From russia final_bluehat10

Post on 27-Jan-2015


Insight on the Russian Underground Economy

Fyodor Y | ARMORIZE

The Grugq | COSEINC

Meet the “authors”.. :)

Outline

•Tools and methods

•Introduction: Geeks or Gangsters?

•Underground economy: what u never knew

•Future trends and our research

•Lining up

My favorite quote:

Чтобы заработать в Интернете не нужно ничего, и даже мозгов

“To make money on the Internet you don’t need much, not even a brain” - from an online tutorial on how to make money

Brief: Tools and methods

Sources

•Dealing with large volumes of data (public forums, BBS, manual follow-up)

•Mostly public data

•Often: post mortem analysis of compromised systems

Intelligence Gathering

•Automated and manual analysis of publicly available data

Automation: difficulties

•Language: complicated for automated processing (slang, misspellings, multiple spellings)

•Context evaluation for new items of trade requires manual analysis

Ex.: What does this say?

Good luck w/ automated translation

Slang sources

•Fenya - Russian prison slang

•Anglonims - English loan words

•Rhyming slang - Sounds like the English word

•Direct translation

Tools of trade

•Mostly open-source. With custom extensions

Tools: Nutch

•Content Fetcher; extended with custom Indexers

•Changes to Spider behavior (“proper” robots.txt handling etc)

•Custom “Seeders”

•Distributed Indexing (w/ hadoop)

Tools: RSS feeds “eater”

•A bunch of python scripts thrown together to fetch rss feeds

Tools: SOLR

•Customized Data indexing and search

•Custom schema and search fields

•JSON output used

•Language “projection” (lingo/slang support: variant spellings are mapped onto canonical search terms)
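The difficulties listed under “Automation” (slang, misspellings, mixed Cyrillic/Latin spellings) are what a “projection” field in the search index has to absorb. The following is an added illustration, not the authors’ code: it maps post tokens onto the canonical terms from the deck’s terminology slide, tolerating homoglyph mixing and one typo. The lexicon variants are assumptions constructed for the example.

```python
import re
from typing import Dict, Optional

# Constructed lexicon: canonical term -> spellings seen in posts. Canonical terms
# come from the deck's terminology slide; the variants are illustrative assumptions.
LEXICON = {
    "wmz": ["wmz", "webmoney", "вебмани", "вмз"],
    "drop": ["drop", "дроп", "дропы", "дропов"],
    "cc": ["cc", "creditcards", "кредитки"],
    "partnerka": ["partnerka", "партнерка"],
    "abuse-resistant": ["abuse-resistant", "абузоустойчивый", "абузоустойчивость"],
}

# Cyrillic letters that look identical to Latin ones. Posts mix alphabets
# (Latin "cc" typed as Cyrillic "сс"), so both sides are folded before comparing.
HOMOGLYPHS = str.maketrans("асеорху", "aceopxy")

TOKEN_RE = re.compile(r"[a-zа-я0-9\-]+")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; tokens are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def project(token: str, max_typos: int = 1) -> Optional[str]:
    """Map one lower-cased token to a canonical term, or None if it is not trade lingo."""
    for canon, variants in LEXICON.items():
        for v in variants:
            if token == v or token.translate(HOMOGLYPHS) == v.translate(HOMOGLYPHS):
                return canon
            # Short variants ("cc", "wmz") get no fuzzy match: too many false positives.
            if len(v) >= 5 and edit_distance(token, v) <= max_typos:
                return canon
    return None


def projected_terms(post: str) -> Dict[str, int]:
    """Return {canonical term: count} for a post: the content of the projection
    field, so one search hits every spelling of a term at once."""
    counts: Dict[str, int] = {}
    # ё and е are used interchangeably in forum posts; fold them before tokenizing.
    for tok in TOKEN_RE.findall(post.lower().replace("ё", "е")):
        canon = project(tok)
        if canon:
            counts[canon] = counts.get(canon, 0) + 1
    return counts
```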

Tools: Web UI/Maltego

•Web UI: easier

•Visualization: Maltego Custom Transforms

Overall picturesque

Maltego

Introduction: Geeks or gangsters? :)

From Russia with love..?

•What is the biggest export from Russia except for oil, gas, and nuclear scientists..? :)

- Malware - stuff that lives in your PC against your will :)

Typical export sample:

•Targets MS platforms

•Often - multi-component (loader, payload functions in form of DLL etc)

•Sensitive information collection (data, keystrokes and credential information)

•Turns computer into web proxy, smtp proxy, socks etc (useful for rent, spamming etc)

•May extort money from end user

Looks familiar?

Moscow arrest (31/08/2010)

Annual income: over 500,000 rubles (100,000 USD)

One unlock charged at 300 rubles (10 USD), paid via SMS

Scale: big

“Export” through legitimate sites, which then end up on the Google blacklist

Why such spike?

•Fun?

•Profit!

But there’s much more..

Malware vs. OTHER COOL STUFF :-)

That’s not a russian hax0r

This is closer..

Russian Underground Economy

Where is the money!

•Banking credentials

•Credit cards

•Shops and goods

•Online goods and services

•Online currencies

•Monetization via Carrier providers and more

Disclaimer:

We don’t sell or advertise any service. We simply look at the trades :-)

“Ликбез” (crash course): Some terminology

•WMZ - WebMoney - one WMZ = one USD

•Drop - money mule

•CC - credit cards

•Abuse resistant - Safe to host any kind of fraudulent service

•Partnerka - partnership program

Online currencies

•Web Money (WMZ)

•Yandex Money

•LR (liberty reserve)

Exchange points

Credit cards: Very accessible

Money laundering

Drop: Another way to turn dirty cash into profit

Mass domain theft

Traffic generation: As big biz

Costs (per 1000 unique visitors)

• AU - 300-550$

• UK - 220-300$

• IT - 200-350$

• NZ - 200-250$

• ES, DE, FR - 170-250$

• US - 100-150$

• RU, UA, KZ, KG .. 10-40$

Other Online goods

Looks familiar?

Cards, burners

And more

Passport scans

“Business package”

Includes.. (“For money of any state of dirtiness!”)

Pack includes:

1. Online bank account access

2. ATM card (daily withdrawal limit 1,000 USD / 6,000 USD per month; limit increase possible for +30 USD)

3. Code card (online access passwords)

4. Passport copy of the drop (“poor john”)

5. SIM card

Also can be pre-ordered with a custom passport scan (25 USD)

DDOS: Very affordable

“We remove sites of your competitors with a DDOS attack. Fast and effective.”

Supported:

Prices (in WMZ ~= USD)

Discounts for bulk

DDOS 911

Abuse resistant hosting

Malware A/V QA

Hash cracking: In the cloud

Captcha solving: In the cloud

Exploit packs

With nice stats

Stats per country: clicks, loads (pwned ;), percentage

Need to build Botnet?

Welcome: TDS (traffic distribution system)

Seller

Buyer

Owner

“Game” rules :)

•Iframe traffic: 4 USD / 1000 clicks

•No bot traffic (ruclicks)

•Payday - every Monday

Making money together: Fake AV affiliation program

Fake AV payouts


Crimeware: trends and research

Moving mobile

•Steal a dollar from million - still a million dollars

•WAP sites spreading trojaned games are very popular

Mobile Malware

SEO spam (the Russian slang term is a *bad* word)

Now - delivered professionally :)

Malware through Infected ads

Malware infection: Hidden behind login screens

•Frequent in banking or other online credential targeted attacks

•Effectively prevents services like the Google blacklist, HA and others from identifying the infection, since the crawler never gets past the login

Research

•Monetization schemes

•Taking over the existing infrastructures for forensic analysis and statistics

•Hunt the hunters

Hunt the hunter

•Pwnkit - automated exploitkit pwner

•Automated exploit kit fingerprinting

•Password bruteforce

•Exploiting bugs and common misconfigurations

•Generates statistics on exploit pack usage “in the wild”

Misc. Case studies :)

Botnet DIY ;)

•Goal: 1,000,000-node botnet

•No skills required

•Buy these (available on sale):

•Traffic

•Abuse-resistant service

•Exploitpack

•Botnet gear

How much it costs

•Traffic - 10-15K USD (mixed), infection ratio around 10-20% (depending on exploit pack)

•Abuse-resistant server - 300 USD/month

•Exploit pack - 200-2,000 USD

•Botnet gear - 500-10,000 USD

•= 15-20,000 USD total + 1-2 months of work

Conclusions

•You can be a victim, even if you paid for Kaspersky and apply patches regularly :)

•While malware is what you mostly see, cybercrime is not about malware, it is about money

•Global economy - global fraud

•0day is not important. Volume is important

•(Mostly) not organized crime but ecosystem

What’s next?

Questions?

•Fyodor.y@armorize.com