Thursday, August 22, 2013

Vendor of Scanned Fake IDs, Credit Cards and Utility Bills Targets the French Market Segment

Continuing the series of blog posts detailing the latest underground market propositions for fake IDs, credit cards and utility bills, built around efficiency, quality, scalability and universal business concepts, in this post I'll discuss an example of market segmentation in the supply of these goods: an ad targeting potential cybercriminals based in France, or international cybercriminals wanting to enter the French market.

Catch up with previous research on the topic:
What's so special about this underground market proposition, anyway? It's the market segmentation taking place through the eyes of the vendor, as well as the diversity of scanned .PSD Photoshop templates, the non-modifiable scanned documents, and the actual availability of physical fake IDs, all of them exclusively targeting the French market segment.

Sample screenshot of the advertisement:
There are several types of vendors contributing to the currently mature state of the market for fake IDs/documents, or to the cybercrime ecosystem in general. Let's discuss the most popular types of market players.

Among the rarest types of such vendors is the experienced one who tends not to advertise on public or commercially accessible cybercrime-friendly communities. Although it would seem logical to assume that the OPSEC (Operational Security) he applies would cost him orders, since it limits the visibility of his services within the cybercrime ecosystem, that's not necessarily the case once quality, experience, sophistication and, of course, high profit margins based on perceived value come into play. Besides not advertising en masse, such a vendor would also not list his contact details, and would only do business with cybercriminals with a proven reputation not just within the community in question, but across the entire ecosystem.

Next are those vendors who'd sacrifice OPSEC, for the sake of reaching as many customers as possible in an attempt to monetize this market 'touch point' with other prospective cybercriminals. They advertise on public and on commercially accessible cybercrime-friendly communities, usually have a decent reputation, with generally positive feedback from their customers, and of course, never fail to 'deliver' what they pitch.

There's yet another type of such vendors, worth discussing. It's those who 'populate' a newly launched community with their propositions, and most often target novice cybercriminals with zero understanding of cybercrime ecosystem reputation dynamics, who are still looking to purchase this desired, but largely commoditized underground market good.

With more vendors of fake IDs/documents popping up across the entire ecosystem, the series of blog posts profiling their activities is likely to expand.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.

Wednesday, August 21, 2013

The Cost of Anonymizing a Cybercriminal's Internet Activities - Part Three

Over the years, I've been persistently highlighting the abuse of compromised hosts as either 'stepping stones', or as the primary facilitators for 'island hopping' campaigns, empowering those using them with the necessary non-attributable 'know-how' to not just anonymize their Internet activities, but also, engineer cyber warfare tensions.

The utilization of hacked/compromised hosts/PCs as 'island hopping' points, or as 'stepping stones', continues to take place in 2013, with more managed cybercrime-friendly services offering access to compromised hosts located virtually all over the world, access which can be bought in a cost-effective manner thanks to the available discounts and price discrimination schemes.

Catch up with previous research on the topic:
What has changed over the years? Is 'proxy chaining' -- think chaining of connections between multiple malware-infected hosts -- once thought to be the future of anonymization for cybercrime-friendly activities, still relevant today? Or has the concept largely been replaced by the log-free, data-retention-free cybercrime-friendly VPN providers that keep popping up on everyone's radar?

Since 2010, a DIY application that manages multiple HTTPS-supporting gates (each gate being a proxy, which can be a SOCKS4/SOCKS5 compromised host provided it has been properly configured for the purpose), performs a Man-in-the-Middle "attack" on its own traffic -- modifying the cookies/headers of each request for anonymization purposes -- and "chains" requests through compromised hosts/servers, has been commercially available for cybercriminals to take advantage of.

Let's take a closer look at this state-of-the-art gate/proxy chaining cybercrime-friendly application.

Sample screenshots of the application's interface:

The application's author is also known to have released custom builds for various cybercrime-friendly forums:

Some of its core features include:
[+] HTTPS support for PHP gates (requires OpenSSL)
[+] Ability to set a password on the gate.
[+] Ability to work with a gate through any proxy (HTTP(S), SOCKS4, SOCKS5).
[+] Works with the gate exclusively via the GET method, which provides protection from detection through the log files on the server.
[+] Ability to set cookies that are sent when accessing the gate. This is useful for hiding the gate code in the site's files. Format: "cookie=value; cookie2=;"
[+] Each connection is processed in a separate thread.
[+] Ability to download and upload files of unlimited size (if the set_time_limit() restriction cannot be bypassed, files can be downloaded in several parts, provided the target server supports resuming).
[+] A preprocessing mechanism optimizes requests for HTTP 1.0.
[+] If an encryption key is specified (purely symbolic encryption to hide traffic from prying eyes), all data, including the gate password, is transmitted in encrypted form. Enabling/disabling encryption does not require editing the gate code.
[+] Ability to work with several gates. In this case each gate is assigned a specific (randomly chosen) User-Agent, which prevents the target site from linking together requests coming from different gates.
[+] Ability to add X-Forwarded-For, X-Real-Ip and Via headers with random IP addresses to requests to the target site (sites that determine the visitor's IP address from these headers, or that use mod_realip, will log bogus addresses, since these headers mislead the site administrator).
[+] Ability to select the interface to listen on.
[+] Detailed statistics on network connections, with different levels of request profiling (and no logs written to file).
[+] Support for gate chains.
[+] Three chain modes:
- Direct sequence (traffic passes through a series of gates you explicitly specify)
- Random chain (each request is passed through a randomly built chain of gates)
- Random chain with a fixed exit gate (similar to the previous mode, except that the final gate remains constant).
[+] Ability to speed up surfing through the chain by locally caching IP addresses.
[+] Support for HTTPS gates regardless of their number.
[+] Cascade encryption: the ability to use any number of gates with different encryption keys.
[+] Built-in gate checker.
[+] You can check all the gates at once, or each gate individually when adding/editing.
[+] Built-in gates.
[+] Ability to insert a pre-generated permutation table into the gate code. This eliminates the need to store the encryption key directly in the gate, and to generate the table on each access to the gate.
[+] Automated creation of a gate masked with cookies.
[+] Ability to strip line breaks and tabs from the code.
[+] Ability to set arbitrary request headers.
[+] Ability to define the hosts to which a specific header will be sent.
[+] Ability to temporarily activate/deactivate a specific header.

[+] Key strengthening to 2048 bits (256 bytes) using MD5
[+] Complete independence of the bytes from each other (including byte order and encrypted block length).
[+] A variable number of permutation rounds, depending on the key.
[+] Partial salting as an XOR of a byte of the key hash.
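The forged X-Forwarded-For / X-Real-Ip / Via headers listed above only mislead a site that trusts those headers from arbitrary peers. The following is an added example (not code from the original post or from the application it describes) showing how a defender should derive the client address: trust forwarding headers only when the direct peer is one of your own reverse proxies, and flag them otherwise. The proxy list and log entries are constructed sample values.

```python
"""Deriving a client IP safely when requests may carry forged
X-Forwarded-For / X-Real-Ip / Via headers. Only the direct peer address is
authoritative; forwarding headers are honoured only when the peer is a
known reverse proxy. Proxy list and log entries below are constructed."""
import ipaddress

# Assumption: these are our own reverse proxies (constructed sample value).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

def resolve_client_ip(peer_ip, headers, trusted=TRUSTED_PROXIES):
    """Return (client_ip, spoof_suspected).

    Walk X-Forwarded-For right-to-left, skipping hops that are trusted
    proxies; the first untrusted hop is the client. If the peer itself is
    not a trusted proxy, ignore every forwarding header and flag any that
    are present, since only the peer could have added them legitimately."""
    peer = ipaddress.ip_address(peer_ip)
    forward_hdrs = {k.lower(): v for k, v in headers.items()
                    if k.lower() in ("x-forwarded-for", "x-real-ip", "via")}
    if peer not in trusted:
        return str(peer), bool(forward_hdrs)
    hops = [h.strip() for h in forward_hdrs.get("x-forwarded-for", "").split(",")
            if h.strip()]
    client = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(client), True   # malformed hop: treat as tampering
        if addr in trusted:
            continue                   # our own proxy, keep walking left
        client = addr
        break
    return str(client), False

# Constructed sample log: (peer address, forwarding headers seen on request).
SAMPLE_LOG = [
    ("203.0.113.9", {"X-Forwarded-For": "198.51.100.77", "Via": "1.1 proxy"}),
    ("10.0.0.5", {"X-Forwarded-For": "192.0.2.44, 10.0.0.5"}),
    ("10.0.0.5", {"X-Forwarded-For": "not-an-ip, 10.0.0.5"}),
    ("198.51.100.2", {}),
]

def audit(log=SAMPLE_LOG):
    """Return (peer, client_ip_to_record, spoof_suspected) for each entry."""
    return [(peer,) + resolve_client_ip(peer, hdrs) for peer, hdrs in log]
```

The first entry is exactly the case the feature list describes: an untrusted peer presenting a random X-Forwarded-For, which is recorded under the peer address and flagged rather than logged as 198.51.100.77.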

With the ease of assessing a malware-infected host's bandwidth, thanks to the overall availability of such an option among the most popular managed services offering access to such hosts, it shouldn't be surprising that a potential cybercriminal using this application would be in a perfect position to create -- in a DIY fashion -- a stable anonymous network, further assisting him on his way to achieving his fraudulent or purely malicious objectives.

The bottom line? What's the cost of anonymizing a cybercriminal's Internet activities? 1,900 rubles or $57.53 for the application, in this particular case.

This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.