The dark side of the darknet

Tomcat


What should respectable companies prepare for when carders begin to redistribute the market?

The shadow market for trading personal data and access to IT infrastructure is a phenomenon that cannot be ignored, if only because of its impact on the economy, which loses 3.5 trillion rubles a year to carder attacks. At the end of February and the beginning of March 2021, instead of the usual reports of successful cyber attacks on companies or banks, news appeared of hacked carder forums. This would seem to be good news for data operators, who spend an average of $1.5 million a year on cybersecurity. But what is happening in the carder community looks most like a redistribution of the market, with all the ensuing consequences: cyber attacks will soon become more dangerous, and protection against them will become more expensive.

The losses of the Russian economy from the actions of cybercriminals in 2020, according to Sberbank, could amount to 3.5–3.6 trillion rubles. This amount is equal to 73% of the funds that, according to the authorities, will be required over two years to restore the country’s entire economy after the pandemic. The market for stolen bank card data alone, according to Group-IB estimates, was close to 145 billion rubles in 2020, which is comparable to what Russians spent on preferential mortgages this year. At the same time, most cyber attacks, according to Microsoft, originate from Russia. In September 2020, the corporation reported that over the previous two years it had recorded more than 13 thousand notifications of carder attacks, and the largest share of them was attributed to Russian actors.

But at the beginning of 2021, “Russian carders” suddenly came under attack themselves. On January 20, the administrator of the carding forum Verified reported a hack; on February 16 it was the carding forum CrdClub (fraudsters used it for transactions with suppliers of fake credit cards); on March 2, Exploit announced attacks; and on March 3, the oldest Russian-language forum, Maza (see Kommersant of March 5). Carding forums are effectively exchanges for the sale of cybercriminal goods and services, says Mikhail Kondrashin, technical director of Trend Micro in Russia and the CIS. Successful attacks on such “exchanges” may mean either that the intelligence services have become more active, or that the cybercriminals themselves have begun a war without rules for the redistribution of the shadow market. In any case, for respectable data operators the news of carders being hacked seems good. But it is not that simple. To begin with, a question arises: why do specialists in stealing data from the Internet post their own data on it?

Entry with a guarantee

Carding forums are not just for carders. On such forums, services are bought and sold or the practical aspects of their use are discussed, says Dmitry Galov, a cybersecurity expert at Kaspersky Lab. Therefore, among the active visitors to the forums there may be programmers who write Trojan code but do not carry out attacks themselves, instead selling their services to attackers, says Vadim Solovyov, senior analyst at Positive Technologies. Another part of the audience of shadow platforms are “private traders” who do not know how to “code” but want to make money by selling collected data or by conducting attacks. “On the forums, for example, those who withdraw money from ATMs after an attack can also be registered,” adds Mr. Solovyov.
In addition, according to experts, on the forums you can find intermediaries who fulfill someone’s order or make money by reselling data and malware, as well as those who have assembled their own botnet (a network of devices infected with malware) and offer it as a service.

Forum administrators are protected from outsiders by a complex registration mechanism and its high price. To register, you need to confirm your account and provide a “portfolio” or a guarantee from an existing user, says Anton Ponomarev, director of corporate sales at ESET in Russia. The Maza platform has a particularly complex registration mechanism, and its price is $1 thousand (an idea of the number of users is given by the fact that, as a result of the March attack, the data of more than 2 thousand carders became freely available). Incidentally, the administrators of such sites, in effect carders who make money from carders, receive money both from registration and from participation in the fraudulent schemes discussed. According to Kommersant’s interlocutor in carder circles, at least $0.5 million passes through the Maza forum every month, and the total monthly turnover of Maza, Verified and Exploit exceeds $1 million.

Messages about the hacking of other forums often appear on carding forums, but a distinctive feature of the latest attacks was that their targets were precisely the largest and most widely known resources in the underground, says Vadim Solovyov. “Three forums in one month is strange. I don't think they were ordinary carders. Someone is purposefully destroying forums,” one of the founders of Exploit is sure.

