The Inner Workings of Financially Motivated Cybercrime

Posted: 12th April 2021

Recorded Future’s Insikt Group recently published a research report titled, The Business of Fraud: An Overview of How Cybercrime Gets Monetized. The report describes the types of fraud methods and services currently used by threat actors to facilitate their campaigns. It provides an overview of some notable recent developments, lists some of the top vendors of these services on the criminal underground, and provides suggested mitigations for defenders to implement. 

Joining us this week to discuss their findings are Recorded Future’s Kirill Boychenko and Roman Sannikov, both members of the Insikt Group’s team cybercrime and underground. 

This podcast was produced in partnership with the CyberWire.

Dave Bittner: Hello everyone, and welcome to episode 204 of the Recorded Future podcast. I'm Dave Bittner from The CyberWire. Recorded Future's Insikt Group recently published a research report titled, The Business of Fraud: An Overview of How Cybercrime Gets Monetized. The report describes the types of fraud methods and services currently used by threat actors to facilitate their campaigns. It provides an overview of some notable recent developments, lists some of the top vendors of these services on the criminal underground, and provides suggested mitigations for defenders to implement. Joining us this week to discuss their findings are Recorded Future's Kirill Boychenko and Roman Sannikov, both members of the Insikt Group's team cybercrime and underground. Stay with us. Roman, why don't I start with you? The report is called The Business of Fraud: An Overview of How Cybercrime Gets Monetized. What prompted the creation of the report here?

Roman Sannikov: That's a great question. So, one of the things that we've noticed is that in our profession, there's a lot of focus on preventing things like unauthorized access. Justifiably so. Obviously, we don't want bad guys and threat actors being able to get into places where they don't, but what we've noticed is that there isn't as much of a focus or isn't as thorough an understanding of what frequently happens after the fact, when the cybercriminals have gained access to something. For example, be it credit card information, be it PII, be it other types of information, how do they then monetize that access? Cybercrime is called crime for a reason, and that's because they're trying to gain something financially from all of their hard work, all the threat actor's hard work. So, we decided to put together this report really detailing the various aspects of what I like to call the second half of the cycle after they've gained access to your credit card data, your bank account data, all that kind of data. What do they do next? How do they actually make money from something like that?

Dave Bittner: Kirill, can you give us a little bit of a notion of where we stand today in terms of the lay of the land, the kind of breadth and spectrum of what you all see when it comes to cybercrime?

Kirill Boychenko: So, what we see is that cybercriminal fraud is an ecosystem, and it's pretty specialized. We see that there are specialized vendors of different services. We see that there are threat actors that advertise very specific tools that are tailored for different methods of fraud. We see that it all comes as different methods, and there are different targets for fraudsters on criminal underground as we see, and there are cash out schemes. So, we see that this is a very much an interconnected ecosystem where cybercriminals cooperate with each other, advertise specific tools, and are quite specialized in their fraud offerings.

Dave Bittner: I think one of the things that strikes me that we've seen over the past few years is the degree to which there's been professionalization here and even specialization. What are you seeing there, Kirill?

Kirill Boychenko: We see that the courses are very specialized or they're very general. Sometimes, you can see a training course that would encompass many different fraud vectors. There would be payment card fraud, and money mules, and cash out services, or it could be very specialized, for example, on account takeover or on creating fraudulent documents, things like that. We found that these tutorials and courses, if they don't represent cutting-edge instructions, they still give an entry to novice cybercriminals to enter fraud, and we also see that communities that provide this training, it's not like they're willing to share their know-how, their secret sauce. We rather think that they're trying to feed the ecosystem. So, when they train novice cybercriminals, they realize that later they will become their customers. They will be buying stolen payment card data from them. They will be ordering money mule services from them. They will be their customers, so they're very much interested in giving the training, even though it may not be earth-shattering techniques.

Dave Bittner: How hard is it to get access to these sorts of bits of information? Is there a vetting process before they will share it or make it available to someone?

Kirill Boychenko: Some of those tutorials and courses are very available, and some of them come as texts or documents that one can just read, but there could be some that are very closed. In order to get in, you need to go through a vetting process, there is a paywall, some are very private. We talk about some specific examples of different fraud courses offered on the dark web in our report.

Roman Sannikov: I think, if I could jump in, what Kirill said is that this was a great way for them to really not only create clients but also to recruit and to really set up that next level of individuals who are going to be working for them. At the same time, it greatly lowers the barrier to entry for individuals who are trying to break into cybercrime because now you have experienced threat actors who are sharing the knowledge that they've gotten through years of actually perpetrating. So, they'll tell you things like what kind of services to use, how to circumvent anti-fraud mitigation, how to behave when you're trying to do social engineering at a bank. Frequently, some of these tutorials are specialized, like Kirill said, for specific companies and specific entities.

