Security, A Many Faceted Problem (part 2)
Today I’m going to continue my ramblings from last week’s RSA security webinar and spice it up with some research I’ve done on my own. Need some fresh ramble to go with the pre-packaged drivel 🙂
Looking back to last week, we discussed how fraudsters are “mainstreaming” their efforts by taking best practices from the corporate world and incorporating them into the business of fraud. So the question could be, “How does one get to be a fraudster?” Well, it’s extremely easy, which is why we are inundated with threats from all over the world.
First, you do a little googling and come across a “Carders Market”. These underground electronic markets traffic in low-level fraudulent information and represent the beginner level of fraudulent activity. However, this is where a budding fraudster earns his street cred. Basically anyone can join a Carders Market, but until you get some good references from other fraudsters vouching that you’re legit, you’re not going to go any further. You’ll need something to trade, whether it’s skills, warez or information, to gain the acceptance of the community before you move up the food chain.
Once you have some references you truly start descending into the underground economy: you gain access to the elite message boards and forums. Here the wares get more exotic, with folks selling illegal goods and animals and trafficking in large volumes of stolen data. Others offer their services as hosts for zombie or bot networks, touting their server availability and “bulletproof” hosting. Some advertise their software skills for creating malware and their phishing expertise. The larger fraud outfits (Rock Phish) may be recruiting mules (we’ll discuss this term later) or even talent, just like the Monster or Dice job boards.
A particularly popular service listed on these boards is fraud sold on a per-seat license model. Hypothetically you could invest $300 a month for a 2,000-computer fraud scam that may net you a large payout in e-gold, the preferred currency of the fraudster.
Of course, among this cabal of fraud and deceit there is no honor. Fraudsters blackmail one another by threatening to destroy each other’s reputation via cloned accounts on message boards or other fabricated electronic evidence, extorting payments so that the fraudster on the receiving end can keep his access to whatever illegal board or chat room he inhabits.
My next post will cover Rock Phish, the premier phishing group, based out of Russia. If any of you are into the older Bond movies, they are like SPECTRE, but with less cheesy movie sets and more real cash: over 100 million in ill-gotten gains to date.