Cybercriminals are often seen as parasites, feeding off a wide swath of victims of every size and stripe. But as it turns out, they've become targets in their own right, with a host of bottom-feeding "metaparasites" flocking to Dark Web marketplaces to find their own set of marks.
It's a phenomenon that has the happy side effect of exposing a rich vein of threat intelligence to researchers, including contact and location details of cybercriminals.
Sophos senior threat researcher Matt Wixey took to the stage at Black Hat Europe 2022 to discuss the metaparasite ecosystem, in a session entitled "Scammers Who Scam Scammers, Hackers Who Hack Hackers." According to research he did with fellow researcher Angela Gunn, the underground economy is riddled with a wide variety of fraudsters, who successfully extract millions of dollars per year from their fellow cybercriminals.
The pair examined 12 months of data across three Dark Web forums (Russian-speaking Exploit and XSS, and English-speaking Breach Forums), and uncovered thousands of successful scam efforts.
"It's pretty rich pickings," Wixey said. "Scammers scammed users of these forums out of about $2.5 million US dollars over the course of 12 months. The amounts per scam can be as little as $2 on up to the low six figures."
The tactics vary, but one of the most common — and the most crude — is a gambit known as the "rip and run." This refers to one of two "rip" variants: A buyer receives goods (an exploit, sensitive data, valid credentials, credit-card numbers, etc.) but doesn't pay for them; or, a seller is paid and never delivers what's been promised. The "run" portion refers to the scammer disappearing from the marketplace and refusing to answer any enquiries. Consider it a Dark Web version of the dine-and-dash.
There are also plenty of scammers hawking fake goods — such as nonexistent crypto accounts, macro builders that build nothing nefarious, fake data, or databases that are either already publicly available or have previously been leaked.
Some of these can get creative, Wixey explained.
"We found a service claiming to be able to bind an .EXE text to a PDF, so that when the victim clicked on the PDF, it would load while in the background, the .EXE would run silently," he said. "What the scammer actually did was just sent them back a document with a PDF icon, which wasn't actually a PDF nor did it contain an .EXE. They were hoping that the buyer didn't really know what they're asking for or how to check it."
Also common are scams where a seller offers legitimate goods that aren't quite of the quality that has been advertised — like credit card data claiming to be 30% valid, when in reality only 10% of the cards work. Or the databases are real but being advertised as "exclusive" while the seller is actually reselling them to multiple takers.
In some cases, fraudsters work in tandem in more of a long-con fashion, he added. Sites tend to be exclusive, which foments "a degree of intrinsic trust" that they can play upon, according to Wixey.
"One will build a rapport with a target and offer to provide a service; they'll then say that they actually know someone else who can do this work much better, who's an expert on the subject," Wixey explained. "They will often point them to a fake forum that a second person works and operates, which requires some sort of deposit or registration fee. The victim pays the registration fee, and then both scammers just disappear."
How Forums Fight Back
The activity has an adverse effect on the use of Dark Web forums — acting as an "effective tax on criminal marketplaces, making it more expensive and more dangerous for everyone else," Wixey noted. As such, ironically, many markets are implementing security measures to help curb the tide of fraud.
Forums face several challenges when it comes to putting in safeguards: There's no recourse to law enforcement or regulatory authorities for one; and it's a semianonymous culture, making it difficult to track culprits. So, the anti-fraud controls that have been put in place tend to focus on tracking the activity and issuing warnings.
For instance, some sites offer plug-ins that will check a URL to make sure it links to a verified cybercrime forum, not a fake site where users are defrauded via a bogus "joining fee." Others might run a "blacklist" of confirmed scammer tools and user names. And most have a dedicated arbitration process, where users can file a scam report.
"If you've been scammed by another user on the forum, you go to one of these arbitration rooms and you start a new thread and you supply some information," according to Wixey. That may consist of the username and contact details of the alleged scammer, proof of purchase or wallet transfer details, and as many details of the scam — including screenshots and chat logs — as possible.
"A moderator reviews the report, they ask for more information as it's needed, and they will then tag the accused person and give them somewhere between 12 and 72 hours to respond, depending on the forum," Wixey said. "The accused might make restitution, but that's pretty rare. What more commonly happens is that the scammer will dispute the report and claim it's due to a misunderstanding of the terms of the sale."
Some just don't respond, and in that case, they're either temporarily or permanently banned.
Another security option for forum users is the use of a guarantor — a site-verified resource that acts as an escrow account. The money to be exchanged is parked there until the goods or services are confirmed as being legitimate. However, guarantors themselves are often impersonated by fraudsters.
A Treasure Trove of Threat Intelligence
While the research offers a view into the inner workings of an interesting subsliver of the Dark Web world, Wixey also noted that the arbitration process in particular gives researchers a fantastic source of threat intelligence.
"Forums demand proof when a scam is alleged, and that includes things like screenshots and chat logs — and victims are typically only too happy to oblige," he explained. "A minority of them redact that evidence or restrict it, so it's only visible to a moderator, but most don't. They will post unredacted screenshots and chat logs, which often contain a treasure trove of cryptocurrency addresses, transaction IDs, email addresses, IP addresses, victim names, source code, and other information. And that's in contrast to most other areas of criminal marketplaces where OpSec is normally pretty good."
Some scam reports also include full screenshots of a person's desktop, including date, time, the weather, the language, and the applications — offering breadcrumbs to location.
In other words, normal precautions go out the window. A Sophos analysis of the most recent 250 scam reports on the three forums found that almost 40% of them included some kind of screenshot; only 8% restricted access to evidence or offered to submit it privately.
"In general, scam reports can be useful both for technical intelligence and for strategic intelligence," Wixey concluded.
"The big takeaway here is that threat actors don't seem to be immune to deception, social engineering or fraud," he added. "In fact, they seem to be as vulnerable as anyone else. Which is kind of interesting because these are exactly the kinds of techniques that they're using against other users."