
The Return of the Mega-Boards: Is the Underground Economy Returning to its Former Glory?

They say history repeats itself, or perhaps this is the story of a community recovering from a catastrophe. Either way, the underground is returning to its former glory, and not just in how much business is being conducted – but how it is conducted. In 2006, the English-speaking part of the underground economy was a prosperous community, with several mega-bulletin boards competing for the business and the heart of fraudsters from all over the world.

On one corner there was DarkMarket, on another CardersMarket, in addition to smaller forums such as CardingZone, Talkcash and others. Most fraudsters bought and sold on multiple forums, but that didn’t help to negate the animosity between the managers of the different forums. This led to some big moves on the part of the administrators, such as CardersMarket’s administrator Iceman, a.k.a. Aphex, a.k.a. Digits, taking over and assimilating three of his competitors. These eventful times came to an abrupt end in two of the biggest events of them all – the arrest of Iceman and the revelation that DarkMarket had been an FBI sting site. Both CardersMarket and DarkMarket were shut down after each event, driving fraudsters deep underground, afraid of being next on law enforcement’s list of captured criminals. One era in the fraudster economy, one that was thoroughly documented by Kevin Poulsen in his book “Kingpin”, came to an end – and another one started.

Law Enforcement’s success was a nuclear strike on the sophisticated underground economy, one that left a desolate land. However, much like in the description of Mad Max or Fallout of a post-nuclear society, this strike did not eradicate all life. Many Nigerians and smalltime fraudsters continued to scour the lands, searching for partners to trade with, and in many cases rip off. The underground was still bustling, but instead of business being done in gated communities with strict rules and the guiding hands of administrators, it was done in the much less sophisticated, business-oriented chaos that is the IRC chat rooms. These were not communities, but bustling markets where fraudsters came to offer their wares and to haggle. There were no esteemed members, no community services such as escrow, no tutorials for starters, nor verification that the person you’re doing business with isn’t going to rip you off the first chance he gets. Anyone in these channels not focused on conducting business was labeled a time waster and suffered the scorn of the other members. Small forums did open up, but they took on the characteristics of their chat room counterparts – all business, no services, every man for himself. The few attempts to build a community, such as GhostMarket, were taken down relatively quickly.

Fast forward a few years, and the first signs of recovery appeared. Although not exactly mega-boards, certain forums did obtain enough momentum to become a hub for “real” fraudsters. At the same time, an interesting trend started to catch on – automated websites for underground services – specifically, automated credit card stores, which I wrote quite a bit about in previous articles. The first stores were originally operated by the Russians, who were unaffected by the events in the English-speaking communities. However, these stores quickly caught on with non-Russian speakers and ushered in, as certain law enforcement agents put it, the “Industrialization of the underground”. No longer was trading done by privately talking to a vendor; instead, buying underground services was done through sophisticated automated systems – allowing both vendors and buyers to do business at all hours of the day and in much greater numbers. The trend became so widespread that store kits were circulating around the underground, enabling any interested vendor to set up (automated) shop. Dozens of stores opened each month and the bulletin boards quickly became the new yellow pages for the underground economy. Animated and colorful banners quickly started popping up in the forums, attempting to turn members into prospective buyers.

Comparing the state of the underground today to its state several months ago, it seems that things are changing once again. Some of the recent English-speaking forums resemble their ancestor mega-boards, with a strict policy of who is admitted as a member and with industrious administrators laying down strict rules while kicking out anyone who isn’t following them. Just like in the days of yore, these administrators are respected and feared by those who join their communities. The relatively safe environments that these forums provide fraudsters draw the masses who apply to become members, which in turn draws the vendors of underground services. An interesting twist is these boards’ interaction with automated credit card stores. Instead of going against them – they’ve embraced them – offering the “official” automated store of each forum. These stores offer a platform for interested credit card vendors to sell off their wares, instead of putting up a message in the forum. Only forum members are allowed into the store and every account is associated with the username of the member in the forum.

The “official” credit card stores have been quite a game changer. As fraudsters flock to these trusted stores, where buyers know they will get not only the best products but also good service if something goes wrong, vendors prefer to sell their wares through those platforms rather than open their own store. Why spend time and money promoting your own store when there’s already a place with plenty of buyers eager for your product? Ever since we started tracking the automated stores trend, the number of new stores opening each month has been relatively high. However, in the last several months, it has substantially decreased.

It’s not as if all the legitimate vendors have already opened stores and thus the number of new stores is dwindling. These stores often have a short lifespan, thanks to the vigilance of security firms, experts and bloggers such as Brian Krebs and Dancho Danchev. Some credit card stores were closed and re-opened half a dozen times on different hosts and domains – and those were counted in the numbers we’ve observed (and they haven’t all moved to bulletproof hosting services, either).

Iceman, El Mariachi, Cumbajohny, Gollumfun, ChaO and yes – Master Splynter – were the underground celebrities of their generations, whether they were respected or hated in the underground communities. With the current round of forums showing promise to become the next mega-board, it looks like a new generation is going to have its own set of heroes and villains, at the expense of stolen dollars and identity theft victims.

Idan Aharoni is the Head of Cyber Intelligence for the FraudAction Intelligence team at RSA, where he is responsible for gathering, analyzing and reporting intelligence findings on cybercrime and fraud activity. Mr. Aharoni joined Cyota (later acquired by RSA) in February 2005 as an analyst at the Anti-Fraud Command Center. During his service, he founded the FraudAction Intelligence team, which he leads today. Through his work at the Anti-Fraud Command Center, as well as the unique insight he has gained from the intelligence and discoveries gathered by his team, Mr. Aharoni offers vast expertise in the underground fraud economy and how cybercriminals operate.