So, you'll have individuals who will say, "Hey, this bank requires this type of information to open an account and to enroll compromised payment cards, whereas this bank only requires a lesser amount of information." Again, this is something that, normally in the old days, it would have taken the criminal threat actors themselves months, if not years, to figure these things out by trial and error. Now, you have individuals who are either feeding it or selling it to relatively new individuals who don't have to spend as much time making mistakes.

Dave Bittner: Yeah. It's fascinating to me that there's a concerted effort here to make sure that you have new fresh talent in the pipeline.

Roman Sannikov: Yeah, absolutely. Over the years, being on a lot of these forums and platforms, this is kind of considered to be a young man's game, so to speak. It's something that most of the individuals, by the time they're maybe in their 30s and 40s, traditionally try to retire or move away from, or at least they try to move up to a different level of activity. So, they're not the ones who are, for example, conducting the cash outs. They're not the ones who are going to banks and trying to withdraw funds, or they're not the ones who are trying to buy things online with stolen, with compromised credentials, compromised payment cards. They're the ones who are more behind the scenes and further removed from the activity, which obviously lessens the potential of them being arrested and being identified.

Kirill Boychenko: I was just thinking, in terms of putting into perspective how the courses are organized, to give an example, there's one course that is offered on a well-known underground forum, and the organizers of the course have been running it since 2015, and they offer it on a monthly basis. So, there are over 10,000 cybercriminals that have taken this course, and it's widely advertised among different underground forums. It's been taught by 10 to 15 instructors. These are cybercriminals with reputation, and they have their own services offering different financial fraud and techniques.

We see that at least 40 to 50 participants are taking this course on a monthly basis, so you can see that the scope of this offering is rather significant. We see that these are people from Commonwealth of Independent States, former USSR republics, but also China, Baltic states. We also see that our team has expertise in different geographical areas, and we have analysts who speak different languages. We see that tutorials, courses, this kind of offering is really not limited to one space. If you were imagining Russian-speaking carders, well, it's not just limited to that part of the world or just that language. We see it in Chinese language forums. We see it in the Portuguese, Brazil cybercriminal communities, and many others.

Roman Sannikov: Absolutely. I think that's a really great point, is that while the initial part, the hacking, so to speak, as a catchall phrase, can be done from pretty much anywhere, fraud tends to be much more localized. For fraud to be successful, you frequently have to have individuals on the ground, in the area where the compromised information is supposed to be, so be it in Latin America, be it in Canada, be it in Europe, and Australia, you really do have to have individuals frequently who are there locally, who can facilitate opening up accounts, withdrawing funds, et cetera. So, it's something that is a lot more localized in terms of where the activity actually takes place.

Dave Bittner: Yeah. Can we dig into that? It strikes me that that's one of the trickier parts of these operations is converting your efforts into actual money wherever it is you're operating, having to interact with banks. There's a point where this interacts with the real world, the financial systems. So, how are they going about that? How are they handling getting the money out of the online internet world into the real world with real bank accounts?

Roman Sannikov: Absolutely. It's really a multi-step, multi-pronged effort, and here is where you have funds, for example, if that's what we're using for this example, funds that are located in an actual account of a legitimate user, then they will typically have to have another account created. Some of the ways that they do this is either through individuals that are willing accomplices, and then there are individuals who are unwilling accomplices, some kind of willing and unwilling mules. Willing individuals are frequently told upfront that they're going to be creating something for a fraudulent transaction, and that they need to set this up, and they need to create certain kind of barriers to protect themselves and certain aspects of the account, and of their behavior that looks legitimate so that the banks will not flag it as if there's something wrong with the account that the stolen funds are going to be transferred into.

Conversely, unwilling individuals are frequently coerced or lured into doing something that they think is legitimate. In this case, the advantages that they're frequently using their own accounts are the advantage for the threat actors, that they're frequently using their own accounts, and accounts that they've probably used for quite some time, and those accounts are much less likely to be flagged as having some illegal activity associated with them or some inauthentic activity associated with them. So again, the question then is really to recruit the different individuals, give them the proper instructions about how to move the funds. Typically, the funds will be transferred. Frequently, it's internally within the same bank. So, it will be transferred from a compromised account to an account that is being controlled indirectly by the threat actor who's running the whole operation, so to speak, via their mules. Then at some point, the funds will likely be withdrawn, converted into some sort of physical cash or converted into some sort of cryptocurrency, and that cryptocurrency will then be moved overseas to another location that is, and frequently, there may be multiple locations and multiple accounts that the currency will go through.

