Trend Micro provides peek at methods of amateur, lone-wolf carder.

Sara Peters, Senior Editor

May 26, 2015

2 Min Read

Although the cybercrime game is dominated by organized criminals -- according to IBM X-Force, 80 percent of cyber attacks are driven by highly organized crime rings -- there are one-man operations getting a piece of the action, too. Trend Micro today proposed that actors like these may be the "evolved version of the petty thief," and profiled one individual operating in Canada.

This individual, who Trend Micro calls Frapstar, doesn't write code:  he buys it. He isn't very slick at hiding his tracks or identity. Yet he seems to make a comfortable living, either supplemented by or solely by selling dumps of credit card and Canadian passport data.

Frapstar also goes by the handles ksensei21 and badbullz across a variety of platforms, both criminal and non-criminal. He's active on multiple carding, PII exchange, and Russian hacking forums including vendors.es, proven.su, silverspam.net, lampeduza.so, damagelab.org, and exploit.in. 

"We even found him openly searching for conspirators on the public Internet," wrote the researchers, referencing a post in which Frapstar said "Need partner to make thing happen in canada region."

"This is clearly the mark of a one-man and relatively amateurish operation," according to Trend researchers, "most criminals that we track know better than to ask for conspirators, especially not in Canada — a large country with a small populace makes for an easy grid to track someone down."

Because he used the same handles across platforms, the researchers were able to discover that Frapstar is a fan of expensive cars, particularly BMWs. He gushed about his BMW 540i on a BMW forum, introducing himself as "Chuck" from Montreal, and providing his Gmail address.

"This finding gives a peek of what kind of lifestyle Frapstar has," the researchers wrote. "He is obviously living comfortably and is able to afford some luxuries. We are not certain whether Frapstar has a different day job that supplements his cybercrime operations, but we believe that he is earning a substantial amount from his operations."

While Bitcoins have become the preferred payment method of organized cybercriminals, Frapstar preferred Western Union or WebMoney.

His tradecraft of choice were all purchased on the black market from other cybercriminals, and included information stealers like ZeuS and Zbot, the VBNA Visual Basic worm, SillyFDC autorun worm, and a variety of scanners, passwrod stealers, droppers, downloaders, and backdoors. He also bought spamming and botnet services.

"His strategy, using multiple malware types resembles a Swiss Army Knife," the researchers said. "Frapstar purchases malware with different capabilities and used each depending on his current needs. This also highlights a key fact about the user: Frapstar is a script kiddie who shops for malware on hacking forums but also possesses enough know-how to effectively use the malware."

Trend Micro has reported Frapstar to Canadian authorities.

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights