Underground crooks quickly block Blackhole creator Paunch’s account following his apparent arrest, Tom Brewster finds
“Mr. Soze rarely works with the same people for very long, and they never know who they’re working for. One cannot be betrayed if one has no people.” So says Kobayashi in The Usual Suspects. It’s an ethos that many in the cyber crime world carry with them, and the Internet facilitates this, making it simple to distance oneself from compromised contacts.
Hence the highly cautious reaction to the arrest of the person accused of being Paunch, creator of the Blackhole exploit kit, and its even more expensive sister product Cool.
‘Turmoil’ amongst Russian cyber crooks
“There was some turmoil in the Russian underground community about his arrest, and his user [ID] was banned from several forums, which suggests that the admins are aware of his arrest and are protecting themselves, their forums, and their communities,” one source working the forums tells me.
Locking Paunch out of forums will be vital if crooks want to avoid law enforcement. Police have proven themselves adept at getting hold of ID and login details of those they arrest – and then using them to pose as crooks.
Carl Leonard, security research manager at Websense, says he has seen forum posts being edited or taken down to remove any potentially incriminating evidence of contact with Paunch. Some websites related to Blackhole, like the crypt.am service used to encrypt the exploit kit, have been shut down too.
“They’re trying to get some layer of abstraction between them and those who might be involved in criminal affairs,” Leonard adds.
Blackhole usage has taken a hit too. F-Secure’s Sean Sullivan told me the firm has seen fewer Blackhole and Cool exploit attempts in the telemetry it collects upstream from its customers.
Could Blackhole make a comeback? It all depends on whether anyone takes up the torch and carries the code forward, maintaining it as well as Paunch did and ensuring the latest exploits are incorporated into the software. If someone steps up, there’s no reason it won’t be “market leader” again, given that many are used to the tool, its attractive interface and its comprehensive functionality.
What the reaction to the Paunch arrest shows, though, is that cyber crooks move quickly to protect themselves when big news hits. Backed by anonymising tools like the Tor Browser, this makes life for law enforcement particularly tricky, even if they claim to have ways of unmasking anyone on the underground forums.
Yet there is a key difference between the real and virtual worlds that may benefit law enforcement. Because police forces and their industry partners monitor the dark web forums heavily, records of past messages are kept, so it is possible to see where posts have been changed or removed and where the reaction to an arrest is strongest. In a world where Internet sleuths constantly follow trails of breadcrumbs, this kind of visibility lets investigators focus on particular markets. And that’s bad news for Paunch’s old allies.
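The monitoring described above works by comparing archived captures of a forum taken before and after the news broke. The following Python is an added example to illustrate that comparison; it is not code from the article or from any of the firms quoted in it. The two snapshots, the post IDs, the author names and the post texts are constructed test data, and "paunch" is used only as the handle being scrubbed.

```python
"""Detect edited or removed forum posts between two archived snapshots.

Added example, not from the article: it models the change-tracking the
article describes, where archived captures of a forum let analysts see
which posts were altered or deleted after an arrest, and by whom.
Snapshots, post IDs, author names and texts are constructed test data.
"""
import difflib
import re

# Constructed snapshot taken before the arrest news broke.
BEFORE = {
    101: {"author": "vendor_a", "text": "Need a Cool license, PM me or paunch directly"},
    102: {"author": "crypter_guy", "text": "crypt.am handles BH payloads fine, ask paunch for discount"},
    103: {"author": "lurker9", "text": "anyone have current BH traffic prices?"},
    104: {"author": "vendor_a", "text": "paunch says next update lands monday"},
}

# Constructed snapshot taken after the news: one post deleted, two edited.
AFTER = {
    101: {"author": "vendor_a", "text": "Need a Cool license, PM me"},
    102: {"author": "crypter_guy", "text": "crypt.am handles BH payloads fine"},
    103: {"author": "lurker9", "text": "anyone have current BH traffic prices?"},
}

# Handles whose disappearance from a post is worth flagging (assumption).
WATCH_HANDLES = ("paunch",)


def _scrubbed_handles(old_text, new_text, watch):
    """Watched handles mentioned in old_text that no longer appear in new_text."""
    def mentions(text):
        words = set(re.findall(r"[a-z0-9_]+", text.lower()))
        return {h for h in watch if h in words}
    return sorted(mentions(old_text) - mentions(new_text))


def diff_snapshots(before, after, watch=WATCH_HANDLES):
    """Return deleted post IDs and, for each edited post, its author, a
    word-level unified diff, and the watched handles the edit removed."""
    deleted = sorted(pid for pid in before if pid not in after)
    edited = {}
    for pid, old in before.items():
        new = after.get(pid)
        if new is None or new["text"] == old["text"]:
            continue
        diff = list(difflib.unified_diff(
            old["text"].split(), new["text"].split(),
            fromfile=f"post{pid}@before", tofile=f"post{pid}@after",
            lineterm="", n=0))
        edited[pid] = {
            "author": old["author"],
            "diff": diff,
            "scrubbed": _scrubbed_handles(old["text"], new["text"], watch),
        }
    return {"deleted": deleted, "edited": edited}


def scrub_report(before, after, watch=WATCH_HANDLES):
    """Rank authors by how many of their posts were edited or deleted so that
    a watched handle vanished: where the reaction to the arrest is strongest."""
    result = diff_snapshots(before, after, watch)
    counts = {}
    for pid in result["deleted"]:
        post = before[pid]
        if _scrubbed_handles(post["text"], "", watch):
            counts[post["author"]] = counts.get(post["author"], 0) + 1
    for info in result["edited"].values():
        if info["scrubbed"]:
            counts[info["author"]] = counts.get(info["author"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    print("deleted posts:", changes["deleted"])
    for pid, info in changes["edited"].items():
        print("\n".join(info["diff"]))
    for author, n in scrub_report(BEFORE, AFTER):
        print(f"{author}: {n} post(s) scrubbed of {WATCH_HANDLES}")
```

On the constructed data, post 104 is reported as deleted, posts 101 and 102 as edited with "paunch" removed, and vendor_a ranks first with two scrubbed posts. In practice the snapshots would come from periodic captures of the forum, and the watch list would hold the handles of the arrested party and known associates.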