Cyber-criminals Scammed Each Other Out of Millions in 2022

Cyber-criminals have lost at least $2.5m to scammers on just three underground sites in the past 12 months, according to Sophos.

The UK-based security vendor claimed that this “sub-economy,” in which cyber-criminals effectively defraud each other, has become big business.

In the first part of its new report, “The scammers who scam scammers on cybercrime forums,” Sophos senior threat researcher Matt Wixey claimed that the problem is now so acute that forum admins have created dedicated “arbitration rooms.”

“Personal beefs, rivalries and wanting to destroy (or sometimes enhance) reputations can all result in scams. And it’s not just small-time crooks. We saw prominent threat actors either accused of scamming or falling victim to scams themselves,” Wixey continued.

“We saw referral cons, fake data leaks and tools, typosquatting, phishing, ‘alt rep’ scams (the use of sockpuppets to artificially inflate reputation scores), fake guarantors, blackmail, impersonated accounts and backdoored malware. We even found instances where threat actors got revenge by scamming the scammers who scammed them.”

The report looked at three popular underground sites: Exploit and XSS, two Russian-language cybercrime forums that provide access-as-a-service (AaaS) listings, and the English-language BreachForums, which specializes in data leaks.

Over 12 months, Sophos investigated 600 scams passing through arbitration on these sites, with claims ranging from $2 to $160,000.

Wixey argued that analyzing these disputes is a useful way to glean insight into cyber-criminals’ tactical and strategic priorities, rivals and alliances, and their susceptibility to deception.

“Threat actors are aware that criminal forums are monitored, and so often employ good operational security. When they’re victims of crime themselves – well, not so much,” he added.

“Because forum rules demand proof to support scam allegations, wronged threat actors will often happily post screenshots of private conversations and source code, identifiers, transactions, chat logs, and blow-by-blow accounts of negotiations, sales, and troubleshooting.”

Sometimes scammers create entire fake sites. Wixey claimed his research uncovered one group which built 20 imitation sites, including one that spoofed the popular Genesis Market. The ruse was to trick interested parties into handing over a $100 ‘activation fee’ to participate.
