Hackers use 'cartons' with 'sticks', may be foiled by 'watermelons'
Translation from Russian hack-slang: Credit card, PayPal and secure server
Gaining an invite to the best of the nearly 60 websites powering the cybercrime underground is only half the fight for researchers; they also need to know that credit cards are called 'cartons', PayPal a 'stick', and bulletproof servers 'watermelons'.
The linguistic mind-meld is thanks to the slang employed in the Russian cybercrime forums which lays waste to automated translation efforts for non-speakers.
Trend Micro researcher Max Goncharov in a report Russian Underground 2.0 [PDF] details the peculiarities and machinations of the cybercrime world, and notes recent trends in crime-as-a-service offerings.
"Our current data-collection-and-normalisation process has been automated to a large extent [but] language barriers and nuances brought about by the use of underground slang, however, still require careful manual analysis," Goncharov says.
The dialectal dilemma cuts both ways; Goncharov points out in the 41-page report that among the services booming are translation services for phishers to better lure victims, and even unscrupulous humans willing to verify bank transfers over the phone with local tellers.
Many other services such as stolen traffic services are booming across the crime forums of which 27 are deemed "very active" hubs for criminals to trade services such as exploit kits, bots, and malware.
"The Russian market, for instance, specialises in selling traffic direction systems and offering traffic direction and pay-per-install services," he says.
"Traffic-related products and services are becoming the cornerstone of the entire Russian malware industry."
The carding business has had a dose of automation with balance and validity checks done with "one click".
Goncharov says stolen web traffic increases an attacker's victim base and helps locate among command and control traffic users for targeted attacks.
Money laundering is another addition to the cybercrime underground. The schemes lift the previous restrains that forced crims to engage expensive droppers ('dropovod' in criminal lingo) - people who wittingly (razvodnie) or unwittingly (nerazvodnie) move stolen cash through bank accounts for commission.
Blackhats are now buying plane tickets and booking hotels and expensive villas, and selling those purchases on for a cut rate.
Other service additions and improvements include automated shell script uploading, professional translation, and phone services where relevant fluent language speakers offer to chat to bank staff to confirm otherwise suspicious transactions.
Criminals who would rather enjoy their holiday than parse logs can outsource that too. Services will for a fee crawl over 1GB-plus logs and pluck out credit cards and passwords, saving the botnet operator the tedious task.
Goncharov lays much blame on bulletproof host providers labelling the service market so important that without it "criminal cybercommerce wouldn't exist".
"We can even say that bulletproof hosting service provision has become an industry on its own."
Those providers operate in countries with lax cyber crime laws and accept anonymous payment for VXers wanting to store their exploit kits and malware.
Goncharov says the cost of all of services has sharply dropped starting last year despite technological advancements in crimeware.
It is unclear why prices have fallen. Large breaches impact supply and more competition between criminal vendors makes life better for customers.
Deepweb crime prices however are more expensive, starting with a forum buy-in price of up to US$1000.
More detail including profiles of popular crime sites are detailed in the report. ®