![Page 1: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/1.jpg)
Insight on Russian Underground Economy
Fyodor Y | ARMORIZE
The Grugq | COSEINC
![Page 2: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/2.jpg)
Meet the “authors”.. :)
![Page 3: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/3.jpg)
Outline
•Tools and methods
•Introduction: Geeks or Gangsters?
•Underground economy: what u never knew
•Future trends and our research
•Lining up
![Page 4: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/4.jpg)
My favorite quote:
«Чтобы заработать в Интернете, не нужно ничего, и даже мозгов»
“To make money on the Internet you don’t need much, not even a brain” - from an online tutorial on how to make money
![Page 5: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/5.jpg)
Brief: Tools and methods
![Page 6: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/6.jpg)
Sources
•Dealing with a large volume of data (public forums, BBS, manual follow-up)
•Mostly public data
•Often: post-mortem analysis of compromised systems
![Page 7: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/7.jpg)
Intelligence Gathering
•Automated and manual analysis of publicly available data
![Page 8: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/8.jpg)
Automation: difficulties
•Language: complicated for automated processing (slang, misspellings, multiple spellings)
•Context evaluation for new items of trade requires manual analysis
![Page 9: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/9.jpg)
Ex.: What does this say?
![Page 10: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/10.jpg)
Good luck w/ automated translation
![Page 11: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/11.jpg)
Slang sources
•Fenya - Russian prison slang
•Anglicisms - English loan words
•Rhyming slang - sounds like the English word
•Direct translation
![Page 12: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/12.jpg)
Tools of trade
•Mostly open-source, with custom extensions
![Page 13: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/13.jpg)
Tools: Nutch
•Content Fetcher; extended with custom Indexers
•Changes to Spider behavior (“proper” robots.txt handling etc)
•Custom “Seeders”
•Distributed indexing (with Hadoop)
![Page 14: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/14.jpg)
Tools: RSS feeds “eater”
•A bunch of Python scripts thrown together to fetch RSS feeds
![Page 15: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/15.jpg)
Tools: SOLR
•Customized Data indexing and search
•Custom schema and search fields
•JSON output used
•Language “projection” (lingo/slang support)
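The slang and spelling problem named on the "Automation: difficulties" slide, and the "language projection" that the SOLR slide mentions, come down to folding many spellings of one trade item onto one canonical concept before indexing. The Python below is an added illustration of that layer, not the authors' tooling or their SOLR schema; the lexicon, its Cyrillic spellings and the sample posts are constructed assumptions.

```python
import unicodedata

# Constructed lexicon (my assumption, not the authors' data); Cyrillic forms and the homoglyph "сс" are mine.
LEXICON = {
    "webmoney_usd": ["wmz", "вмз", "webmoney", "вебмани"],
    "money_mule": ["drop", "дроп", "дропы"],
    "credit_card": ["cc", "сс", "кредитки"],  # second entry is Cyrillic es-es, not Latin c
    "abuse_resistant": ["абузоустойчивый", "bulletproof"],
    "affiliate_program": ["партнерка", "partnerka"],
}

def normalize(token):
    """Fold a token: NFKC, casefold, ё -> е, strip punctuation."""
    t = unicodedata.normalize("NFKC", token).casefold().replace("ё", "е")
    return "".join(ch for ch in t if ch.isalnum())

# Inverted index: normalized variant spelling -> canonical concept
VARIANTS = {normalize(v): c for c, vs in LEXICON.items() for v in vs}

def edit_distance(a, b):
    """Levenshtein distance, used to tolerate one-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def project_token(token, max_dist=1):
    """Map one token to a canonical concept; None if nothing matches."""
    t = normalize(token)
    if t in VARIANTS:
        return VARIANTS[t]
    # Fuzzy fallback only for tokens long enough that one edit is a typo, not another word
    if len(t) >= 4:
        for v, concept in VARIANTS.items():
            if abs(len(v) - len(t)) <= max_dist and edit_distance(t, v) <= max_dist:
                return concept
    return None

def project(text):
    """Canonical concepts mentioned in a post, in order of first appearance."""
    found = []
    for tok in text.split():
        c = project_token(tok)
        if c and c not in found:
            found.append(c)
    return found

# Constructed sample posts (not real forum data); run project() over each of these
SAMPLE_POSTS = [
    "Продам дропы под любой проект, оплата WMZ", "Нужен абузоустойчивый хостинг, плачу вебмани",
    "Партнёрка по фейк-АВ, выплаты каждый понедельник", "Selling drops + bulletproof server, wmz only",
]
```

Indexing the projected concepts alongside the raw text is what lets one search field find "drop", "дроп" and "drops" at once; the exact-match rule for short tokens keeps forms like "cc" from fuzzy-matching unrelated words.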
![Page 16: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/16.jpg)
Tools: Web UI/Maltego
•Web UI: easier
•Visualization: Maltego Custom Transforms
![Page 17: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/17.jpg)
Overall picturesque
![Page 18: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/18.jpg)
Maltego
![Page 19: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/19.jpg)
Introduction: Geeks or gangsters? :)
![Page 20: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/20.jpg)
From Russia with love..?
•What is the biggest export from Russia except for oil, gas, and nuclear scientists..? :)
![Page 21: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/21.jpg)
- Malware - stuff that lives in your PC against your will :)
![Page 22: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/22.jpg)
Typical export sample:
•Targets MS platforms
•Often - multi-component (loader, payload functions in form of DLL etc)
•Sensitive information collection (data, keystrokes and credential information)
•Turns computer into web proxy, smtp proxy, socks etc (useful for rent, spamming etc)
•May extort money from end user
![Page 23: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/23.jpg)
Looks familiar?
![Page 24: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/24.jpg)
Moscow arrest (31/08/2010)
Annual income: over 500,000 rubles (100,000 USD)
One unlock charged at 300 rubles (10 USD) via SMS
![Page 25: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/25.jpg)
Scale: big
![Page 26: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/26.jpg)
“Export” through legitimate sites
![Page 27: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/27.jpg)
Which end up in Google blacklist
![Page 28: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/28.jpg)
Why such spike?
•Fun?
•Profit!
![Page 29: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/29.jpg)
But there’s much more..
malware
OTHER COOL STUFF :-)
![Page 30: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/30.jpg)
That’s not a russian hax0r
![Page 31: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/31.jpg)
This is closer..
![Page 32: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/32.jpg)
Russian Underground Economy
![Page 33: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/33.jpg)
Where is the money!
•Banking credentials
•Credit cards
•Shops and goods
•Online goods and services
•Online currencies
•Monetization via Carrier providers and more
![Page 34: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/34.jpg)
Disclaimer:
We don’t sell or advertise any service. We simply look at the trades :-)
![Page 35: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/35.jpg)
“Ликбез” (crash course): some terminology
•WMZ - WebMoney; one WMZ = one USD
•Drop - money mule
•CC - credit cards
•Abuse resistant - Safe to host any kind of fraudulent service
•Partnerka - partnership program
![Page 36: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/36.jpg)
Online currencies
•Web Money (WMZ)
•Yandex Money
•LR (liberty reserve)
![Page 37: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/37.jpg)
Exchange points
![Page 38: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/38.jpg)
Credit cards: very accessible
![Page 39: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/39.jpg)
Money washing
![Page 40: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/40.jpg)
Drop: another way to turn dirty cash into profit
![Page 41: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/41.jpg)
Mass domain theft
![Page 42: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/42.jpg)
Traffic generation: as big biz
![Page 43: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/43.jpg)
Costs, per 1000 unique visitors:
• AU - 300-550$
• UK - 220-300$
• IT - 200-350$
• NZ - 200-250$
• ES, DE, FR - 170-250$
• US - 100-150$
• RU, UA, KZ, KG .. 10-40$
![Page 44: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/44.jpg)
Other Online goods
![Page 45: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/45.jpg)
Looks familiar?
![Page 46: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/46.jpg)
Cards, burners
![Page 47: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/47.jpg)
And more
![Page 48: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/48.jpg)
Passport scans
![Page 49: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/49.jpg)
“Business package” includes..
Под средства любой загрязненности! - For money of any state of dirtiness
В комплект входит: - Pack includes:
1. Банковский акк (online доступ) - Online bank account access
2. ATM карта (Дневной лимит на снятие средств 1000$ / 6000$ В МЕСЯЦ - Возможно увеличение лимита +30$) - ATM card (withdrawal limit 1000 USD per day / 6000 USD per month; limit increase available for +30 USD)
3. Карта кодов (для online доступа) - Code card (online access passwords)
4. Копия паспорта дропа - Passport copy of the drop (“poor John”)
5. Sim-ka - SIM card
Can also be pre-ordered against a custom passport scan (25 USD)
![Page 50: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/50.jpg)
DDoS: very affordable
“We remove sites of your competitors with DDoS attack. Fast and effective.” (from the ad)
Supported:
Prices (in WMZ ~= USD)
Discounts for bulk
![Page 51: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/51.jpg)
DDOS 911
![Page 52: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/52.jpg)
Abuse resistant hosting
![Page 53: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/53.jpg)
Malware A/V QA
![Page 54: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/54.jpg)
Hash cracking: in cloud
![Page 55: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/55.jpg)
Captcha: in cloud
![Page 56: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/56.jpg)
Exploit packs
![Page 57: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/57.jpg)
With nice stats
![Page 58: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/58.jpg)
Stats per country: clicks, loads (pwned ;), percentage
![Page 59: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/59.jpg)
Need to build Botnet?
![Page 60: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/60.jpg)
Welcome: TDS (traffic direction system)
![Page 61: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/61.jpg)
Seller
![Page 62: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/62.jpg)
Buyer
![Page 63: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/63.jpg)
Owner
![Page 64: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/64.jpg)
“Game” rules :)
•Iframe traff. 4 USD / 1000 clicks
•No bot traf (ruclicks)
•Payday - every Monday
![Page 65: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/65.jpg)
Making money together: Fake AV affiliation program
![Page 66: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/66.jpg)
Fake AV payouts
(Screenshot columns: Login, Balance)
![Page 67: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/67.jpg)
Crimeware: trends and research
![Page 68: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/68.jpg)
Moving mobile
•Steal a dollar from a million people - still a million dollars
•WAP sites spreading trojaned games are very popular
![Page 69: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/69.jpg)
Mobile Malware
![Page 70: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/70.jpg)
SEO spam (<*bad* word> in Russian)
![Page 71: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/71.jpg)
Now - delivered professionally :)
![Page 72: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/72.jpg)
Malware through Infected ads
![Page 73: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/73.jpg)
Malware infection: hidden behind login screens
•Frequent in banking and other attacks targeting online credentials
•Effectively prevents services like the Google blacklist, HA and others from identifying infections
![Page 74: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/74.jpg)
Research
•Monetization schemes
•Taking over the existing infrastructures for forensic analysis and statistics
•Hunt the hunters
![Page 75: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/75.jpg)
Hunt the hunter
•Pwnkit - automated exploitkit pwner
•Automated exploit kit fingerprinting
•Password bruteforce
•Exploiting bugs and common misconfigurations
•Generates statistics on exploit pack usage in the wild
![Page 76: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/76.jpg)
Misc. Case studies :)
![Page 77: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/77.jpg)
Botnet DIY ;)
•Goal: 1,000,000-node botnet
•No skills required
•Buy these (available on sale):
•Traffic
•Abuse-resistant service
•Exploitpack
•Botnet gear
![Page 78: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/78.jpg)
How much it costs
•Traffic - 10-15K USD (mixed); infection ratio around 10-20% (depending on exploit pack)
•Abuse resistant server 300USD/month
•Exploitpack 200-2000USD
•Botnet gear 500- 10,000USD
•= 15-20,000 USD total + 1-2 months of work
![Page 79: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/79.jpg)
Conclusions
•You can be a victim, even if you paid for Kaspersky and apply patches regularly :)
•While malware is what you mostly see, cybercrime is not about malware, it is about money
•Global economy - global fraud
•0day is not important. Volume is important
•(Mostly) not organized crime but ecosystem
![Page 80: From russia final_bluehat10](https://reader035.vdocument.in/reader035/viewer/2022062617/54c68f804a79590e6b8b4584/html5/thumbnails/80.jpg)
What’s next?