
‘They Sent A Guy A Coffin With His Name On It’ – Why Russian Cyber Crooks Are So Scary

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

On a trip to RSA’s Anti-Fraud Command Center in Tel Aviv, TechWeekEurope learns about the lengths Russian cyber crooks will go to protect their own

Russian cyber crooks hanging around the darkweb are the most advanced fraudsters on the planet. And, worryingly for the rest of the world, they are some of the most patriotic too.

That’s what TechWeekEurope heard during a trip to RSA’s Anti-Fraud Command Center (pictured) in Tel Aviv, Israel, where sleuths, who spend their days interacting with cyber crooks on the darkweb to learn about the latest trends amongst Russia’s Internet thieves, told one particularly Godfather-esque story.

On a certain underground forum, when someone upset the Russians, they sent the offending party a coffin with his initials inscribed on it. And some flowers, just for added creepiness. Can they find addresses of people on these dark markets though?

“They try and sometimes they succeed,” says one cyber intelligence agent at the AFCC. “As funny as it may be, some of these fraudsters don’t have a clear separation between their online identity and their real identity. Searching their nicknames on Google can reveal actual information about the person. Fraudsters take advantage of that, especially when it comes to fraudsters ripping each other off.

“They deal very seriously with these ‘rippers’, people who try to scam them or law enforcement, up to the extent they will engage in scaring tactics to make them regret they ever started a feud with them.”

Sickeningly skilled cyber crooks

But such mafia tactics aren’t what concern the Internet’s defenders most. It’s how technically and financially well endowed Russian cyber crooks are, and how willing they are to attack other nations, especially western ones.

“They come up with the most innovative technical solutions,” adds the analyst. “The sums they are talking about in terms of fraud revenues are much higher than other fraudsters.

“Spending big sums of money, as in tens of thousands of dollars on specific Trojans or vulnerabilities is not a problem for them.”

They are leaders in their field too, the agent says. “They’re not followers. They are trend creators.” In terms of what is hot right now, malware targeting point of sale systems and ATMs is something to look out for, according to the RSA analyst.

Just becoming part of the illicit online scene is difficult enough. The Russians work in secretive groups on the darkweb. To get on one of the more lucrative forums, budding cyber crooks have to be recommended by five or ten users already active on their platform of choice. Then there’s a registration fee of a few hundred dollars to shell out. Again, that’s no issue for any serious player.

The site the researcher shows us, which he says has approximately 60,000 users, is nicely put together, with some genuinely enticing banner ads (much like the ones you see on TechWeekEurope…). Only these ads are touting stolen credit card details.

Members of this elite club aren’t just selling data, Trojans and exploits, they are also looking for assistance in fresh campaigns. He says some are on a recruitment drive for bank insiders, who can help them acquire even more funds.

Over the past year, Russia has been a hive of law enforcement activity, which indicates two things: cyber crime is big business and police are doing their best to crack down on it. In March, officers from the elite Lynx squad of the Interior Ministry swooped down from the roof of a block of flats to a 16th floor residence where the ringleaders of a Trojan operation, two brothers, were living. One of the arrested was shown crying during a television recording of the ostentatious bust.

In January, the FBI announced charges against three men over their Gozi malware campaign, believed to have cost banks tens of millions of dollars. One of those was a Russian national, who, after pleading guilty, assisted the police in tracking down the other suspects, both from former USSR satellite states.

It’s believed the Gozi Prinimalka campaign, which, as found by RSA, was to initiate “the most substantial organised banking-Trojan operation” ever, was being planned by Russian cyber crooks too. TechWeekEurope understands the crooks have now shifted their infrastructure elsewhere and may be lying low, building up a fresh campaign after their plot was, unfortunately for them, widely reported.

Why such a talent for crime?

Idan Aharoni, head of cyber intelligence at RSA’s Anti-Fraud Command Center in Tel Aviv, tells TechWeekEurope Russia is on the “cutting-edge of fraud”, whilst a certain pride in their country leads them to attack US organisations more than others. And they look after their own.

“There is a patriotism and a dislike towards America,” he told TechWeekEurope. “In the Russian underground, it’s a sort of taboo to target Russians, which is quite different to, say, German fraudsters who mostly focus on Germans.”

Aharoni notes a number of contributing factors that made Russia such a hive for Internet-based fraud.

“There are a lot of poor areas, poor people, and the law is not as strict as in the US, and people there are very capable with technology. There are a lot of people who know their stuff, in terms of making computer programs. And it’s relatively easy money… you know the chance of getting arrested is relatively low.”
