
Threat Intelligence

5/26/2015
04:10 PM

Profile Of A Cybercrime Petty Thief

Trend Micro provides peek at methods of amateur, lone-wolf carder.

Although the cybercrime game is dominated by organized criminals -- according to IBM X-Force, 80 percent of cyber attacks are driven by highly organized crime rings -- there are one-man operations getting a piece of the action, too. Trend Micro today proposed that actors like these may be the "evolved version of the petty thief," and profiled one individual operating in Canada.

This individual, whom Trend Micro calls Frapstar, doesn't write code: he buys it. He isn't very slick at hiding his tracks or his identity. Yet he seems to make a comfortable living, in whole or in part, from selling dumps of credit card and Canadian passport data.

Frapstar also goes by the handles ksensei21 and badbullz across a variety of platforms, both criminal and non-criminal. He's active on multiple carding, PII-exchange, and Russian hacking forums, including vendors.es, proven.su, silverspam.net, lampeduza.so, damagelab.org, and exploit.in.

"We even found him openly searching for conspirators on the public Internet," wrote the researchers, referencing a post in which Frapstar said "Need partner to make thing happen in canada region."

"This is clearly the mark of a one-man and relatively amateurish operation," according to Trend researchers. "Most criminals that we track know better than to ask for conspirators, especially not in Canada — a large country with a small populace makes for an easy grid to track someone down."

Because he used the same handles across platforms, the researchers were able to discover that Frapstar is a fan of expensive cars, particularly BMWs. He gushed about his BMW 540i on a BMW forum, introducing himself as "Chuck" from Montreal, and providing his Gmail address.

"This finding gives a peek of what kind of lifestyle Frapstar has," the researchers wrote. "He is obviously living comfortably and is able to afford some luxuries. We are not certain whether Frapstar has a different day job that supplements his cybercrime operations, but we believe that he is earning a substantial amount from his operations."
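The pivot the researchers describe, reusing a handle or contact detail as the join key between criminal forums and ordinary public sites, is a standard OSINT attribution step. The following is an added illustration in Python, not Trend Micro's tooling or method. The profile records are constructed: the handles mirror the ones named in the article, but the public sites (`.example` domains), the e-mail address and the alias link asserted by the analyst are placeholders, and the display name "Chuck" is used only because the article reports it.

```python
"""Pivot on reused handles and e-mail addresses to link pseudonymous accounts.

Added example, not Trend Micro's tooling. Profile records are constructed:
handles mirror the article, everything else is a placeholder.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Profile:
    platform: str
    handle: str
    category: str                    # "criminal" or "public"
    email: Optional[str] = None
    display_name: Optional[str] = None


# Constructed sample data (non-criminal sites, e-mail, etc. are placeholders).
PROFILES: List[Profile] = [
    Profile("proven.su", "Frapstar", "criminal"),
    Profile("exploit.in", "frapstar", "criminal"),
    Profile("lampeduza.so", "ksensei21", "criminal"),
    Profile("damagelab.org", "badbullz", "criminal"),
    Profile("bmw-forum.example", "ksensei21", "public",
            email="chuck.example@gmail.com", display_name="Chuck"),
    Profile("social.example", "BadBullz", "public", email="chuck.example@gmail.com"),
    # A generic handle that two unrelated people happen to share.
    Profile("vendors.es", "carparts", "criminal"),
    Profile("cars.example", "carparts", "public", email="someone@example.org"),
]

# Analyst-asserted alias links (constructed; stands in for evidence such as a
# signature or contact field that names a second handle).
ANALYST_LINKS: List[Tuple[str, str]] = [("frapstar", "ksensei21")]


def normalize(value: str) -> str:
    return value.strip().lower()


class UnionFind:
    """Disjoint-set forest: profiles sharing any identifier end up in one set."""

    def __init__(self, n: int) -> None:
        self.parent = list(range(n))

    def find(self, x: int) -> int:
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: int, b: int) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_profiles(profiles, analyst_links=()):
    """Cluster profiles that share a normalized handle or e-mail, plus analyst links."""
    uf = UnionFind(len(profiles))
    first_seen: Dict[Tuple[str, str], int] = {}
    for i, p in enumerate(profiles):
        keys = [("handle", normalize(p.handle))]
        if p.email:
            keys.append(("email", normalize(p.email)))
        for key in keys:
            if key in first_seen:
                uf.union(first_seen[key], i)
            else:
                first_seen[key] = i
    for a, b in analyst_links:
        ka, kb = ("handle", normalize(a)), ("handle", normalize(b))
        if ka in first_seen and kb in first_seen:
            uf.union(first_seen[ka], first_seen[kb])
    groups = defaultdict(list)
    for i, p in enumerate(profiles):
        groups[uf.find(i)].append(p)
    return [sorted(g, key=lambda p: p.platform) for g in groups.values()]


def cross_boundary(clusters):
    """Clusters spanning criminal and public platforms are the attribution leads."""
    return [c for c in clusters if len({p.category for p in c}) > 1]


def summarize(cluster):
    """Collapse a cluster to the identifiers and a count of how many of them recur."""
    counts = defaultdict(int)
    for p in cluster:
        counts[("handle", normalize(p.handle))] += 1
        if p.email:
            counts[("email", normalize(p.email))] += 1
    return {
        "platforms": [p.platform for p in cluster],
        "handles": sorted({normalize(p.handle) for p in cluster}),
        "emails": sorted({normalize(p.email) for p in cluster if p.email}),
        "names": sorted({p.display_name for p in cluster if p.display_name}),
        # Identifiers seen on two or more profiles; one shared handle is weak evidence.
        "shared_identifiers": sum(1 for n in counts.values() if n >= 2),
    }
```

Two things the constructed data is set up to show: without the analyst-asserted link, the `frapstar` accounts stay in their own cluster, because nothing machine-readable ties that handle to `ksensei21`; and the `carparts` cluster also crosses the criminal/public boundary, so a single reused handle is a lead to verify, not an identification. Only the cluster held together by several independent identifiers (three handles plus an e-mail address) is the kind of finding worth reporting.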

While Bitcoin has become the preferred payment method of organized cybercriminals, Frapstar preferred Western Union or WebMoney.

His tools were all purchased on the black market from other cybercriminals, and included information stealers such as ZeuS (also detected as Zbot), the VBNA Visual Basic worm, the SillyFDC autorun worm, and a variety of scanners, password stealers, droppers, downloaders, and backdoors. He also bought spamming and botnet services.

"His strategy, using multiple malware types, resembles a Swiss Army Knife," the researchers said. "Frapstar purchases malware with different capabilities and used each depending on his current needs. This also highlights a key fact about the user: Frapstar is a script kiddie who shops for malware on hacking forums but also possesses enough know-how to effectively use the malware."

Trend Micro has reported Frapstar to Canadian authorities.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...