Hacker-hunters finger 'Keyser Soze' of Russian underground card sales

Report claims user named 'Rescator' is mastermind

A hacker based in Odessa, Ukraine has become the main provider of data stolen from compromised credit cards, a new study claims.

According to Russian cyber-security consultancy Group-IB, a person or persons operating under the pseudonym “Rescator” (AKA Helkern and ikaikki) uploaded details of over five million cards onto the SWIPED online carder marketplace.

"Rescator is not the owner of SWIPED, he is active seller at this card shop," Dmitry Volkov, head of threat prevention & investigation department at Group-IB claimed.

He claimed in a conversation with El Reg: "But Rescator has his own card shop – Octavian.su – where he also sells compromised bank cards. [Rescator] was on our 'radar' because he is one of main members of Darklife team. It's a Russian-speaking hack team and they have closed forum. For example, he was the second user who was registered on darklife.ws.

"We always insert [a plant] in any well professional hack communities, especially if they are Russian-speaking.

"Rescator lives in Ukraine, but he does not sell compromised cards of Russian or Ukrainian banks. No local victims – no criminal case," he added.

Group-IB looked at a sample of cards traded through SWIPED - all of which were originally stolen from the retail chain Target. The Russian security consultancy found that 80 per cent of payments on SWIPED are currently made using Bitcoin, with other crypto-currencies also playing a role as convenient tools for illegal transactions.

The Russian market for stolen credit cards more generally is becoming more sophisticated and structured, complete with wholesalers and online trading platforms. Criminals can easily browse and purchase stolen credit card information as if they were shopping on any mainstream e-commerce site. This interest in crypto-currencies has spawned malware development.

"The use of malware-based botnets to mine Bitcoins has also become so developed that botnet renting through services like SkyShare has become a reality. Stealing from crypto-currency wallets using Trojans has also become more sophisticated and common," according to Group-IB.

Group-IB's annual report, published on Wednesday, focuses on the nefarious activities of Russian-speaking cybercriminals operating mainly throughout eastern Europe and the former Soviet Union.

The report found that mobile banking threats experienced strong growth over the last 12 months or so, with the emergence of five criminal groups that specialise in mobile banking theft using Trojans. "These groups infect Android phones and steal information via SMS banking and the use of phishing sites," Group-IB reports. "The scale of these thefts is limited only by the manual nature of the activity."

Groups targeting financial institutions have stolen about $40m during the report period, using techniques including Trojans, phishing sites, and even assistance from corrupt insiders. Group-IB's report highlights the many and various tactics in play.

Hackers reprogram ATM machines to hand out the big bills: Either by physical access or infection of local networks, hackers are able to introduce malicious scripts to ATM software. In some cases the purpose is to record any ATM card numbers and pins used on the compromised machines and to make cash withdrawals from those accounts. Other scripts can reprogram an ATM to pay out larger value notes than they should, for example, issuing 5,000-ruble [about £76] notes when 100-ruble [about £1.50] notes ought to be issued. The total amount stolen from one group via this method exceeded 50 million rubles [over £767,000].

Online banking fraud – at least in Russia – is down. Group-IB attributes this decrease to law enforcement action.

"Of eight criminal groups active in Russian online banking theft last year, two have switched to foreign targets and one was broken up following the 2014 arrest of one of its leaders. This has resulted in a decrease in the total online banking fraud market, from an estimated $615m in 2012 to $425m in 2013-2014," it reports.

While DDoS attacks on government websites fell during the report period, attacks on banks and payment systems increased. Hackers are abandoning using botnets in favour of DNS/NTP amplification attacks, providing more powerful attacks at lower cost. Such attacks now account for 70 per cent of the total, according to Group-IB.

Elsewhere spam, long a mainstay of the underground economy, provides high earnings to sellers of counterfeit pharmaceuticals.

Group-IB detects 10,000 new online stores selling fake pharmaceuticals every month. "The counterfeit stores will collude with employees of processing centres and legitimate online stores to skirt the rules of international payment systems like VISA and MasterCard, which prohibit payment for unlicensed medical sellers," Group-IB reports.

Moscow-based Group-IB specialises in preventing and investigating high-tech cyber crimes and fraud. The company offers a range of security auditing and computer incident response services, including computer forensics for Russian law enforcement. Its report covers H2 2013 – H1 2014 period and the Russian-speaking world – not only Russia, but countries which were part of the former USSR. ®

Similar topics

Narrower topics

Other stories you might like

  • Nothing says 2022 quite like this remote-controlled machine gun drone
    GNOM is small, but packs a mighty 7.62mm punch

    The latest drone headed to Ukraine's front lines isn't getting there by air. This one powers over rough terrain, armed with a 7.62mm tank machine gun.

    The GNOM (pronounced gnome), designed and built by a company called Temerland, based in Zaporizhzhia, won't be going far either. Next week it's scheduled to begin combat trials in its home city, which sits in southeastern Ukraine and has faced periods of rocket attacks and more since the beginning of the war.

    Measuring just under two feet in length, a couple inches less in width (57cm L х 60cm W x 38cm H), and weighing around 110lbs (50kg), GNOM is small like its namesake. It's also designed to operate quietly, with an all-electric motor that drives its 4x4 wheels. This particular model forgoes stealth in favor of a machine gun, but Temerland said it's quiet enough to "conduct covert surveillance using a circular survey camera on a telescopic mast."

    Continue reading
  • Taiwan bans exports of chips faster than 25MHz to Russia, Belarus
    Doom it is, then, Putin

    Taiwan's government has enacted a strict ban on the export of computer chips and chip-making equipment to Russia and Belarus, a move that will make it even harder for the two countries to access modern processors following export bans from other countries.

    The island nation is the world's largest advanced chip manufacturing hub, so the export ban carried out by Taiwan's Ministry of Economic Affairs, reported last week, will make it more difficult for Russia and Belarus to find chips for a variety of electronics, including computers, phones and TVs.

    Russia has already been scrambling to replace x86 processors from Intel and AMD that it can no longer access because of export bans by the US and other countries. This has prompted Russia to source x86-compatible chips from China for laptops that will be considerably slower than most modern systems. The country is also switching to servers using its homegrown Elbrus processors, which Russia's largest bank has found to be inadequate for multiple reasons.

    Continue reading
  • World Economic Forum wants a global map of online crime
    Will cyber crimes shrug off Atlas Initiative? Objectively, yes

    RSA Conference An ambitious project spearheaded by the World Economic Forum (WEF) is working to develop a map of the cybercrime ecosystem using open source information.

    The Atlas initiative, whose contributors include Fortinet and Microsoft and other private-sector firms, involves mapping the relationships between criminal groups and their infrastructure with the end goal of helping both industry and the public sector — law enforcement and government agencies — disrupt these nefarious ecosystems.  

    This kind of visibility into the connections between the gang members can help security researchers identify vulnerabilities in the criminals' supply chain to develop better mitigation strategies and security controls for their customers. 

    Continue reading
  • Europol arrests nine suspected of stealing 'several million' euros via phishing
    Victims lured into handing over online banking logins, police say

    Europol cops have arrested nine suspected members of a cybercrime ring involved in phishing, internet scams, and money laundering.

    The alleged crooks are believed to have stolen "several million euros" from at least "dozens of Belgian victims," according to that nation's police, which, along with the Dutch, supported the cross-border operation.

    On Tuesday, after searching 24 houses in the Netherlands, officers cuffed eight men between the ages of 25 and 36 from Amsterdam, Almere, Rotterdam, and Spijkenisse, and a 25-year-old woman from Deventer. We're told the cops seized, among other things, a firearm, designer clothing, expensive watches, and tens of thousands of euros.

    Continue reading
  • Capital One: Convicted techie got in via 'misconfigured' AWS buckets
    Assistant US attorney: 'She wanted data, she wanted money, and she wanted to brag'

    Updated A former Seattle tech worker has been convicted of wire fraud and computer intrusions in a US federal district court.

    The conviction follows the infamous 2019 hack of Capital One in which personal information of more than 100 million US and Canadian credit card applicants were swiped from the financial giant's misconfigured cloud-based storage.

    Paige Thompson (aka "erratic") was arrested in July 2019 after data was leaked between March and July of that year. The data was submitted by credit card hopefuls between 2005 and early 2019, and Thompson was able to get into Capital One's AWS storage thanks to a "misconfigured web application firewall."

    Continue reading
  • Never fear, the White House is here to tackle web trolls
    'No one should have to endure abuse just because they are attempting to participate in society'

    A US task force aims to prevent online harassment and abuse, with a specific focus on protecting women, girls and LGBTQI+ individuals.

    In the next 180 days, the White House Task Force to Address Online Harassment and Abuse will, among other things, draft a blueprint on a "whole-of-government approach" to stopping "technology-facilitated, gender-based violence." 

    A year after submitting the blueprint, the group will provide additional recommendations that federal and state agencies, service providers, technology companies, schools and other organisations should take to prevent online harassment, which VP Kamala Harris noted often spills over into physical violence, including self-harm and suicide for victims of cyberstalking as well mass shootings.

    Continue reading
  • International operation takes down Russian RSOCKS botnet
    $200 a day buys you 90,000 victims

    A Russian operated botnet known as RSOCKS has been shut down by the US Department of Justice acting with law enforcement partners in Germany, the Netherlands and the UK. It is believed to have compromised millions of computers and other devices around the globe.

    The RSOCKS botnet functioned as an IP proxy service, but instead of offering legitimate IP addresses leased from internet service providers, it was providing criminals with access to the IP addresses of devices that had been compromised by malware, according to a statement from the US Attorney’s Office in the Southern District of California.

    It seems that RSOCKS initially targeted a variety of Internet of Things (IoT) devices, such as industrial control systems, routers, audio/video streaming devices and various internet connected appliances, before expanding into other endpoints such as Android devices and computer systems.

    Continue reading

Biting the hand that feeds IT © 1998–2022