Dark Web Metaparasites & Scammers: A Quick Look

A new Sophos report unveiled at Black Hat Europe describes a thriving cybercrime underground subculture focusing on Dark Web forums.

 


In many cases, cybercriminals are seen as parasites, always looking for victims of all sizes and stripes and preying on them. 

The trend has resulted in an array of bottom-feeding "metaparasites" flocking to the Dark Web marketplace, seeking to take advantage of their own set of victims. 

A common side effect of this phenomenon is that it provides researchers with a rich vein of threat intelligence, including contact details and locations of cybercriminals. This intelligence can help them identify threats. 

Matt Wixey, a senior threat researcher at Sophos, spoke at Black Hat Europe 2022 about the ecosystem of metaparasites. In his talk, titled "Scammers Who Scam Scammers, Hackers Who Hack Hackers," he explained how this contributes to the proliferation of scams and phishing scams.

According to the research Wixey and his fellow researcher, Angela Gunn, conducted, the underground economy is riddled with a large variety of fraudsters. Every year these fraudsters collect millions of dollars from fellow cybercriminals who collaborate with them. 

A study conducted by The Dark Web Research team (Russian-speaking Exploit and XSS forums as well as English-speaking Breach forums) reveals that there have been thousands of successful scam attempts in the past 12 months. 

According to the report, scammers have cheated users out of about $2.5 million over the past year. The amount per scam varies with the type of scam, from as little as $2 up to low six-figure sums.

Even though tactics vary, a common and effortless tactic is called "rip and run." There are two versions of the "rip." In the first, a buyer receives goods, such as an exploit, sensitive data, valid credentials, or credit card numbers, but does not pay for them. In the second, a seller receives the payment but never delivers what was promised. The "run" refers to the scammer disappearing from the marketplace and refusing to answer any questions. It is the Dark Web version of the dine-and-dash.

Scammers can also be found hawking fake goods: often nonexistent crypto accounts, macro builders that create nothing malicious, fake data, or databases that have previously been leaked or are already available online. Depending on the situation, they can get pretty creative, according to Wixey.

"Our research led us to find a service that claimed it could bind an .EXE script to a PDF so that when a victim taps on the PDF to open it, the .EXE would run silently in the background while the PDF would load," Wixey further explained.

The scammer sent the buyer a document with a PDF icon, but it contained neither a PDF nor an .EXE. It was just a document made to look like a PDF. The scammer was counting on buyers not knowing what they were asking for or how to check it.

Another common scam is when a seller advertises goods of a certain quantity, but the quality of the goods does not live up to what has been advertised, like credit card data that is claimed to work 30% of the time when only 10% of the cards are working. The databases might be real, but they are marketed as "exclusive" while the seller resells them to a multitude of parties to make a profit.

In some cases the fraudsters work in conjunction, and they may be involved for a longer period, Wixey said. According to Wixey, the fact that most sites are exclusive makes it possible for them to create "a degree of intrinsic trust" that they can play off of.

There are a variety of ways this technique can be used. First, the scammer builds rapport with a target and suggests they can help; then the scammer says that they know someone else who can do the job much better, who is an expert in this field.

Most often, they direct the victim to a fake forum that is operated and monitored by another person. This forum often asks for a deposit or registration fee, which is then paid by the victim. Both scammers then simply disappear. 

What forum moderators are doing to fight back

Wixey noted that the activity has a detrimental impact on the use of Dark Web forums - acting as an "effective tax on criminal marketplaces, which makes them more expensive and more dangerous for everyone, as well as more unsafe for the criminal community." Despite this, ironically, many markets are implementing security measures to curb the tide of fraud in the market. 

Putting protections on forums can be difficult for two reasons. First, there is no recourse to law enforcement or regulatory authorities. Second, it is a semi-anonymous culture, which makes it challenging to track down perpetrators. Even so, anti-fraud controls have been implemented to track activity and issue warnings.

A popular practice on some sites is to provide a plug-in that checks whether a URL links to a verified cybercrime forum, as opposed to a fake site where users are defrauded through a bogus "joining fee." Other sites offer a "blacklist" of known scammers and their tools and user names. Users can also file a scam report, and many sites have a dedicated arbitration process in place.

According to Wixey, "If you have been scammed by another person on a forum, you should go to one of these arbitration rooms and create a forum thread and provide some information about what you have been scammed by." As much information as possible is required, such as a username, contact information for the scammer, proof of a purchase or wallet transfer, screenshots, chat logs, and any additional details of the scam.

"A moderator will review and respond to the report, requesting more information if necessary to complete the process. Later, they will tag the accused person and give them somewhere between 12 and 72 hours to respond to the complaint, depending on what forum it is on," Wixey explained. 

There may be cases where the accused makes restitution, but that is not very common. What is more common is that the scammer disputes the report, claiming that the report was wrong and there was a misunderstanding about the terms of the sale. 

The use of a guarantee is another security option available to forum users. The guarantee is a resource that has been verified by the site and acts as an escrow account: until the goods or services involved in the exchange are confirmed as legitimate, the money destined for the trade is parked there.

Despite this, it is common for fraudsters to impersonate the guarantees themselves.