Dark Reading is part of the Informa Tech Division of Informa PLC


Threat Intelligence

5/26/2015
04:10 PM

Profile Of A Cybercrime Petty Thief

Trend Micro provides peek at methods of amateur, lone-wolf carder.

Although the cybercrime game is dominated by organized criminals -- according to IBM X-Force, 80 percent of cyber attacks are driven by highly organized crime rings -- there are one-man operations getting a piece of the action, too. Trend Micro today proposed that actors like these may be the "evolved version of the petty thief," and profiled one individual operating in Canada.

This individual, whom Trend Micro calls Frapstar, doesn't write code: he buys it. He isn't very slick at hiding his tracks or identity. Yet he seems to make a comfortable living, supplemented by or consisting solely of selling dumps of credit card and Canadian passport data.

Frapstar also goes by the handles ksensei21 and badbullz across a variety of platforms, both criminal and non-criminal. He's active on multiple carding, PII exchange, and Russian hacking forums including vendors.es, proven.su, silverspam.net, lampeduza.so, damagelab.org, and exploit.in.

"We even found him openly searching for conspirators on the public Internet," wrote the researchers, referencing a post in which Frapstar said "Need partner to make thing happen in canada region."

"This is clearly the mark of a one-man and relatively amateurish operation," according to Trend researchers, "most criminals that we track know better than to ask for conspirators, especially not in Canada — a large country with a small populace makes for an easy grid to track someone down."

Because he used the same handles across platforms, the researchers were able to discover that Frapstar is a fan of expensive cars, particularly BMWs. He gushed about his BMW 540i on a BMW forum, introducing himself as "Chuck" from Montreal, and providing his Gmail address.

"This finding gives a peek of what kind of lifestyle Frapstar has," the researchers wrote. "He is obviously living comfortably and is able to afford some luxuries. We are not certain whether Frapstar has a different day job that supplements his cybercrime operations, but we believe that he is earning a substantial amount from his operations."

While Bitcoins have become the preferred payment method of organized cybercriminals, Frapstar preferred Western Union or WebMoney.

His tools of choice were all purchased on the black market from other cybercriminals, and included information stealers like ZeuS and Zbot, the VBNA Visual Basic worm, the SillyFDC autorun worm, and a variety of scanners, password stealers, droppers, downloaders, and backdoors. He also bought spamming and botnet services.

"His strategy, using multiple malware types, resembles a Swiss Army Knife," the researchers said. "Frapstar purchases malware with different capabilities and used each depending on his current needs. This also highlights a key fact about the user: Frapstar is a script kiddie who shops for malware on hacking forums but also possesses enough know-how to effectively use the malware."

Trend Micro has reported Frapstar to Canadian authorities.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments

glamourweave (User Rank: Apprentice), 8/12/2015 7:01:20 AM:
"Frapstar has a different day job that supplements his cybercrime operations, but we believe that he is earning a substantial amount from his operations."
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...