
1/24/2017
06:25 PM

Meet Ripper.cc, A Reputation Service For Cybercriminals

Ripper.cc offers a service to help protect the genuine cybercriminals from the scammers in their midst.

Fraud, it turns out, is as big a problem in the cyber underworld as it is for legitimate enterprises. And just as businesses constantly refine processes and techniques for spotting fraudsters, so too apparently do the bad guys.

Security firm Digital Shadows issued an alert this week about Ripper.cc, a service designed to help cybercriminals weed out scammers who sell fake credential dumps or invalid or used payment card data, or who fail to deliver promised goods after taking money for them.

Ripper.cc is not the first service to try to help shield cybercriminals from fellow scammers. Cybercriminals have long used blacklists, underground forums, and other means to warn one another of rippers in their midst. Since 2005, in fact, a Russian service named Kidala.info has maintained a database of rippers.

What makes Ripper.cc different is its level of sophistication and the quality of its service, says Michael Marriott, research analyst at Digital Shadows.

For starters, Ripper.cc has a much sleeker-looking, and therefore more usable, website, according to Digital Shadows. The operators of the underground reputation service also offer helpful extensions for Firefox and Chrome and for PsiPlus that highlight all the known rippers that might be present in an underground forum or site so visitors know to stay away from them.

The browser extensions allow the visitor to click through the warnings and pull up ripper profiles from Ripper.cc, along with any identifying information that might be available on the individual including forum accounts and the reasons for their being in the database, Marriott says.

The PsiPlus plugin for those using Jabber instant messenger warns users when they might be interacting with someone in the Ripper database. As with the browser extension, the PsiPlus plugin also lets users pull up the profile and full details of each scammer. In both cases, the purpose is early detection of rippers. 

The plugins address a critical shortcoming in blacklists and some of the earlier services like Kidala where all the data about known rippers is contained in one place.

"Ripper.cc’s browser plugins will highlight known rippers for you on any forum regardless of whether they have been banned on that particular forum or not," he says. "[That] means it’s cross-platform and doesn’t require you to do anything extra."

The creators of Ripper.cc appear to have taken steps to assure users about the trustworthiness of the scammer data in the database. They have tried to involve trusted members from within the underground community to participate in the project. Ripper.cc also has a process to ensure that all submitted complaints about potential rippers go through an arbitration process, Marriott says. Administrators from four well-known underground forums are part of Ripper.cc’s arbitration team.

"Nonetheless, there is no doubt that not everyone in the cybercriminal community will trust them," Marriott says.

For now, the operators of Ripper.cc seem content to monetize their service through advertisements. Currently, the site has only two advertisers, both underground sites. Advertising on the site costs $15 per month for a footer banner, $35 for a side banner, and $50 for a header banner.

The operators of the site appear to have considered other monetization options as well but have not implemented them yet. One is a subscription model where users would presumably pay a small fee to access the plugins. The other option that the operators of Ripper.cc have discussed is operating as an escrow agent and collecting a cut for each transaction.

If such a service becomes successful, cybercriminals could begin to operate with more confidence, Marriott says. "It will enable cybercriminals to significantly reduce the risks associated with rippers and the overall cybercriminal economy can become more profitable allowing for further growth."


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
Tipsh,
User Rank: Apprentice
1/26/2017 | 2:04:27 PM
ripper.cc
You're right half. We have already given an interview to a journalist motherboard in jabber, painted all the details as much as possible. Please do not judge us for previously.
Thx you.

adm ripper.cc
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:19:04 AM
Re: Darknet Yelp
@jcavery: While the aggregation of collected data can certainly be helpful, to be fair, I highly doubt the cybercriminals in question are using their real identities (beyond a pseudonymous one) -- or, for that matter, that Ripper is storing IP addresses (and, even if they were, I suspect that the vast majority -- if not all -- of the cybercriminals in question are using Tor, VPNs, and/or other IP-masking tools).
jcavery,
User Rank: Moderator
1/26/2017 | 9:45:46 AM
Re: Darknet Yelp
Nice, doing the FBI's job for them. Keep up the great work Ripper
Joe Stanganelli,
User Rank: Ninja
1/25/2017 | 10:25:24 AM
Darknet Yelp
So, basically, this is Darknet Yelp.

If they're considering different monetization models, I wonder if they'll go with advertising -- as did "regular" Yelp.

And then, from there, "regular" Yelp has been accused of extorting small business owners.  (Not sure how those accusations turned out or their veracity; I only know that there have been a number of such allegations.)

At some point, though, there has to be honor among thieves.