In the first part of this series of blog posts, we interviewed Ido Rozen, Cyber Researcher at SecuredTouch, and established that the dark web can be murky den of criminality that often treads the line between an illicit marketplace and a ‘how to hack’ forum. This part takes a deeper look at the fraudster’s modus operandi, and some of the cases Rozen has encountered on the job.
What do you look for when researching patterns of suspicious indicators?
We usually look for details that can indicate a fraudulent device or a fraudulent session. For example, a device that has no name, or multiple credit cards used on the same IP address. Tracking a potentially fake IP address can be a useful signal for detecting fraudulent behavior.
Can you give another example of these behavioral indicators?
Let’s say someone is trying to attack an mobile shopping app, by using stolen credit cards. They’ll use a script to see if their numbers work. At the same time, they’ll also try to disguise their device as a regular phone, or several different phones. If we see that someone is entering information on a phone in specific fields, without any mistakes, or if we see many actions in a short period of time, we might suspect this is being done by a script, and not a person.
You sometimes masquerade yourselves as hackers. Can you tell us about an interesting case that you came across?
About two months ago, while researching bots, I got into a conversation with a fraudster on the dark web. He was having problems trying to break into a specific web site. It turned out this was actually a site I was trying to protect!
That’s incredible. What did you do?
I asked him if he knew how to make captchas. In the end, I got him to actually send me a script of what he was doing and realized that he was taking advantage of a very serious vulnerability on the site I was trying to protect. Naturally, after this, we were able to block the vulnerability immediately, and he was none the wiser.
What can you tell us about the exchange of hands?
Folks on the dark web who try to get their hands on usernames and passwords don’t necessarily want to carry out the next step of actual fraud. They sell these credentials to other fraudsters so that they can’t be traced back to the crime. For example, if a criminal got hold of several keys to houses in your neighborhood, he will test and match each key to a specific household but he has no interest in going in a stealing things, he leaves that to the burglars. He will sell the key to the right house. The same goes for a fraudster on the dark web; they sell certain credentials that will allow another fraudster to gain entry into a site, so the exchange of hands minimizes the risk of getting caught.
Given the magnitude of criminal and/or terrorist activity on the dark web, you’d think there would be greater law enforcement or monitoring.
There is, but they’re not looking for fraud per se. If a social networking site was breached, for example, and it usernames and passwords were leaked, law enforcement wouldn't care as much. By and large, law enforcement is far more interested in terror related activities or evidence of paedophilia and human trafficking.
Lastly, how has the dark web changed over the last decade or so, and what do you predict for the foreseeable future?
The dark web has become more anonymous because people are trying harder to cover themselves. People are more cautious now and afraid of criminal activities being traced directly back to them. Assets that used to be free, such as credit card lists and software programs, have to be bought today. In the future, I foresee a longer validation process before a fraudster can undertake criminal activities and get a piece of the action.
We hope you enjoyed reading about some of the experiences of Cyber Researcher Ido Rozen. Going “behind enemy lines” and finding out what goes on in the dark web helps us stay ahead of the game, since this is where a lot of the fraudulent activity is coming from.