good lighting and when scanning use high resolution. You may also upload a signature. I ask that this be written using a black sharpie style pen to achieve the best results.

You may upload this info to sendspace.com or the file-sharing site of your choosing and forward me the download link. I will confirm reception via email and your order will begin processing. All IDs are 150USD with incentives for group buys. Payment can be made via BTC, WU, Moneygram. Payment will be collected upon completion and approval of your order.


Sample screenshots of the service's current 'inventory':

The market for fake passports/IDs/documents is prone to flourish, as more cybercriminals demand both scanned and plastic fake IDs, to be later on abused in related fraudulent schemes. Naturally, the market is quick to supply, and those who excel in their Operational Security and in the quality of their underground market 'assets' will begin occupying a decent market share within this underground market segment.

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Four

August 23, 2013
Continuing the "The Cost of Anonymizing a Cybercriminal's Internet Activities" series, in this post I'll profile an API-supporting, blackhat SEO-friendly vendor of anonymization services, which is currently offering hundreds of thousands of compromised SSH accounts, HTTP/HTTPS based (compromised) proxies, and the Socks 4/5 servers that are ubiquitous across the cybercrime ecosystem.

Catch up with related research on the topic:
The service is currently offering access to 180,331 compromised SSH accounts, 9597 HTTP/HTTPS proxies, and 110,185 (compromised) Socks servers located virtually all over the World.

How are they gaining access to this accounting data in the first place? Despite the overall availability of brute-forcing tools, in 2013 one of the most popular tactics for obtaining stolen/compromised accounting data remains the practice of 'data mining' a botnet's already infected 'population' for virtually any kind of accounting data, to be later on monetized through multiple distribution/abuse channels.

Sample screenshots of the anonymization service:

Sample screenshots of the API in action:

What's also worth emphasizing is that the service is not just targeting potential cybercriminals wanting to anonymize their Internet activities, but also black hat SEO monetizers, who now have access to hundreds of thousands of fresh Socks servers to abuse on their way to monetizing their fraudulent/malicious campaigns.

Vertical market integration, or the one-stop-shop market model, has always been an inseparable part of the cybercrime ecosystem, as it increases the probability that a cybercriminal's one-stop-shop would immediately occupy a larger market share within the cybercrime ecosystem, consequently resulting in more revenue from the facilitation of fraudulent and malicious activity.

Some of the most popular instances of this trendy business concept applied by cybercriminals internationally include, but are not limited to, the following real-life underground market propositions:
  • A vendor of mobile spamming services would not only offer the actual spamming process, but also offer harvested mobile numbers as a value-added service, next to the on-demand harvesting of mobile numbers for any given geographical region.
  • A vendor of managed spam services would also offer the option to buy segmented and geolocated, as well as often validated, email addresses, with the ability to perform custom harvesting for any given country.
  • A vendor of a managed iFraming platform would also offer access to hijacked traffic to be automatically converted into malware-infected hosts through the platform, with additional services including, for instance, managed crypting of the iFrame/malicious script in real time.
  • An author of a Web malware exploitation kit would also offer managed iFrame/script crypting services next to bulletproof hosting, in case the customer desires those.
The cost of anonymizing a cybercriminal's Internet activities in this particular case? The price is shaped based on the anonymization method of choice.

This post has been reproduced from Dancho Danchev's blog.

Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment

August 22, 2013
Continuing the series of blog posts detailing the very latest underground market propositions for fake IDs, credit cards and utility bills, oriented around efficiency, quality, scalability and universal business concepts, in this post I'll discuss an example of market segmentation in terms of supplying them, through an ad targeting potential cybercriminals based in France, or international cybercriminals wanting to enter the French market.

Catch up with previous research on the topic:
What's so special about this underground market proposition, anyway? It's the market segmentation taking place through the eyes of the vendor, as well as the diversity of scanned .PSD Photoshop templates, the non-modifiable scanned documents, and the actual availability of physical fake IDs, all of them exclusively targeting the French market segment.

Sample screenshot of the advertisement:

There are several types of vendors contributing to the currently mature state of the market for fake IDs/documents, or to the cybercrime ecosystem in general. Let's discuss the most popular types of market players.

Among the rarest type of such vendors is the experienced one who tends not to advertise on public or commercially accessible cybercrime-friendly communities. Although it would seem fairly logical to assume that the applied OPSEC (Operational Security) would directly translate into fewer processed orders, since it limits the visibility of his services within the cybercrime ecosystem, that's not necessarily the case when quality, experience, sophistication and, of course, high profit margins based on perceived value come into play. Besides the lack of mass advertisements, the vendor would also not list his contact details, and would only do business with cybercriminals with a proven reputation, not just within the community in question, but across the entire ecosystem.

Next are those vendors who'd sacrifice OPSEC for the sake of reaching as many customers as possible, in an attempt to monetize this market 'touch point' with other prospective cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly communities, usually have a decent reputation with generally positive feedback from their customers, and of course never fail to 'deliver' what they pitch.

There's yet another type of such vendors worth discussing: those who 'populate' a newly launched community with their propositions, and most often target novice cybercriminals with zero understanding of cybercrime ecosystem reputation dynamics, who are still looking to purchase this desired, but largely commoditized, underground market good.

With more vendors of fake IDs/documents popping up across the entire ecosystem, the series of blog posts profiling their activities is bound to expand.

This post has been reproduced from Dancho Danchev's blog.

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three

August 21, 2013
Over the years, I've been persistently highlighting the abuse of compromised hosts as either 'stepping stones', or as the primary facilitators for 'island hopping' campaigns, empowering those using them with the necessary non-attributable 'know-how' to not just anonymize their Internet activities, but also, engineer cyber warfare tensions.

The utilization of hacked/compromised hosts/PCs as 'island hopping' points, or as 'stepping stones', continues to take place in 2013, with more managed cybercrime-friendly services offering access to compromised hosts located virtually all over the World, access to which can be bought in a cost-effective manner, thanks to the available discounts or price discrimination schemes.

Catch up with previous research on the topic:
What has changed over the years? Is what was once thought to be the future of anonymization for cybercrime-friendly activities, 'proxy chaining' -- think chaining of connections between multiple malware-infected hosts -- still relevant today? Or was the concept largely replaced by the log and data retention free cybercrime-friendly VPN providers that keep popping up on everyone's radar?

Since 2010, an HTTPS-supporting, DIY application for managing multiple 'gates' (proxies, which can be compromised Socks 4/Socks 5 hosts, provided they have been properly configured for the purpose) has been commercially available for cybercriminals to take advantage of. It performs a Man-in-the-Middle "attack" on the requests passed through the "chain" of compromised hosts/servers, modifying their cookies/headers in order to randomize them for anonymization purposes.

Let's take a close look at this state of the art gate/proxy chaining cybercrime-friendly application.

Sample screenshots of the application's interface:

The application's author is also known to have released custom builds for various cybercrime-friendly forums:

Some of its core features include:
[+] HTTPS support for PHP gates, needs OpenSSL.
[+] Ability to set a password on the gate.
[+] Ability to work with a gate through any proxy (HTTP(S), SOCKS4, SOCKS5).
[+] Working with gates exclusively via the GET method, which provides protection from detection through the log files on the server.
[+] Ability to set Cookies transferred while handling the gate. This is useful for hiding the code in the files of the gate site. Format: "cookie = value; cookie2 = ;"
[+] Processing of each connection is in a separate thread.
[+] Ability to do unlimited downloads and uploads of large files (in case of inability to bypass restrictions from set_time_limit() it can download files in several passes, provided the target server supports resuming).
[+] Preprocessing mechanism optimizes queries under HTTP 1.0.
[+] An encryption key can be specified (purely symbolic encryption to hide traffic from prying eyes), and all data, including the password for the gate, are transmitted in encrypted form. Enabling/disabling the encryption does not require editing the gate code.
[+] Ability to work with several gates. In this case, each gate is assigned a specific User-Agent (assigned by chance), which does not allow the target site to link together the requests from different gates.
[+] Ability to add the X-Forwarded-For, X-Real-Ip and Via headers with random IP addresses to the request to the target site (in this case, sites that use mechanisms for determining the visitor's IP address from these headers, or that use mod_realip, will end up logging bogus addresses, as these headers mislead the site administrator).
[+] Ability to select the interface to listen on.
[+] More statistics on network connections; there are different levels of profiling queries (and no logs are written to file).
[+] Support for chains of gates.
[+] Chains with 3 modes:
- Direct sequence (traffic passes through a series of gates that you explicitly stated)
- Random chain (each request is passed through a randomly built chain of gates)
- Random chain with a specific output gate (similar to the previous mode, except that the final gate remains constant).
[+] Ability to speed up surfing through the chain by local caching of IP addresses.
[+] Support for HTTPS gates, regardless of their number.
[+] Cascade encryption - the ability to use any number of gates with different encryption keys.
[+] Built-in gate checker.
[+] You can check all the gates at once, or each gate individually when adding/editing.
[+] Built-in gates.
[+] Ability to insert a pre-generated permutation table into the gate code. This eliminates the need to store the encryption key directly in the gate, and to generate a table on each access to the gate.
[+] Automates the process of creating a masked gate with Cookies.
[+] Ability to delete line breaks and tabs from the code.
[+] Ability to set arbitrary request headers.
[+] Ability to define hosts to which a specific header will be sent.
[+] Ability to temporarily activate/deactivate a specific header.

[+] Key strengthening to 2048 bits (256 bytes) using md5.
[+] Complete independence of bytes from each other (including the order of the bytes and the encrypted block length).
[+] Variable number of permutation rounds, depending on the key.
[+] Partial salt as an XOR'd byte of the hash key.
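The X-Forwarded-For/X-Real-Ip/Via feature in the list above only fools sites that attribute requests to those headers instead of to the TCP peer. The following is an added Python example (not code from the post or from the tool it profiles) that attributes each access-log entry to the real peer, honours X-Forwarded-For only when it was set by an assumed trusted reverse proxy, and rejects obviously bogus values; the log lines and the proxy address are constructed for the example.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

# Constructed sample log lines (not from the page): combined log format with the
# X-Forwarded-For request header appended as the last quoted field.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Aug/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.23"
10.0.0.5 - - [21/Aug/2013:10:00:02 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.0.2.44"
203.0.113.7 - - [21/Aug/2013:10:00:03 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/7.2" "-"
10.0.0.5 - - [21/Aug/2013:10:00:04 +0000] "GET /admin HTTP/1.1" 403 128 "-" "Mozilla/5.0" "127.0.0.1"
"""

# Hypothetical reverse-proxy address that is allowed to set X-Forwarded-For.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Address ranges that can never be a legitimate Internet client (IPv4 only here).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'\S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$')


class Finding(NamedTuple):
    peer: str          # TCP peer as seen by the server; not forgeable at the app layer
    effective_ip: str  # address the request should be attributed to
    reason: str        # why the X-Forwarded-For value was or was not trusted


def attribute(line: str) -> Optional[Finding]:
    """Decide which address a single log line should be attributed to."""
    m = LINE_RE.match(line)
    if not m:
        return None
    peer = ipaddress.ip_address(m["peer"])
    xff = m["xff"].strip()
    if xff in ("", "-"):
        return Finding(str(peer), str(peer), "no X-Forwarded-For header")
    # Anything not set by a proxy we control is client-supplied noise.
    if peer not in TRUSTED_PROXIES:
        return Finding(str(peer), str(peer), f"ignored forged X-Forwarded-For {xff!r} from untrusted peer")
    try:
        claimed = ipaddress.ip_address(xff.split(",")[0].strip())  # left-most hop only
    except ValueError:
        return Finding(str(peer), str(peer), f"unparseable X-Forwarded-For {xff!r}")
    if any(claimed in net for net in BOGON_NETS):
        return Finding(str(peer), str(peer), f"non-routable X-Forwarded-For {claimed} rejected")
    return Finding(str(peer), str(claimed), "X-Forwarded-For accepted from trusted proxy")


def attribute_all(log: str) -> List[Finding]:
    return [f for f in (attribute(line) for line in log.splitlines()) if f]
```

Because the peer address comes from the TCP connection rather than from a header, requests arriving through chained gates still attribute to the last gate in the chain, which is the address worth blocking or correlating.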


With the ease of assessing a malware-infected host's bandwidth, thanks to the overall availability of such an option among the most popular managed services offering access to such hosts, it shouldn't be surprising that a potential cybercriminal using this application would be in a perfect position to create -- in a DIY fashion -- a stable anonymous network, to further assist him on his way to achieving his fraudulent or purely malicious objectives.

The bottom line? What's the cost of anonymizing a cybercriminal's Internet activities? 1,900 rubles or $57.53 for the application, in this particular case.

This post has been reproduced from Dancho Danchev's blog.