Hacker-hunters finger 'Keyser Soze' of Russian underground card sales
Report claims user named 'Rescator' is mastermind
A hacker based in Odessa, Ukraine has become the main provider of data stolen from compromised credit cards, a new study claims.
According to Russian cyber-security consultancy Group-IB, a person or persons operating under the pseudonym “Rescator” (AKA Helkern and ikaikki) uploaded details of over five million cards onto the SWIPED online carder marketplace.
"Rescator is not the owner of SWIPED, he is an active seller at this card shop," Dmitry Volkov, head of the threat prevention & investigation department at Group-IB, claimed.
He claimed in a conversation with El Reg: "But Rescator has his own card shop – Octavian.su – where he also sells compromised bank cards. [Rescator] was on our 'radar' because he is one of the main members of the Darklife team. It's a Russian-speaking hack team and they have a closed forum. For example, he was the second user who was registered on darklife.ws.
"We always insert [a plant] in any well professional hack communities, especially if they are Russian-speaking.
"Rescator lives in Ukraine, but he does not sell compromised cards of Russian or Ukrainian banks. No local victims – no criminal case," he added.
Group-IB looked at a sample of cards traded through SWIPED - all of which were originally stolen from the retail chain Target. The Russian security consultancy found that 80 per cent of payments on SWIPED are currently made using Bitcoin, with other crypto-currencies also playing a role as convenient tools for illegal transactions.
The Russian market for stolen credit cards more generally is becoming more sophisticated and structured, complete with wholesalers and online trading platforms. Criminals can easily browse and purchase stolen credit card information as if they were shopping on any mainstream e-commerce site. Criminal interest in crypto-currencies has also spawned malware development.
"The use of malware-based botnets to mine Bitcoins has also become so developed that botnet renting through services like SkyShare has become a reality. Stealing from crypto-currency wallets using Trojans has also become more sophisticated and common," according to Group-IB.
Group-IB's annual report, published on Wednesday, focuses on the nefarious activities of Russian-speaking cybercriminals operating mainly throughout eastern Europe and the former Soviet Union.
The report found that mobile banking threats experienced strong growth over the last 12 months or so, with the emergence of five criminal groups that specialise in mobile banking theft using Trojans. "These groups infect Android phones and steal information via SMS banking and the use of phishing sites," Group-IB reports. "The scale of these thefts is limited only by the manual nature of the activity."
Groups targeting financial institutions have stolen about $40m during the report period, using techniques including Trojans, phishing sites, and even assistance from corrupt insiders. Group-IB's report highlights the many and various tactics in play.
Hackers reprogram ATMs to hand out the big bills: Either by physical access or infection of local networks, hackers are able to introduce malicious scripts into ATM software. In some cases the purpose is to record any ATM card numbers and PINs used on the compromised machines and to make cash withdrawals from those accounts. Other scripts can reprogram an ATM to pay out larger value notes than it should, for example, issuing 5,000-ruble [about £76] notes when 100-ruble [about £1.50] notes ought to be issued. The total amount stolen by one group via this method exceeded 50 million rubles [over £767,000].
Online banking fraud – at least in Russia – is down. Group-IB attributes this decrease to law enforcement action.
"Of eight criminal groups active in Russian online banking theft last year, two have switched to foreign targets and one was broken up following the 2014 arrest of one of its leaders. This has resulted in a decrease in the total online banking fraud market, from an estimated $615m in 2012 to $425m in 2013-2014," it reports.
While DDoS attacks on government websites fell during the report period, attacks on banks and payment systems increased. Hackers are abandoning botnets in favour of DNS/NTP amplification attacks, which deliver more powerful attacks at lower cost. Such attacks now account for 70 per cent of the total, according to Group-IB.
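The amplification attacks mentioned above leave a characteristic footprint in flow records: a reflector sees many tiny UDP requests to port 53 or 123 "from" one address and sends back responses many times larger, while the victim sees large UDP responses from those ports that it never asked for. The following added example (not from Group-IB's report or from The Register) shows a defender-side check over constructed, labelled sample flows; the record layout, the 10x ratio threshold and the minimum-bytes floor are assumptions chosen for illustration.

```python
"""Flag DNS/NTP amplification traffic in UDP flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Services commonly abused as reflectors, keyed by UDP port (assumption: only these two).
AMPLIFIER_PORTS = {53: "DNS", 123: "NTP"}
# Responses this many times larger than the requests they answer look amplified.
AMPLIFICATION_THRESHOLD = 10.0
# Ignore tiny aggregates so a single oversized answer does not raise an alert.
MIN_RESPONSE_BYTES = 10_000


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    octets: int


@dataclass(frozen=True)
class Finding:
    client: str      # address that received the responses (the apparent requester)
    server: str      # reflector that answered
    service: str     # "DNS" or "NTP"
    reason: str      # "amplified" or "unsolicited"
    ratio: Optional[float]  # response bytes / request bytes, None when no requests seen


# Constructed sample flows (RFC 5737 documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    # Ordinary DNS lookup: small query, slightly larger answer.
    Flow("192.0.2.10", 40001, "198.51.100.5", 53, "udp", 1, 64),
    Flow("198.51.100.5", 53, "192.0.2.10", 40001, "udp", 1, 120),
    # Open resolver abused: 200 short queries "from" 203.0.113.7, 3,000-byte answers back.
    Flow("203.0.113.7", 53000, "198.51.100.5", 53, "udp", 200, 12_000),
    Flow("198.51.100.5", 53, "203.0.113.7", 53000, "udp", 200, 600_000),
    # Victim's view: a flood of NTP responses it never requested.
    Flow("198.51.100.99", 123, "203.0.113.7", 50000, "udp", 500, 240_000),
    # TCP traffic to port 53 is not reflection material and is skipped.
    Flow("192.0.2.10", 5000, "198.51.100.5", 53, "tcp", 10, 2_000),
]


def analyse(flows: List[Flow]) -> List[Finding]:
    """Pair requests with responses per (client, server, port) and flag anomalies."""
    request_bytes = defaultdict(int)
    response_bytes = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.dst_port in AMPLIFIER_PORTS:
            # Client -> reflector: key on the client address.
            request_bytes[(f.src_ip, f.dst_ip, f.dst_port)] += f.octets
        elif f.src_port in AMPLIFIER_PORTS:
            # Reflector -> client: same key shape so the two sides line up.
            response_bytes[(f.dst_ip, f.src_ip, f.src_port)] += f.octets

    findings = []
    for key, out_bytes in response_bytes.items():
        client, server, port = key
        if out_bytes < MIN_RESPONSE_BYTES:
            continue
        in_bytes = request_bytes.get(key, 0)
        service = AMPLIFIER_PORTS[port]
        if in_bytes == 0:
            # Responses with no matching request: the classic victim-side symptom.
            findings.append(Finding(client, server, service, "unsolicited", None))
        elif out_bytes / in_bytes >= AMPLIFICATION_THRESHOLD:
            # Reflector-side symptom: one "client" pulling far more data than it sent.
            findings.append(Finding(client, server, service, "amplified", out_bytes / in_bytes))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_FLOWS):
        print(finding)
```

The same key shape is used for both directions so that a reflector's logs and a victim's logs can be fed through one function: on the reflector, the "amplified" finding names the spoofed address being targeted and the ratio tells you how attractive your server is as an amplifier; on the victim, the "unsolicited" finding lists the reflectors whose traffic can be rate-limited or filtered upstream.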
Elsewhere spam, long a mainstay of the underground economy, provides high earnings to sellers of counterfeit pharmaceuticals.
Group-IB detects 10,000 new online stores selling fake pharmaceuticals every month. "The counterfeit stores will collude with employees of processing centres and legitimate online stores to skirt the rules of international payment systems like VISA and MasterCard, which prohibit payment for unlicensed medical sellers," Group-IB reports.
Moscow-based Group-IB specialises in preventing and investigating high-tech cyber crimes and fraud. The company offers a range of security auditing and computer incident response services, including computer forensics for Russian law enforcement. Its report covers the H2 2013 – H1 2014 period and the Russian-speaking world – not only Russia, but countries which were part of the former USSR. ®