Exploring The Underground Credentials Market

Due to the difficulties of monetising stolen credit cards, fraudsters are turning to other data sources to gain illicit monetary advantage, says Amichai Shulman

Positive “sticky threads” place the user’s message at the top of the message queue, or keep the message in the forum for a longer period. De-prioritising a “sticky thread” pulls the user’s messages towards the end of the queue, or expires them altogether. “Sticky threads” are granted both through bribery of the forum’s administrator and through a reputation-based system. Bribery may take the form of a small subset of the goods for sale (for example, a sample of the stolen credentials) or a “commission” on a sale of the goods. The reputation-based system relies on feedback from other forum users: a user with a record of successful past transactions is considered reliable and thus earns her “sticky thread”.

However, a user who does not deliver goods upon payment is quickly tagged as a “ripper”. The payer may then complain to the forum administrator, who may decide to revoke the ripper’s “sticky thread” or even ban the ripper from the forum altogether. Any logged-in user may post a message to the forum, and posts are public in the sense that any logged-in user can read them. When a reader is interested in the contents of a post, a “match” is made and the reader contacts the individual who posted the message at a private online location external to the forum (e.g. via IM).

While an underground forum only establishes the initial match between buyer and seller, who then proceed with their dealings outside the forum, IRC channels provide the complete marketplace: matches are made and transactions are performed entirely within the IRC channel. These marketplaces are considered more secretive than underground forums because they are not indexed by search engines.

While forums are picked up by search engines, it is not possible to “hit” an IRC channel via a search engine. Rather, IRC channels are known by word of mouth. In this model, the interested IRC user (buyer or seller) connects to an IRC network via a server. Once connected, the user chooses the channel she is interested in joining.

It is assumed that a user who has gained knowledge of the existence of a particular IRC channel is a serious participant rather than merely a lurker. Nevertheless, individual channels also employ reputation-based systems similar to those found in the underground forum model. An IRC user may follow up on a public communication and join the “conversation” at any moment. If a “match” occurs during the conversation, the two parties may then communicate over a private one-on-one IRC room, and it is in those private rooms that the contract between the parties is concluded.

Regardless of the marketplace, the parties in play are all similar. In the case of online credential sales, a single transaction may be performed – namely between the seller of the credentials and the buyer. This scenario is slightly more complex in the case of credit cards, as an additional party is required to cash out on the card, as described in the section “Monetising on credit cards”. Once a buyer obtains the database of credit cards, she re-enters the marketplace, this time to seek the user who can cash out on the cards, for example, a plastic card manufacturer.

We have seen that in these cases the buyer of the stolen credit cards and the user who monetises the cards split the earnings on a 40 percent – 60 percent basis: the buyer receives 40 percent of the earnings, while the user who took the higher risk by monetising the cards retains the larger share.

The different marketplaces also use the same currencies. In cyber-criminal underground marketplaces, both online payment services and offline monetary transfers are used, according to the buyer’s and seller’s preferences. The current underground trend is for online payments to go through Liberty Reserve and WebMoney, while Western Union and MoneyGram are the services more commonly used for cash transactions.

Conclusion

Due to the large supply of credit card numbers and the difficulties in monetising them, fraudsters are turning to other data sources to gain illicit monetary advantage. The alternative source comes in the form of application credentials which, once stolen, may be used for a range of malicious activities: performing online banking transactions, harvesting additional addresses, or serving as a stepping stone to other application accounts. We believe that this trend has only just started to pick up and still has much room to grow before it reaches its peak and hackers latch onto their next data source.

Amichai Shulman is chief technology officer at data security firm Imperva