Sometimes, they'll even switch currencies so that it may be initially sent in Bitcoin, changed to something like Ethereum or Monero, and then changed back to Bitcoin before it is deposited at an account that is one step removed from the actual threat actor who's running the operation. So again, this is the lengthy process of laundering funds so that you're not just taking account money directly from a compromised account and wiring it to an individual who clearly has no business accessing the funds.

Kirill Boychenko: This is a great question, Dave, because you're absolutely right. Cyber attackers and fraudsters, they need to be able to have this ability to turn and monetize their fraud schemes. Like Roman said, many of these money laundering services, they use cryptocurrencies, but also we see, like Roman said, their bank accounts being used. Some of them are completely fraudulent and some of them are used on mules and bank drops. This is an expensive service because this is a bottleneck of cybercrime in terms of its fraud manifestation. You need to be able to cash out. Many of those services are very expensive. They can take up to 50% to 60% of the transaction of, for example, the value of a bank account. That's cybercriminal trying to drain that account. So, this is a big service and a very expensive service.

Dave Bittner: Help me understand. You all have a high degree of visibility into what's going on here, and I imagine part of that involves direct access to some of these forums and so on. Does it seem as though those people are operating with a sense of invulnerability? In other words, do they know that, chances are, there's folks out there like you all at Recorded Future who are keeping an eye on them, but they feel as though they can do that without a whole lot of risk?

Roman Sannikov: I would say yes and no. It really depends on how far up the food chain you are. Individuals who are, for example, somewhere in Eastern Europe, or the former Soviet Union, in a country that doesn't have extradition agreements with Western Europe or with North American countries like the United States, they do have a certain sense of impunity as long as they're targeting outside of their country or outside of their region. As Kirill can confirm, many of the Russian language forums, for example, and that's not to say that everyone on Russian language forums is primarily in Russia. They're also in other places like Ukraine, Belarus, and also all over the world. We've seen individuals from North America, from China, et cetera, in those primarily Russian speaking forums, but there's a general rule there that you don't, and I won't use the expletive, but you don't do your business where you live. There's really a lot of prohibitions, and individuals will frequently get banned if they're targeting Russia, Ukraine, former Soviet countries.

Again, there is a sense of impunity as long as you're not targeting, not going to have the targets in their countries. On the other hand, when you're talking to some of those individuals on the ground that we had mentioned before, individuals in North America, in Latin America, et cetera, they have to be very careful, obviously. That's part of the tutorial. That's part of the process of explaining how do you do social engineering, what you look for, how do you not get caught when you're installing things like skimmers, when you're going back to pick up those skimmers to gather the data, how do you act, how do you look to see that there's nobody watching or monitoring you, et cetera. In some instances, I think in some cases, they're actually more careful than nation state threat actors because there are real repercussions to them. There's the real potential of jail time for individuals that are involved in especially the financial fraud and money laundering aspect because a lot of them are located in the countries where the targets are.

Kirill Boychenko: We have a quote from one dark web vendor and course instructor who said, "If you care for your safety, do not work in the Commonwealth of Independent States." That instructor was a Russian-speaking instructor, and by work, he didn't mean a real work. He was talking about fraud activities. Going back to what Roman was talking about, and your question, Dave, there will be a tipping point. At some point, committing fraud, generating illicit income from activities like that will spill over to the point when law enforcement or financial institutions or other agencies with enough visibility and authority will start to take notice. It will be a tipping point when there is a target on the back, and there is enough surveillance and enough evidence. We've seen successful cases on operators that have services for SIM swapping being arrested, or those that are committing payment card fraud. It's happening all the time. So, there will be a tipping point, and at that point, fraud activities will come to an end.

Dave Bittner: Yeah, that's interesting. Overall, it's always a high-risk activity, right? You spend your life looking over your shoulder to a certain degree.

Roman Sannikov: I would just end on a note that we've spoken to individuals who have literally had access to over a million dollars, bank accounts with over a million dollars, and they were desperately trying to find someone who would help them somehow withdraw those funds or transfer those funds. So, I think the one takeaway that I hope people will take from this is that yes, again, you need to focus on preventing intrusions, preventing compromises, but you really need to focus on preventing the fraud after the compromise as well because if these individuals are not able to make money, then even if they do have access to all these things, sooner or later, that's going to dry out. So, if we can tighten some of the anti-fraud mitigation and really focus on that a bit more, I think we can really put a dent into financially motivated cybercrime.

Dave Bittner: Our thanks to Recorded Future's Kirill Boychenko and Roman Sannikov for joining us. The report is titled, The Business of Fraud: An Overview of How Cybercrime Gets Monetized. You can find it in the blog section on the Recorded Future website. Don't forget to sign up for the Recorded Future Cyber Daily email where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel. We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by The CyberWire with Executive Editor Peter Kilby, and I'm Dave Bittner. Thanks for listening.