Monitoring the cybercriminal underground sometimes leads us down some interesting paths. We recently encountered a cybercriminal posting in a Russian underground forum which led to the discovery of more than 136,000 stolen credit card credentials.
Help in all the wrong places
The trail started with the following post on a Russian underground forum.
Figure 1. Post in underground forum (click to enlarge)
The post from user acmpassagens asking for help with the well-known Virtual Skimmer point-of-sale (PoS) malware family was not particularly unusual. However, two things stood out: first of all, the post, despite being written in Russian, was not written by a native speaker. The sentence construction did not look right. The poster also claimed that he had access to more than 400 PoS terminals in gas stations and shops… in Brazil. This was a user from Brazil asking questions in a Russian underground forum.
As part of his post, acmpassagens left both his e-mail address (firstname.lastname@example.org) and Skype address (acmpassagens). Together with his username, one can follow some of this person’s other online activities. For example, on an official Microsoft forum, he replied to a question about credit card readers with a post offering to sell software:
Figure 2. Post on Microsoft Developer Network (MSDN)
Videos related to card-skimming contained his e-mail address so curious viewers who wanted to “join the business” could contact him directly as well.
Figure 3. Youtube video
However, initially there didn’t appear to be anything online that could help us uncover the identity of acmpassagens. We were able to obtain some of the e-mail addresses he used, as well as two of his Skype accounts: acmpassagens and _brenosk815.
However, just before we were about to set this case aside, diligent Google searching led to an incredible jackpot: an account used by acmpassagens on the online file storage service 4shared. Moreover, all of the contents of his account – all 1GB of it – were open for anybody with Internet access to see, without the need for a user name or password.
Figures 4 and 5. Publicly available 4shared account
What was in this account?
The files in the 4shared account contained what appeared to be a log of the cybercrime activities that acmpassagens had carried out. It contained malware, phishing templates, and various documents with what appeared to be the personal information of cybercriminals, accomplices, and victims.
First, who is acmpassagens? According to the account, he is a Brazilian national named Breno Franco. He describes himself as a “businessman”, with an official address in Salvador, the eighth most populous city in Brazil. There were also multiple pictures of himself on the account:
Figure 6. Picture of Breno Franco
Mr. Franco used multiple addresses to communicate with others:
In addition to this, there was ample information relating to Mr. Franco’s money mules. We found various documents including Visa card slips and printouts of bank account statements.
Figure 7. Scanned identity card
Some of these documents may not be authentic. However, there also appeared to be private information of these mules, including scans of passports and official Brazilian identity cards (see above). It is hard to determine if these documents belong to actual people or whether the passports are fakes, since we also found Photoshop files for fake passports in 4shared. In addition, there was a recording of a VoIP call between a mule and Mr. Franco:
Figure 8. Recorded VoIP call
What about Mr. Franco’s cybercrime haul? In the account, we found what appeared to be 136,000 credit card numbers stored for future usage.
Table 1. Stolen cards
More than 107,000 of these numbers are for Visa, and more than 20,000 for MasterCard, with other networks picking up the small remainder. Visa is an official FIFA Partner, which may explain why Visa customers were frequent victims.
The 4shared account also contained the tools that Mr. Franco may have used to carry out his attacks. There was PoS malware belonging to the Virtual Skimmer and BlackPOS families, which may have been used to carry out the attacks that Mr. Franco described in some of his posts.
Aside from the above malicious tools, there were two other files useful in processing stolen card information. One was a file used to generate credit cards with stolen valid credit card numbers. The other is used to verify card numbers and is known as T3ST4D0R C0D3R (CC VALIDA). (Legitimate software has been abused by cybercriminals for the latter role.)
There were also templates for various phishing sites stored inside the 4shared account. Some of these sites had been found in the wild very recently. These phishing sites took advantage of the ongoing World Cup:
Figure 9. Phishing site
One of these phishing templates was uploaded to the compromised site of a Brazilian restaurant and shop. The files on the said site can be grouped into two: files from around 2011, when the legitimate site was last created/modified, and 2014, when Mr. Franco took control of the site and used it to host his phishing page.
In the past, the cybercriminal underground has operated in distinct groups. There was separate Russian underground communities, Latin American underground communities, etc. That is no longer the case: cybercriminals are now crossing borders and combining the various tools and resources available to them.
As cybercriminals become increasingly able to work together, attacks will become truly global. Trend Micro will continue to work closely with, and support and share information with law enforcement whenever possible to bring cybercriminals to justice.