Cybercriminals are often seen as parasites, feeding on large numbers of victims of all sizes and types. But it turns out that they have become targets themselves, with large numbers of bottom-feeding 'meta-parasites' flocking to the dark web marketplace in search of their targets.
This phenomenon has had the nice side effect of exposing a wealth of threat intelligence to researchers, including details of the connections and locations of cyber criminals.
Speaking at Black Hat Europe 2022, Sophos Senior Threat Researcher Matt Wixey discussed the meta-parasite ecosystem in a session entitled "Scammers Scamming Scammers, Hackers Scamming Hackers". According to research he conducted with fellow researcher Angela Gunn, the underground economy is filled with a variety of fraudsters who successfully extract millions of dollars from their fellow cybercriminals each year.
The pair studied 12 months of data from three dark web forums (the Russian-speaking Exploit and XSS forums, and the English-speaking Breach forum) and uncovered thousands of successful scams.
"It was quite a rich haul," says Wixey. "Over a 12-month period, scammers took approximately $2.5 million from users of these forums. Each scam ranged from as low as $2 to as high as six figures."
Tactics vary, but one of the most common and brutal is known as the "pull your leg and run" strategy. It comes in one of two variants of "running away": either the buyer receives the goods (vulnerabilities, sensitive data, valid credentials, credit card numbers, etc.) but never pays for them, or the seller receives payment and never delivers what was promised. The "run" part is when the scammer disappears from the marketplace and refuses to answer any queries, which can be thought of as the dark web's version of "bullying".
There are also many scammers selling fake goods - such as non-existent cryptocurrency accounts, macro builders that do not build anything malicious, fake data, or databases that are already public or have been compromised before.
Some of these can be creative, Wixey explains.
"We found a service that claimed to be able to bind an .EXE file to a PDF so that when the victim clicked on the PDF, it would load in the background and the .EXE would run silently," he said. "The scammer actually just sends them back a file with the PDF icon, which is not actually a PDF and does not contain an .EXE. They hope the buyer doesn't know what they are asking for or how to check it."
Equally common are scams where sellers offer legitimate goods that are not of the advertised quality - for example, credit card data claimed to be 30% valid when only 10% of the cards actually work. Or the database is genuine but advertised as "exclusive" when the seller is actually reselling it to multiple purchasers.
In some cases, he added, fraudsters work together to perpetrate the scam. According to Wixey, these sites tend to be exclusive, which can inspire a "certain level of inherent trust" that scammers can exploit.
"A person will establish rapport with the target and offer to provide a service; they will then say that they actually know someone else who can do the job better, who is an expert on the subject," Wixey explains. "They usually point them to a fake forum set up and run by a second person that requires some sort of deposit or registration fee. The victim pays the registration fee and then both scammers disappear."
How the forum fights back
Wixey notes that these scams have had a detrimental effect on the use of dark web forums - acting as "an effective tax on the criminal marketplace, making it more expensive and dangerous for everyone else". It is therefore ironic that many marketplaces are implementing security measures to help stem the tide of fraud.
In implementing safeguards, the forums face several challenges: for one, there is no recourse to law enforcement or regulatory agencies; for another, the culture is semi-anonymous, making it difficult to track down the culprits. As a result, the anti-fraud controls that have been put in place tend to focus on tracking activity and issuing warnings.
For example, some websites offer plugins that check the URL to ensure it links to a verified cybercrime forum, rather than a bogus site that tricks users with a fake 'join fee'. Others may run 'blacklists' of identified scamming tools and usernames. Most have a dedicated arbitration process where users can file fraud reports.
Wixey says: "If you've been scammed by another user on a forum, you can go to one of the arbitration rooms, start a new thread, and provide some information." This could include the username and contact details of the alleged scammer, proof of purchase or wallet transfer details, and as many details of the scam as possible - including screenshots and chat logs.
"The moderators review the report, they ask for more information as necessary and then they flag the alleged person and give them between 12 and 72 hours to respond, depending on the forum," Wixey said. "The accused may make restitution, but this is very rare. More commonly, the scammer will dispute the report and claim it was caused by a misunderstanding of the terms of sale."
Some people simply don't respond, in which case they are either temporarily or permanently banned.
Another security option for forum users is to use a guarantor - a forum-verified resource that acts as an escrow account. The money to be paid is held there until the goods or services are confirmed as delivered. However, guarantors themselves are often impersonated by fraudsters.
A treasure trove of threat intelligence
While the study provides a view into the inner workings of an interesting branch of the dark web world, Wixey also notes that the arbitration process in particular provides researchers with an excellent source of threat intelligence.
"When a scam is suspected, forums ask for evidence, including things like screenshots and chat logs - and victims are usually happy to help," he explains. "A few of them will edit or limit the evidence so only the moderators can see it, but most people don't. They will post unedited screenshots and chat logs, which usually contain a treasure trove of cryptocurrency addresses, transaction IDs, email addresses, IP addresses, victims' names, source codes, and other information. This is in stark contrast to most other areas of the criminal marketplace where OpSec is usually quite good."
Some scam reports also include full screenshots of a person's desktop, including date, time, weather, language, and apps - breadcrumbs that provide location information.
In other words, the usual precautions are abandoned. A Sophos analysis of 250 recent fraud reports on the three forums found that nearly 40 percent of them contained some kind of screenshot; only eight percent restricted access to the evidence or offered to submit it privately.
"In general, fraud reports are useful for both technical and strategic intelligence," Wixey concludes.
He added: "The biggest takeaway here is that threat actors don't seem to be immune to deception, social engineering, or fraud. In fact, they seem to be just as vulnerable to attack as anyone else. It's interesting because these are exactly the types of techniques they use against other users."