Punishing sword in uniform

The nature of the forum hacks suggests that the attacker had detailed information about the operation of the sites, experts interviewed by Kommersant are confident. The Exploit forum's monitoring system, in particular, detected unauthorized access and an attempt to intercept and analyze network traffic. Such an attack could have been carried out “only by intelligence agencies or people who know where the servers are located,” said one of the founders of Exploit (according to KrebsOnSecurity).
Some Kommersant interlocutors associate the Maza, Verified and Exploit forums with Dmitry Dokuchaev, a former officer of the Russian FSB's Information Security Center (see reference). The rumor that the forums could have been hacked on the orders of the special services appeared against the backdrop of Dmitry Dokuchaev asking the court for parole. His lawyer sent the corresponding appeal to the Lefortovo court on March 2. Part of the carding community put forward the version that data received from Dmitry Dokuchaev in exchange for a reduced sentence was used to attack the forums.

However, on closer examination this striking version reveals many weaknesses. Firstly, the court did not reduce Dmitry Dokuchaev’s prison term. Secondly, even Dmitry Dokuchaev's long-time antagonist, ChronoPay payment system founder Pavel Vrublevsky, did not point directly at him, but only told Kommersant that he did not know who hacked the forums, adding that “the hacking will in many ways be the end of these communities and will remove the constant risk for Dmitry due to his connection with them.” The Maza administrator told Kommersant that Dmitry Dokuchaev had nothing to do with either the administration of the forum or its hacking.
But most importantly, after the attacks on the forums there were no statements from law enforcement about their closure. Moreover, according to Kommersant’s source, a copy of Verified appeared at another address, and the Exploit portal has now resumed operation. An announcement appeared on Verified that all users’ passwords had been reset, clarifies Victoria Kivilevich, an analyst at the cybersecurity company Kela. According to her, CrdClub is now working, and Exploit only suspended its “mirror” in the legal segment of the Internet. This is not typical of intelligence agencies. For instance, in 2019, when Belarusian security forces went after XakFor, a carding forum for Russian-speaking cybercriminals, the site stopped working, and the Ministry of Internal Affairs and the Investigative Committee of the Republic reported its closure.

Experts point out another important detail. “Attacks on such resources are unprofitable for law enforcement agencies, since they themselves constantly draw data from there for their work,” says Igor Zalevsky.
As a result, the version that the major players in the shadow data trading market themselves have begun to redistribute it comes to the fore.

Cyber redistribution

The increase in attacks on carders is most likely associated with attempts to redistribute the black market for IT services and data trading, believes Ashot Oganesyan, founder of the DLBI data leak intelligence service. In his opinion, behind the attacks are the owners of other forums trying to destroy the reputation of competitors, or offended members of the community. Pavel Sitnikov is also inclined towards this version (see interview).

Local clashes between competing groups can have a devastating impact on the carding community, whose main fear is de-anonymization. This becomes possible if the owners of the hacked resources kept a log of IP addresses, says Vadim Solovyov. In that case, in his opinion, it will be much easier for law enforcement agencies to determine the real location of the criminals.

Exposing forum participants will certainly complicate the work of shadow platforms, experts say. Their users will “flow” to other resources, “which is quite consistent with the goals of the attackers,” Mr. Oganesyan believes, since the attacks are about fighting competitors. But the administrators of all surviving sites will tighten the procedure for accepting new members, strengthen the protection of their digital infrastructure and refuse to store user data, believes Anton Ponomarev.

Members of carder groups will begin to behave more carefully, Softline information security management expert Ilya Tikhonov is sure. Against the backdrop of such attacks, some carders are already ceasing their activities, confirms Igor Zalevsky, head of the JSOC CERT cyber incident investigation department at Rostelecom. Those who “stay in the game” raise the prices of their services, taking into account the risk of having their identity revealed after the hacking of another forum, he says.

Now, according to Privacy Affairs, prices for various goods and services on the shadow market range from $15 for bank card data to $1 thousand for a vulnerability in the Android system. Hacking of various sites on the Internet, according to Positive Technologies, can cost from $40 for hacking an e-mail account to $4.5 thousand for a targeted attack on a company.

Respectable companies and banks, in turn, will have to monitor security even more closely and increase their budgets in this area. In 2020, according to Cisco, the average cost of data protection in Russian organizations amounted to $1.4 million. But already in 2021, 52% of Russian companies, according to PwC, plan to increase spending on cybersecurity, and 42% of organizations want to expand the staff employed in this area.

(c) Yulia Stepanova, Yulia Tishina