In my last blog post, I covered several topics around how cybercriminals use your stolen information and why these criminals want your information. That entry, along with this entry, is part of a blog series intended to cover the expanding economies in relation to cybercrime, as well as some facts and recommendations to help safeguard your data against information theft.
In the first part of the two-part intelligence brief series, I will tackle the existing “trust model” in the underground cybercrime arena and some profiling of the gateways/actors that sell these goods.
Information Theft Business Model
It’s no secret that scammers are out there to make a quick buck. However, what’s often not known or discussed is how they engage the market to sell their goods.
These scammers must first engage the market with their goods. They often reach out to Pastebin, underground forums, and several other sites designed to peddle their wares. Furthermore, they also use a popular tactic of posting their “ads” on legitimate forums and sites. This step can be considered the aspect of “gaining your customers”. The next step is establishing a pricing model to fit the marketplace.
Price Discrimination vs. Penetration Pricing
During the past five years, there have been a number of incidents outlining price discrimination on underground forums. Price discrimination exists when a provider sells identical goods or services at different prices for several reasons. There are realistically four degrees of price discrimination, all with varying discriminatory fashions.
However, in the past two years, there has been a shift away from price discrimination and to a more penetration pricing model. Penetration pricing is a tactic used by a seller to attract new buyers in multiple different ways.
In the penetration pricing model, scammers enter the market and sell their wares at a much lower price to gain market space, and then slowly increase their price until it meets market value with the other sellers. Many of the vendors participating in selling stolen goods enjoy a good market for selling these goods after using this model. Utilizing this will often lead to increased sales volume and higher inventory turnover.
This penetration pricing upswing has likely occurred as there were many new entrants into the underground marketplace selling goods. These new entrants weren’t following maximum price rules or by unique buyer attributes.
These scammers are also enjoying a fairly uninhibited marketplace since the ease of hiding their nefarious activities has dramatically improved. For those familiar, see onion routing, and that will easily explain one of the many ways these actors hide their tracks.
When looking at some of the actors of these scams (10 unique sites were profiled), we can start to extrapolate some commonalities between these actors. While the intent of this post isn’t to profile these actors, however an overview helps generalize some of the sellers in the community that provide goods. Knowing this information can help you avoid being a prey to some of the tactics utilized by these individuals.
While profiling many of these sites, it appears that many of the sites selling these goods originate from Ukraine, the Netherlands, and Russia. It’s also apparent that these threat actors prefer payment via Liberty Reserve, UKash, or Western Union. In some cases, WebMoney was also allowed or requested. Typically, these payment methods are requested because signing up for accounts is nearly anonymous, as many of these services only require SMS and email verification to allow transactions to process. Some services, such as Ukash, will exchange cash for a unique 19-digit code. You simply find an outlet (Online or in person) and exchange cash for this code. This unique code can then be utilized to secure payments.
Almost all of the domains registered were using Gmail or Yahoo! as their registrant email address providers. Likewise, many of the posters preferred to be contacted via instant messenger, with Yahoo! and ICQ being the preferred client.
With the underground market running rampant with new sellers entering daily, trust is in short supply on these sites. As such, scammers look for a way to verify each other and their business validity.
Figure 1. Post by someone seeking a verified trust
While scammers may not think of their “businesses” as traditional, more than likely these individuals utilize core business models without even knowing. After scammers get the business of one individual, they not only increase the marketing to that individual, they also look to that individual for verification to ensure future buyers trust the seller.
When a scammer does good work, it’s standard for scammers to verify someone else’s work. This often comes in the form of a forum post “verifying” someone as good for their wares.
Figure 2. Sample post of verifying another user for a job well done
Watch out for the second part of this series where I’ll elaborate on the sources or means, in which cybercriminals can get user information and some best practices to mitigate risks of information theft.