Threat Research

The scammers who scam scammers on cybercrime forums: Part 2

A shadowy sub-economy is more than just a curiosity – it’s booming business, and also an opportunity for defenders. In the second part of our series, we look at the different flavors of scams prevalent on criminal forums

Following on from the first chapter of our investigation into scammers who scam scammers, we turn to the variety of scams on criminal marketplaces – which range from crude ‘rip-and-runs’ to sophisticated, long-term efforts.

Rip-and-run

One of the most common scams, a ‘rip-and-run’ can work in two ways: A buyer receives goods but doesn’t pay for them, or a seller receives payment but doesn’t deliver. That’s the ‘rip.’ The ‘run’ part means that the scammer goes dark, refusing to answer messages or disappearing from the forum altogether.

Rip-and-runs usually involve small amounts, but there are exceptions.

A scam report detailing a scam whereby a seller received money and then disappeared

Figure 1: A simple example of a rip-and-run scam on BreachForums, involving $200 USD

A $1500 scam report where a seller disappeared

Figure 2: A higher-value rip-and-run on Exploit, for $1500

There’s not much arbitrators can do about rip-and-runs; they usually ban the scammer, but it doesn’t have much impact as the scammer is long gone. From the scammer’s perspective, they lose their profile (and any associated reputation points), so they’ll have to start from scratch if they want to run the scam again.

A scam report where the complainant accuses a scammer of setting up multiple profiles

Figure 3: An example of a scammer apparently creating a new profile to commit further rip-and-run scams

Fake leaks and tools

A scam that embodies the warning caveat emptor, this attack can take various forms, although it’s especially common with database trades. A scammer offers a database for sale, which is actually publicly available or previously leaked.

A scam report accusing a user of selling fake data

Figure 4: A BreachForums scam report concerning a fake database

This type of scam is prevalent on BreachForums (and was also very popular on its predecessor, RaidForums).

A scam report where a scammer attempted to sell public Facebook data

Figure 5: Another scam report, this one involving a publicly available database

The moderator’s response to the above report finds in favor of the complainant, citing the forum’s rules, despite the accused disputing the claim:

A BreachForums admin reiterates the rule banning the sale of public information

Figure 6: The moderator’s response

But it’s not just databases. Here’s an example from Exploit, where one user paid $200 USD to another user to bind an executable (presumably malware) to a PDF. The buyer raised a scam report because, rather than binding the executable, the user simply gave the file a PDF icon.

A scam report where a user wanted to bind their exe with a pdf, and instead got an exe with a pdf icon

Figure 7: The PDF/exe scam report

And, in another example from Exploit, stolen credit card data turned out to be invalid.

A scam report where a user accuses another of providing invalid credit card data

Figure 8: A scam report involving higher percentages of invalid card data than advertised. Note that the complainant in this case was subsequently banned for scamming!

We saw numerous examples of users buying services, tools, and frameworks which were not as advertised or which did not meet requirements. The accused don’t usually do a runner after pulling these scams, but instead, as one commenter pointed out in the PDF/exe thread, hope that their ‘marks’ don’t understand what they’re paying for. It’s attempted deception, rather than explicit scamming.

Referral scams

Often a variation of the first two scam types, referral scams involve two or more scammers working in tandem. The first, who may have a reasonable reputation score and feedback (possibly through ‘alt repping’), builds rapport with the victim throughout the sales process, and then introduces them to the second scammer, who they claim can complete the work in question. As shown in the example below, this usually ends with both scammers disappearing with the victim’s money.

A referral scam report

Figure 9: A referral scam report on Exploit

In this case, despite clear misgivings about the trustworthiness of the second scammer, the first scammer’s reassurances were enough to convince the victim to hand over money:

A Telegram screenshot showing a chat between the victim and a scammer, discussing the second scammer not responding

Figure 10: A screenshot from a private chat between the first scammer and the victim, concerning the second scammer

Referral scams can also involve dedicated infrastructure. In the example below, the first scammer contacted the victim and convinced them to contact a second scammer on a separate forum, which was a scam site (see Typosquatting, phishing, and ripper sites, below). To access the site, the victim had to pay a deposit and registration fee, losing $350 in total.

A user posts a scam report about an attempted referral scam

Figure 11: A referral scam involving a scam forum site

Alt repping and impersonations

‘Alt repping’ is a variation on referral scams; rather than two separate scammers, one scammer operates multiple accounts, usually to artificially inflate their reputation score (a key metric for many users when deciding who to trade with).

An administrator accuses a user of running multiple accounts to artificially inflate their reputation score

Figure 12: A BreachForums moderator accuses a user of alt repping

Occasionally, scammers will use multiple profiles for other purposes. In one Exploit report, for example, a user claimed that an individual was operating accounts on both Exploit and XSS under different names to sell the same product, an AaaS listing, multiple times (we briefly examined reselling in our recent white paper on multiple attackers).

