Chapter 3 - Crime Areas

3.1 Crime-as-a-Service - Overview

Over the past few decades the digital underground has evolved and matured from a few small groups hacking and phreaking for fun and prestige, to a thriving criminal industry that costs global economies an estimated USD 300+ billion per year [8].

The digital underground is not only complex and highly dynamic but also highly fragmented. Each actor, from sophisticated criminal groups to fledgling cybercriminals, has their own particular skill-set and area of expertise. It is this division of labour and adoption of niche functionalities that drives the criminal economy, and has created a booming as-a-service industry, as skills can be monetised and create broader – even mass – access to crime capabilities that would formerly have required exceptional abilities.

Underground forums

The underground economy relies extensively on websites and forums - marketplaces and hubs where supply and demand meet; places to advertise, buy and sell products and services, network and share experience and expertise. Here the pooling of knowledge and the constant need for innovation also stimulate research and development.

These forums can be devoted to a particular topic (a product or specialised service such as hacking or carding) or be more generalised, covering a huge range of topics and products, servicing the entire spectrum of cybercrime and supplying all logistical aspects required to perpetrate cybercrime offences.

One Russian language carding forum with over 13 000 members and almost 4000 daily visitors had more than 20 subforums covering topics including online security, tutorials, carding, botnets, web design and money laundering. Across the forum there were in excess of 75 000 individual discussion topics.

Since their first appearance in the early 2000s [9], these forums have matured in sophistication, in the expertise and range of products available, and the level of professionalism and operational security exhibited.

Traditionally these forums have resided within the open or Deep Web [10]; however, the Darknet [11] is increasingly becoming host to such communities. The same mechanism which provides anonymity to users likewise allows content to be hosted anonymously on the network, ostensibly being untraceable whilst remaining accessible from within the network. This capability has given rise to what have become known as hidden services.

These services generally take one of two forms - underground forums and criminal marketplaces. Underground forums on Darknets typically mirror their open Internet or Deep Web counterparts, serving as meeting places and message boards for many different communities. Forums dedicated to drugs, hacking, carding and child abuse material can all be found on the Darknet.

Although trade in illicit commodities does occur on these forums, Darknets have risen in infamy due to the specialised criminal marketplaces - epitomised by the Silk Road. These markets offer visitors a place to acquire almost any illicit commodity or service including narcotics, weapons, pharmaceuticals and steroids, forged documents, credit cards, hacking tools and even contract killings. Silk Road spawned a number of alternative sites such as the Agora and Outlaw markets and, following its takedown in October 2013, Silk Road 2.0. As of August 2014 there were at least 39 such markets [12]. The majority of these sites are in the English language; however, a number of them cater to specific languages including Finnish, French, Italian, Polish and Russian [13].

Despite the increased protection and anonymity the Darknet affords, the more sophisticated, high-threat cybercrime forums still operate in the open or Deep Web. It is possible that this is due to a perceived greater degree of control over internal security than that afforded by a Darknet infrastructure, in addition to superior connection speeds.

In either environment, access to these platforms is not always straightforward. Entry requirements escalate with the sophistication of the forum. The more security-conscious forums, for example, often require new members to be ‘vouched’ for by existing members.

Within forums a rigid and (for cybercrime) unique hierarchy often exists. This structure, with designated roles and responsibilities, allows forums to effectively police themselves, controlling population levels and rooting out unwanted or troublesome members. Forums are run by Administrators who manage their hosting, determine the general purpose and direction of the forum and set rules for recruitment and behaviour. Each subforum is generally overseen by one or more Moderators. These are trusted individuals who are often subject matter experts for their particular subforum topic and who manage content and disputes within their area. Each forum will also have a multitude of Vendors with services and products to trade with the forum membership. Vendor status typically requires providing samples to the Moderators for review. Furthermore, their products will continuously be reviewed and rated by customers. The concept of reputation and ratings is analogous to that of legitimate commercial websites, with the exception that access to cybercriminals with a high reputation is not easy.

A user’s reputation and consequently their online nickname [14] on these underground forums is one of the most important factors in creating trust and for deciding to engage in a business relationship.

To the remainder of the community, these markets give organisation to previously disparate individuals, permitting them to escalate the scale of their operations. The current definitions of organised crime do not reflect the digital underground economy. Often, relationships between cybercriminals are transient or simply transactional, with cybercriminals rarely knowing each other offline. Instead these markets create an organised set of criminal relationships [15]. Increasingly, however, individuals are forming more coherent groups focused around a particular project or attack campaign, although these groups still lack the structure and hierarchy of a traditional organised crime group.

The most persistent cybercrime forums are populated by Russian-speaking communities, and although English is also commonly used in communication, many jurisdictions host forums in their native language. Underground forums exist across many nationalities, and these communities are growing.

Criminal services

In a simplified business model, a cybercriminal’s toolkit may include malicious software, supporting infrastructure, stolen personal and financial data and the means to monetise their criminal gains. With every aspect of this toolkit available to purchase or hire as a service, it is relatively easy for cybercrime initiates - lacking experience and technical skills - to launch cyber attacks not only of a scale highly disproportionate to their ability but for a price similarly disproportionate to the potential damage [16]. The possibility to outsource significant parts of their work also allows experienced cybercriminals to focus on their core activities, becoming more efficient and specialised.

The following is an outline of some of the key services offered:

Infrastructure-as-a-Service - To launch their attacks cybercriminals require infrastructure which provides security, anonymity, resilience and resistance to law enforcement intervention. Protected infrastructure for delivering attacks is not only used by profit-motivated cybercriminals, but can be used in other types of offending such as hacktivism or online child sexual exploitation. Hosting providers have a critical role in the underground economy, providing secure storage for attack tools, such as malware and exploit kits, illicit material and stolen data. Bullet-proof hosting services are highly sought after in online marketplaces [17], providing customers with the necessary resilience to evade law enforcement. VPN and proxy services play an important role providing anonymity to cybercriminals and their activities.

Distributed Denial of Service (DDoS) attacks have become accessible to anyone willing to pay for such services. Those offering this service typically have a botnet at their disposal, renting out its capacity in order to launch attacks. With today’s methods a large botnet is not always required to launch a large-scale attack. A number of methods such as NTP amplification or DNS reflection can magnify the efficacy of any botnet. Such methods were used in the Spamhaus DDoS attack in 2013 - one of the largest recorded attacks in history - which spiked at nearly 300 Gbps of traffic.

Although we can only expect the magnitude of DDoS attacks to increase, networks will become better at mitigating such attacks as they have with spam.

Attackers do not restrict themselves to botnets comprised of infected home computers. They have also begun identifying, compromising and exploiting vulnerable website and content management system (online publishing) servers which have greater bandwidth, are optimised for heavy traffic [18] and are therefore well suited to launching large attacks.
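From the defender's side, the NTP amplification and DNS reflection methods named above leave a recognisable trace: because the spoofed requests never leave the victim's network, the victim sees oversized UDP replies from many reflector addresses that it never queried. The following is an added example, not code from the report; the flow-record layout, the sample flows and the thresholds are assumptions.

```python
"""Flag unsolicited UDP reflection traffic in border flow records.

Record layout (assumed): (src_ip, src_port, dst_ip, dst_port, bytes, packets),
roughly what a NetFlow exporter at the victim's border would summarise.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors: NTP (123) and DNS (53).
REFLECTOR_PORTS = {123, 53}

# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    # legitimate: 10.0.0.5 queries a resolver and receives a small reply
    ("10.0.0.5", 40001, "198.51.100.53", 53, 70, 1),
    ("198.51.100.53", 53, "10.0.0.5", 40001, 120, 1),
    # legitimate: 10.0.0.7 syncs its clock with an NTP server
    ("10.0.0.7", 123, "203.0.113.10", 123, 48, 1),
    ("203.0.113.10", 123, "10.0.0.7", 123, 48, 1),
    # reflected flood hitting 10.0.0.9 from several NTP/DNS reflectors;
    # 10.0.0.9 never sent a request to any of them
    ("192.0.2.11", 123, "10.0.0.9", 80, 44000, 100),
    ("192.0.2.12", 123, "10.0.0.9", 80, 43560, 99),
    ("192.0.2.13", 53, "10.0.0.9", 80, 31000, 10),
    ("192.0.2.14", 53, "10.0.0.9", 80, 30900, 10),
]


def reflection_victims(flows, min_sources=3, min_avg_bytes=400):
    """Return {victim_ip: [reflector_ips]} for hosts receiving unsolicited,
    oversized replies from at least min_sources distinct reflectors."""
    # (local host, remote reflector) pairs for which a request was seen.
    solicited = {(src, dst) for src, _, dst, dport, _, _ in flows
                 if dport in REFLECTOR_PORTS}
    suspects = defaultdict(set)
    for src, sport, dst, _, nbytes, pkts in flows:
        if sport not in REFLECTOR_PORTS or pkts == 0:
            continue
        if (dst, src) in solicited:          # reply to a genuine query
            continue
        if nbytes / pkts >= min_avg_bytes:   # far larger than a normal reply
            suspects[dst].add(src)
    return {v: sorted(s) for v, s in suspects.items() if len(s) >= min_sources}


if __name__ == "__main__":
    for victim, reflectors in reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: unsolicited reflector traffic from {len(reflectors)} sources")
```

Per-packet size is used rather than raw volume so that a single busy but legitimate resolver is not mistaken for a reflector.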

Data-as-a-Service - Data is a key commodity for cybercriminals. Large volumes of compromised personal and financial data are retailed in the digital underground economy. This includes not only data such as credit card and bank account details, but also data such as physical addresses, phone numbers, email addresses, names and dates of birth, e-wallets, social network accounts and other web logins (particularly those with a financial aspect). Underground marketplaces can also supply counterfeit or fraudulently obtained physical documents such as ID cards, passports, driver’s licences and utility bills to facilitate both online and offline fraud [19].

Pay-per-install Services - A popular method of distributing malware. The providers of these services distribute the malicious files supplied by their customers and get paid according to the number of downloads. These services can provide country specific traffic.

Hacking-as-a-Service - At a basic level this may include hacking of email and social networking accounts, but it may also include more sophisticated attacks such as economic espionage or gathering private data on a target.

Translation Services - Many campaigns target victims in specific countries, for which the attacker may not be a native speaker of the target language. The use of translators to provide grammatically correct scripts maximises the impact of a campaign as poor language is often a giveaway that a particular message is part of a scam.

Money Laundering-as-a-Service - In order to financially benefit from their activities cybercriminals employ services to ‘cash out’ from digital or real world financial systems. These services involve a combination of online and offline solutions, with money mule networks often having a central role.