Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/24/2017
06:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Meet Ripper.cc, A Reputation Service For Cybercriminals

Ripper.cc offers a service to help protect the genuine cybercriminals from the scammers in their midst.

Fraud, it turns out, is as big a problem in the cyber underworld as it is for legitimate enterprises. And just as businesses constantly refine processes and techniques for spotting fraudsters, so too apparently do the bad guys.

Security firm Digital Shadows issued an alert this week about Ripper.cc, a service designed to help cybercriminals weed out scammers selling fake credential dumps, invalid or used payment card data, and for failing to deliver promised goods after taking money for them.

Ripper.cc is not the first service to try and help shield cybercriminals from fellow scammers. Cybercriminals have long used blacklists, underground forums, and other means to warn one another of rippers in their midst. Since 2005, in fact, a Russian service named Kidala.info has maintained a database of rippers.

What makes Ripper.cc different is its level of sophistication and the quality of its service, says Michael Marriott, research analyst at Digital Shadows.

For starters, Ripper.cc has a much sleeker-looking, and therefore more usable, website, according to Digital Shadows. The operators of the underground reputation service also offer helpful extensions for Firefox and Chrome and for PsiPlus that highlight all the known rippers that might be present in an underground forum or site so visitors know to stay away from them.

The browser extensions allow the visitor to click through the warnings and pull up ripper profiles from Ripper.cc, along with any identifying information that might be available on the individual including forum accounts and the reasons for their being in the database, Marriott says.

The PsiPlus plugin for those using Jabber instant messenger warns users when they might be interacting with someone in the Ripper database. As with the browser extension, the PsiPlus plugin also lets users pull up the profile and full details of each scammer. In both cases, the purpose is early detection of rippers. 

The plugins address a critical shortcoming in blacklists and some of the earlier services like Kidala where all the data about known rippers is contained in one place.

"Ripper.cc’s browser plugins will highlight known rippers for you on any forum regardless of whether they have been banned on that particular forum or not," he says. "[That] means it’s cross-platform and doesn’t require you to do anything extra."

The creators of Ripper.cc appear to have taken steps to assure users about the trustworthiness of the scammer data in the database. They have tried to involve trusted members from within the underground community to participate in the project. Ripper.cc also has a process to ensure that all submitted complaints about potential rippers go through an arbitration process, Marriott says. Administrators from four well-known underground forums are part of Ripper.cc’s arbitration team.

"Nonetheless, there is no doubt that not everyone in the cybercriminal community will trust them," Marriott says.

For now, the operators of Ripper.cc seem content to monetize their service through advertisements. Currently, the site has only two advertisers, both underground sites. To advertise on the site, it costs $15 per month for a footer banner, $35 for a side banner, and $50 for a header banner.

The operators of the site appear to have considered other monetization options as well but have not implemented them yet. One is a subscription model where users would presumably pay a small fee to access the plugins. The other option that the operators of Ripper.cc have discussed is operating as an escrow agent and collecting a cut for each transaction.

If such a service becomes successful, cybercriminals could begin to operate with more confidence, Marriott says. "It will enable cybercriminals to significantly reduce the risks associated with rippers and the overall cybercriminal economy can become more profitable allowing for further growth."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tipsh
50%
50%
Tipsh,
User Rank: Apprentice
1/26/2017 | 2:04:27 PM
ripper.cc
You're right half. We have already given an interview to a journalist motherboard in jabber, painted all the details as much as possible. Please do not judge us for previously.
Thx you.

adm ripper.cc
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:19:04 AM
Re: Darknet Yelp
@jcavery: While the aggregation of collected data can certainly be helpful, to be fair, I highly doubt the cybercriminals in question are using their real identities (beyond a pseudonymous one) -- or, for that matter, that Ripper is storing IP addresses (and, even if they were, I suspect that the vast majority -- if not all -- of the cybercriminals in question are using Tor, VPNs, and/or other IP-masking tools).
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/26/2017 | 9:45:46 AM
Re: Darknet Yelp
Nice, doing the FBI's job for them. Keep up the great work Ripper
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/25/2017 | 10:25:24 AM
Darknet Yelp
So, basically, this is Darknet Yelp.

If they're considering different monetization models, I wonder if they'll go with advertising -- as did "regular" Yelp.

And then, from there, "regular" Yelp has been accused of extorting small business owners.  (Not sure how those accusations turned out or their veracity; I only know that there have been a number of such allegations.)

At some point, though, there has to be honor among thieves.
Navigating Security in the Cloud
Diya Jolly, Chief Product Officer, Okta,  12/4/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The security team seem to be taking SiegeWare seriously" 
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16770
PUBLISHED: 2019-12-05
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
CVE-2019-19609
PUBLISHED: 2019-12-05
The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
CVE-2019-16768
PUBLISHED: 2019-12-05
Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
CVE-2012-1105
PUBLISHED: 2019-12-05
An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
CVE-2019-16769
PUBLISHED: 2019-12-05
Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...