No one is protected Internet fraud—even people who cheat on their friends. Cybercriminals who use hacking forums to buy stolen software and logins are getting ripped off and being ripped off thousands of dollars at a time, a new analysis has revealed. Also, when criminals complain about being hacked, they are also giving up personal information that can reveal their true identity to police and investigators.
Hackers and cybercriminals often gather in forums and marketplaces to do business with each other. They may announce an upcoming project they need help with, sell people’s stolen passwords and credit card information, or reveal new security vulnerabilities that can be used to hack people’s devices or systems. However, these deals often do not go to plan.
A new study, published today by cybersecurity company Sophos, examines the failures and the complaints people have made about them. “The number of hackers who steal from their peers in the courts and marketplaces is much bigger than we first thought,” said Matt Wixey, a Sophos X-Ops analyst who researched marketplaces.
Wixey reviewed three popular cybercrime forums: Russian-language Exploit and XSS forums, plus the English-language BreachForums, which replaced RaidForums when it was seized by US police in April. Although these sites work a little differently, they all have “delay” rooms where people who think they’ve been scammed or wronged by other scammers can file a complaint. For example, if someone buys malware and it doesn’t work, they can complain to the site’s administrators.
Complaints sometimes lead to refunds, but more often they serve as a warning to other users, Wixey says. In the last 12 months – the period covered by the survey – cybercriminals have lost more than $2.5 million to other fraudsters, the analysis says. Some people complain about losing 2 dollars, while the average fraud in each site is from $ 200 to $ 600, according to research, which is presented at the BlackHat Europe security conference.
Fraud comes in many forms. Some are easy, some are more difficult. Often, there’s a “rip-and-run” scam, Wixey says, where the buyer doesn’t pay for what he received or the seller receives money but doesn’t ship what he sold. (These are often known as “rippers.”) Other types of scams include fake data or broken security features: One person on BreachForums said a vendor tried to send them Facebook data that was public.
In another alarming incident on the Exploit forum, a thread posted a lengthy complaint that they had given someone access to the Windows kernel and not paid them the $130,000 they agreed upon. The buyer said he would pay after testing the software but did not spend the money. “At each stage, they gave different reasons for delaying payment,” the translated complaint says.
