Hackers reach higher levels of organization

DeepSight Threat Management System
Research Report
Online Fraud Communities and Tools
Version 1: January 24, 2006
Analysts: The DeepSight Analyst Team
Table of Contents
Introduction (page 2)
Tour of the underground (page 2)
Honeypot compromise and fraud activity (page 23)
Detecting fraudster work habits by analyzing malicious code (page 30)
Passive attacks (page 35)
Registering a phishing site: an experiment (page 35)
Change log (page 37)
Glossary (page 38)
Index (page 39)
Executive Summary
Online fraud is on the rise. The DeepSight Threat and
Vulnerability Analyst Teams have pursued several related
research projects in the last quarter on the topic, and have
reached the following conclusions:
1. The development of malicious code is often a regular, full-time
activity. Developers may even be employed to produce
malicious code, and several development teams in various
locales may be collaborating on such projects.
2. Besides using the Internet to prey upon victims, fraudsters
also go online to “support” each other, to trade their
particular expertise, to barter stolen credit card numbers, and
so on.
3. Many of their techniques (e.g. the use of old, commonplace
vulnerabilities) lack sophistication, but are still effective
enough to produce rewards.
4. Most disturbing, perhaps, is the relative ease with which an
unskilled novice can enter the world of online fraud and use
the many online tools, forums, and tutorials that will walk
them through practically all the steps and techniques they
need to defraud others.
Online Fraud Communities and Tools — January 24, 2006— Copyright © 2006 Symantec Corporation Page 1 of 41
Introduction
Online fraud has been steadily increasing and shows no signs of leveling off anytime soon. Unfortunately, with
the relative anonymity of the Internet coupled with access to a huge number of potential targets, this activity will
likely persist.
In this analysis, facets of the online fraud community are revealed. We cover the following in this report:
1. A tour through the online communities where many of the deals are made. Here you will meet carders,
rippers, and other fraudsters who frequent the channels and chatrooms devoted to fraud.
2. An evaluation of a specific piece of malicious code used for phishing. From system data contained within
the malicious code itself, we can derive information about the people who created the code.
3. An overview of two compromised honeypots. One is used to join a Romanian chatroom associated with
the exchange of credit card numbers. The other is compromised and quickly converted into a phishing
site, illustrating how fraudulent sites can be set up in minutes.
4. An experiment we conducted to show how plausible certain phishing and pharming tactics can be. This
gives insight into how quickly, and with very few skills, an individual can attempt to defraud others.
Tour of the underground
We begin our tour of the fraudster community by looking at a couple of key communication channels. The
content on these channels reveals a great deal about how fraudsters operate, what they buy and sell online, and
so on.
Communication channels
During this investigation, we attempted to locate possible communication channels used by those engaging in
phishing and other fraud-related activity. Two significant high-activity resources have been highlighted and
presented as case studies in this document:
RealCashout IRC network
CCPower.info forums
Fraudsters use these channels to solicit various intermediate tasks required to perform certain types of fraudulent
activity, including:
Successfully exploiting a vulnerability to gain control of victim hosts. The compromised hosts are often called
“roots” by fraudsters.
Bartering stolen credentials or other commodities recognized by phishers.
Disseminating information to further enable phishers to perform attacks and to evade new detection methods
aimed at countering such attacks.
These communication channels include an online message board that’s viewable only by registered members, and
a small Internet Relay Chat (IRC) network apparently dedicated to discussions of fraud-related activity. The IRC
network is accessible to anyone aware of its existence and the address of one or more of its servers. The
message board, although not viewable by unregistered users, doesn’t screen new registrations beyond verifying
that a valid email address is used to register the account. As such, we were able to view the contents of this
message board by creating a user with an anonymous email address.
There are probably several other discussion forums, at least some of which likely take measures to prevent
unknown users and the general public from gaining access. Such forums may quite possibly operate far less like
an online community and more like an organized criminal enterprise. This is speculation, however, since we have
no further information about such channels.
Multiple IRC channels that appear to exist for the purpose of fraud discussion also operate on several of the large
public IRC networks, but public discussion in these channels was found to be minimal in comparison to the
private channels. Furthermore, the conduct of the users in these channels represents that found on the larger,
dedicated network, albeit on a much smaller scale. This suggests that the various facets of the fraud community,
although independent from one another, share a common modus operandi.
RealCashout IRC network
RealCashout is a small IRC network dedicated to phishing and fraud-related activity. At the time of this writing,
the network consists of three unique server hosts, but we found multiple DNS records on several domains, all of
which point to the IP address of one or more servers.
On average, approximately 800 concurrent users are connected to this network at a given time. Of those,
approximately 700-750 are in the network’s main channel, “#ccpower”.
Using the whois utility, we discovered the following information about the servers:

Server: 84.244.6.5
  Country: Sweden
  DNS Names: irc.realcashout.net
             irc.ircagents.net
             irc.ccpoweronline.net
             owner-shock.shock.shock.shock.realcashout.net

Server: 70.86.116.133
  Country: USA
  DNS Names: irc.darkunix.net
             133.70-86-116.reverse.theplanet.com

Server: 84.244.4.187
  Country: Sweden
  DNS Names: irc.realcashout.net
             serv-2-4-187.lycos-vds.com
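The server listing above is the kind of record an analyst pivots on when mapping a network's infrastructure: several hostnames under different domains resolving to the same host, and one hostname (irc.realcashout.net) served from two hosts. The script below is an added example, not part of the Symantec report; it parses the listing exactly as printed (the text is re-typed into a constant so it runs offline, no live whois or DNS lookups) and performs two pivots: hostnames shared across servers, and the apex domains behind each server. The apex-domain helper assumes "last two labels" is the registrable domain, which is correct for the .net/.com names here but would need a public-suffix list for names under suffixes such as .co.uk.

```python
"""Parse the report's whois/DNS server listing and pivot it for infrastructure
mapping (added example; WHOIS_BLOCK is copied from the report, not live data)."""
from collections import defaultdict

# The three server records as printed in the report, re-typed as a constant.
WHOIS_BLOCK = """\
Server: 84.244.6.5
Country: Sweden
DNS Names: irc.realcashout.net
irc.ircagents.net
irc.ccpoweronline.net
owner-shock.shock.shock.shock.realcashout.net
Server: 70.86.116.133
Country: USA
DNS Names: irc.darkunix.net
133.70-86-116.reverse.theplanet.com
Server: 84.244.4.187
Country: Sweden
DNS Names: irc.realcashout.net
serv-2-4-187.lycos-vds.com
"""


def parse_servers(text):
    """Return one {"ip", "country", "names"} dict per "Server:" entry.

    A line without a "Key:" prefix is a continuation of the preceding
    "DNS Names:" list, which is how the report lays the block out.
    """
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Server:"):
            current = {"ip": line.split(":", 1)[1].strip(),
                       "country": None, "names": []}
            servers.append(current)
        elif current is None:
            raise ValueError("data before first 'Server:' line: %r" % line)
        elif line.startswith("Country:"):
            current["country"] = line.split(":", 1)[1].strip()
        elif line.startswith("DNS Names:"):
            current["names"].append(line.split(":", 1)[1].strip())
        else:
            current["names"].append(line)  # continuation of the DNS Names list
    return servers


def shared_hostnames(servers):
    """Hostnames that appear on more than one server, mapped to their sorted IPs.

    A name served from several hosts is a strong hint that the hosts belong to
    the same operator (here, a round-robin IRC entry point).
    """
    seen = defaultdict(set)
    for server in servers:
        for name in server["names"]:
            seen[name].add(server["ip"])
    return {name: sorted(ips) for name, ips in seen.items() if len(ips) > 1}


def apex_domain(hostname):
    """Registrable domain, assumed to be the last two labels (see lead-in)."""
    labels = hostname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def apex_domains(servers):
    """Map each server IP to the set of apex domains whose names point at it."""
    out = {}
    for server in servers:
        out[server["ip"]] = {apex_domain(n) for n in server["names"]}
    return out


if __name__ == "__main__":
    parsed = parse_servers(WHOIS_BLOCK)
    for ip, domains in apex_domains(parsed).items():
        print("%s (%s): %s" % (ip, [s["country"] for s in parsed if s["ip"] == ip][0],
                               ", ".join(sorted(domains))))
    for name, ips in shared_hostnames(parsed).items():
        print("shared: %s -> %s" % (name, ", ".join(ips)))
```

Running the script prints the three apex-domain sets and the single shared hostname; the same two pivots apply unchanged to a larger listing exported from a passive-DNS source.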
Although the IRC channel contains a large number of users, there’s very little interactive conversation. Most of
the activity consists of advertisements or requests for various services. Interested parties are instructed to
respond to the message by initiating a conversation with the advertiser using private messages. In addition to
these requests, a large amount of the traffic is generated by the users of the channel issuing commands to a bot
program that resides there (see the section “Examples of bot usage” below).
The following is a sample of the general activity seen in this channel at any given time. For those unfamiliar with
the IRC protocol, the text enclosed in angle brackets at the start of each line represents the user’s IRC alias. In
all of the following samples, no attempt has been made to edit the spelling and typographic errors that are found
in many of the interactions in these chatrooms.
CC
I CAN CASH OUT MONEY FROM ANY VALID CCS AND CAN ASLO FUND E-GOLD WITH VALID
CCS ANY HACKER WITH VALID CCS SHOUL MSG ME I SEND YOUR SHARE VIA WU 50-50%
4 #Hacker anyone wanna deal i have address if u need address to cards electronics but
my deal is 50,50 and i will send your cut to u through fedex my email is
man2care_008@yahoo.com u can contact me rfor a deal. my name is harry
i can confirm western union of any amount to any count
who has a password hacker sofware sbcrusty@yahoo.com
who can help me plz for paltalk
-join #hacker
i have valid cc,paypal,scam page,phpmailer wanna trade with it