Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

1/24/2017
06:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Meet Ripper.cc, A Reputation Service For Cybercriminals

Ripper.cc offers a service to help protect the genuine cybercriminals from the scammers in their midst.

Fraud, it turns out, is as big a problem in the cyber underworld as it is for legitimate enterprises. And just as businesses constantly refine processes and techniques for spotting fraudsters, so too apparently do the bad guys.

Security firm Digital Shadows issued an alert this week about Ripper.cc, a service designed to help cybercriminals weed out scammers selling fake credential dumps, invalid or used payment card data, and for failing to deliver promised goods after taking money for them.

Ripper.cc is not the first service to try and help shield cybercriminals from fellow scammers. Cybercriminals have long used blacklists, underground forums, and other means to warn one another of rippers in their midst. Since 2005, in fact, a Russian service named Kidala.info has maintained a database of rippers.

What makes Ripper.cc different is its level of sophistication and the quality of its service, says Michael Marriott, research analyst at Digital Shadows.

For starters, Ripper.cc has a much sleeker-looking, and therefore more usable, website, according to Digital Shadows. The operators of the underground reputation service also offer helpful extensions for Firefox and Chrome and for PsiPlus that highlight all the known rippers that might be present in an underground forum or site so visitors know to stay away from them.

The browser extensions allow the visitor to click through the warnings and pull up ripper profiles from Ripper.cc, along with any identifying information that might be available on the individual including forum accounts and the reasons for their being in the database, Marriott says.

The PsiPlus plugin for those using Jabber instant messenger warns users when they might be interacting with someone in the Ripper database. As with the browser extension, the PsiPlus plugin also lets users pull up the profile and full details of each scammer. In both cases, the purpose is early detection of rippers. 

The plugins address a critical shortcoming in blacklists and some of the earlier services like Kidala where all the data about known rippers is contained in one place.

"Ripper.cc’s browser plugins will highlight known rippers for you on any forum regardless of whether they have been banned on that particular forum or not," he says. "[That] means it’s cross-platform and doesn’t require you to do anything extra."

The creators of Ripper.cc appear to have taken steps to assure users about the trustworthiness of the scammer data in the database. They have tried to involve trusted members from within the underground community to participate in the project. Ripper.cc also has a process to ensure that all submitted complaints about potential rippers go through an arbitration process, Marriott says. Administrators from four well-known underground forums are part of Ripper.cc’s arbitration team.

"Nonetheless, there is no doubt that not everyone in the cybercriminal community will trust them," Marriott says.

For now, the operators of Ripper.cc seem content to monetize their service through advertisements. Currently, the site has only two advertisers, both underground sites. To advertise on the site, it costs $15 per month for a footer banner, $35 for a side banner, and $50 for a header banner.

The operators of the site appear to have considered other monetization options as well but have not implemented them yet. One is a subscription model where users would presumably pay a small fee to access the plugins. The other option that the operators of Ripper.cc have discussed is operating as an escrow agent and collecting a cut for each transaction.

If such a service becomes successful, cybercriminals could begin to operate with more confidence, Marriott says. "It will enable cybercriminals to significantly reduce the risks associated with rippers and the overall cybercriminal economy can become more profitable allowing for further growth."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tipsh
50%
50%
Tipsh,
User Rank: Apprentice
1/26/2017 | 2:04:27 PM
ripper.cc
You're right half. We have already given an interview to a journalist motherboard in jabber, painted all the details as much as possible. Please do not judge us for previously.
Thx you.

adm ripper.cc
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:19:04 AM
Re: Darknet Yelp
@jcavery: While the aggregation of collected data can certainly be helpful, to be fair, I highly doubt the cybercriminals in question are using their real identities (beyond a pseudonymous one) -- or, for that matter, that Ripper is storing IP addresses (and, even if they were, I suspect that the vast majority -- if not all -- of the cybercriminals in question are using Tor, VPNs, and/or other IP-masking tools).
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/26/2017 | 9:45:46 AM
Re: Darknet Yelp
Nice, doing the FBI's job for them. Keep up the great work Ripper
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/25/2017 | 10:25:24 AM
Darknet Yelp
So, basically, this is Darknet Yelp.

If they're considering different monetization models, I wonder if they'll go with advertising -- as did "regular" Yelp.

And then, from there, "regular" Yelp has been accused of extorting small business owners.  (Not sure how those accusations turned out or their veracity; I only know that there have been a number of such allegations.)

At some point, though, there has to be honor among thieves.
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Now this is the worst micromanagment I've seen.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17210
PUBLISHED: 2019-07-20
An issue was discovered in PrinterOn Central Print Services (CPS) through 4.1.4. The core components that create and launch a print job do not perform complete verification of the session cookie that is supplied to them. As a result, an attacker with guest/pseudo-guest level permissions can bypass t...
CVE-2019-12934
PUBLISHED: 2019-07-20
An issue was discovered in the wp-code-highlightjs plugin through 0.6.2 for WordPress. wp-admin/options-general.php?page=wp-code-highlight-js allows CSRF, as demonstrated by an XSS payload in the hljs_additional_css parameter.
CVE-2019-9229
PUBLISHED: 2019-07-20
An issue was discovered on AudioCodes Mediant 500L-MSBR, 500-MBSR, M800B-MSBR and 800C-MSBR devices with firmware versions F7.20A to F7.20A.251. An internal interface exposed to the link-local address 169.254.254.253 allows attackers in the local network to access multiple quagga VTYs. Attackers can...
CVE-2019-12815
PUBLISHED: 2019-07-19
An arbitrary file copy vulnerability in mod_copy in ProFTPD up to 1.3.5b allows for remote code execution and information disclosure without authentication, a related issue to CVE-2015-3306.
CVE-2019-13569
PUBLISHED: 2019-07-19
A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.