Digital Fingerprints

Examining Underground Economy Servers


In my previous column, I briefly mentioned underground economy servers and the role they play in identity theft. This column will take a closer look at how criminals operate them.

Underground economy servers came to the forefront in October 2004 when the U.S. Secret Service, in collaboration with law enforcement agencies around the world, conducted raids on members of the ShadowCrew.com message board.

Between 2002 and the 2004 indictment, ShadowCrew.com had become, along with the Russian site CarderPlanet, a clearinghouse that enabled members to buy, sell, or trade hacked credit and bank cards, false identities, and stolen personally identifiable information (PII). PII can include government-issued identity numbers, PINs, user accounts, and e-mail address lists, among other information.

These clearinghouse message boards became part of the underground landscape as cyber-criminals turned from disrupting IT infrastructures (remember the "I Love You" virus of 2000?) to developing malware with financial gain in mind and hacking for profit.

TUTORIALS AND MALICIOUS TOOLS 

Cyber-fraudsters can find a wide range of goods and services on the Web that support online criminal activities. For beginners, some message boards on underground servers include tutorials that introduce them to using forged credit cards, scamming, phishing techniques, and other criminal topics.

Symantec's November 2008 "Report on the Underground Economy" details malicious software available for purchase on underground economy servers. Cyber-criminals use this software to steal PII and collect hacked accounts from computer systems they've compromised. They then resell this information, these accounts, and entire compromised systems on the same or other underground economy servers.

Cyber-criminals also can sell, resell, or rent compromised hosts for such scams as phishing and for receiving and storing logs generated by keystroke loggers or Trojan-horse backdoors.

Symantec identifies several categories of malicious software that serve as revenue-generating tools. Among them are:

Botnets: Networks of compromised hosts used for a variety of online criminal ventures. They are used for spamming, hosting scams like phishing, launching denial-of-service attacks, and more. These can either be sold or rented out for a number of hours or days.

Structured Query Language (SQL) injection tools: A hacker uses these to gather such private information as usernames and passwords from legitimate Web sites. SQL, a database language used to retrieve and manipulate data, is used in Web-based applications to allow them to communicate with a database to generate transactional Web pages, such as a catalog or order form, which the user sees. The application thus passes queries and information processing commands to the database. 

Legitimate, well-designed Web sites should validate user input and, more importantly, pass user-supplied values to the database as query parameters rather than splicing them into the SQL text, so that malicious commands can't reach the database. Such a malicious command could take the form of a query for all credit card numbers stored in the database. But in many cases, neither of these safeguards is in place, and a cyber-criminal might be able to send a command to the database via a Web-based form to retrieve PII stored in the database.
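To make the mechanism concrete, the following is an added example (not code from the column or from Symantec's report) showing a login query built by string concatenation next to the same query written with parameters. The table name, column names, and customer rows are constructed for illustration, and the in-memory SQLite database stands in for a Web site's back end.

```python
"""Added example: SQL injection through string concatenation versus a
parameterized query, using an in-memory SQLite database. The customers
table, its columns and its rows are constructed sample data, not real."""
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for a Web shop's customer table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (username TEXT, password TEXT, card_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "4111111111111111"),
            ("bob", "hunter2", "5500000000000004"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    # Vulnerable: the form fields are spliced straight into the SQL text, so
    # the input can change the structure of the query, not just its values.
    sql = (
        "SELECT username, card_number FROM customers "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str, password: str):
    # Hardened: placeholders send the values to the database separately from
    # the query text, so the input is never parsed as SQL.
    sql = (
        "SELECT username, card_number FROM customers "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


# Classic tautology payload: closes the string literal, makes the WHERE
# clause always true, and comments out the password check with "--".
INJECTION_PAYLOAD = "' OR '1'='1' --"


def demo():
    conn = make_db()
    leaked = lookup_vulnerable(conn, INJECTION_PAYLOAD, "anything")
    blocked = lookup_safe(conn, INJECTION_PAYLOAD, "anything")
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("concatenated query returned:", leaked)   # every card in the table
    print("parameterized query returned:", blocked)  # nothing
```

With the payload in the username field, the concatenated query becomes `... WHERE username = '' OR '1'='1' --' AND password = 'anything'`, which returns every row; the parameterized version simply looks for a customer literally named `' OR '1'='1' --` and finds none. Input validation is worth keeping as defense in depth, but parameterization is what removes the flaw.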

Malicious software: Cyber-criminals might purchase ready-made malicious software on underground servers, or find developers of malicious software willing to write it for specific purposes.

Exploit code: Exploits take advantage of flaws in the ways applications are written or designed. But unlike other tools that automatically attack many varied systems, these are designed to attack specifically selected high-value targets.

PAYMENT SYSTEMS 

Like any other market, the price and profitability of goods and services available on underground economy servers will be based on supply and demand. Cyber-criminals often don't use common online payment and wire-transfer services because operators and regulatory agencies strongly oversee them. Instead, they use currency services that allow users to convert real currency into electronic currency and:

  • Don't require proofs of identity
     
  • Normally require only valid e-mail addresses
     
  • Aren't regulated by the government
     
  • Aren't required to perform any "Know Your Customer" controls
     
  • Don't have to report suspicious activities

In the next column, we'll take a closer look at network forensics and their role in fraud investigations.

Jean-François Legault, CISSP, CISA, CISM, GCIH, GCFA, is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.  


The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