A scam report where a user complaints that someone who sold them an AaaS listing attempted to sell it to them again under a different name

Figure 13: One individual, operating accounts on different forums, attempts to sell the same AaaS listing twice

And in a stranger case, a user was banned on XSS for creating a trade between two sockpuppet accounts, and then opening an arbitration case about it (possibly because they incorrectly assumed the forum itself would compensate them):

An administrator bans a user for running two accounts attempting to scam the forum

Figure 14: Two sockpuppet profiles are banned for trying to cheat the XSS forum

A variation on alt repping is scammers impersonating users with high reputations, or jumping in on in-progress negotiations and attempting to pass themselves off as the seller:

A user warns others that someone is attempting to impersonate them on a forum

Figure 15: A user warns the XSS forum that someone is attempting to impersonate them

Fake guarantors

Guarantors and ‘middlemen’ are typically optional on criminal forums, but moderators and senior users often recommend them. They function as an escrow service, holding funds until they receive confirmation from the buyer that the goods have been received and are as advertised. They usually take commission for this, although the BreachForums administrator offers it as a free service.

A refusal to use a guarantor if asked is a bannable offense on some forums.

An administrator asks a user to explain themselves for not using a guarantor when requested

Figure 16: A user is called out in an XSS scam report for refusing a guarantor

Some scammers weaponize the concept of guarantors. Typically, this involves some form of impersonation attack, where a scammer impersonates an administrator or registers a misleading Telegram or Jabber name, as in the examples below:

A user warns others that another user is spoofing the Jabber handle of the guarantor

Figure 17: An example of a misleading Jabber name designed to impersonate the Exploit guarantor service

A user warns others that a scammer is using a misleading Telegram handle to make other users think they're an admin

Figure 18: A malicious Telegram handle designed to impersonate XSS administrators

A scammer who successfully impersonates a guarantor is likely to then disappear with the buyer’s funds.

The Exploit administrators have implemented a safeguard for this – a ‘fake Jabber checker,’ where users can submit Jabber names to check if they’re legitimate.

Blackmail

We noted one allegation of blackmail in the scam reports we examined, and it didn’t appear to be a particularly egregious one. The complainant, a database seller, alleged that a buyer threatened to accuse him of being a scammer if he didn’t send more data for free.

A scam report alleging blackmail

Figure 19: An Exploit scam report alleging blackmail

What this case does show is how seriously marketplace users take their reputation. An accusation of scamming can put a serious dent in a vendor’s credibility, and therefore impact their earnings.

What we didn’t see – although that’s not to say it doesn’t happen – were any outright examples of blackmail, where users dox others and threaten to expose them or report them to law enforcement (although there have been public accusations of this nature involving high-profile threat actors).

Backdoored malware

Moving on to more sophisticated attacks, we saw several scam reports about backdoored malware – that is, malware sold or distributed on the forums which contains code designed to covertly attack its operators and steal their data.

A scam report alleging that CypherRAT contains a backdoor

Figure 20: An XSS scam report alleging that a RAT sold by a user installs a backdoor

A scam report alleging that a piece of malware is backdoored

Figure 21: An Exploit user accuses the author of BitRAT of backdooring their malware

A particularly interesting example involves an Exploit user who purchased a (deliberately) fake copy of Axie Infinity – an NFT-based game – with the intent of defrauding legitimate users by distributing it and passing it off as genuine. The fake copy contained a backdoor which stole the stolen cryptocurrency.

A scam report alleging that a fake copy of Axie Infinity has been backdoored

Figure 22: A scam report about a backdoored fake copy of Axie Infinity

As with virtually every scam report we read, the irony of this situation was apparently lost on the victim.

Backdoored malware isn’t unique to criminal marketplaces. Security researcher BushidoToken reported in June 2022 that a software piracy site was serving up malware builders and panels backdoored with an infostealer. And research by security firm JFrog in February 2022 revealed that some malicious npm packages contained code designed to steal secret tokens from threat actors, who themselves steal tokens from legitimate users.

Typosquatting, phishing, and ripper sites

We noted numerous instances of typosquatting, phishing, and scam forum sites designed to either trick users out of a ‘registration fee’ or to steal credentials for genuine criminal marketplaces (with possible motivations including theft of cryptocurrency, impersonating users for future scams, or ruining users’ reputations).

In many cases, scammers adopted similar approaches to those used by traditional threat actors to target individuals and organizations, with some context-specific differences.

For example, we observed several cases where scammers had set up clones of current or former criminal marketplaces. Here’s a fake version of the Exploit site, which uses the misspelling ‘explolt’ in the domain name, but is otherwise an identical clone:

A clone of the Exploit homepage

Figure 23: The fake Exploit homepage

This site is probably intended to harvest credentials, or trick users into paying false registration fees, and appears to be well-constructed, redirecting to the genuine Exploit site.

Amusingly, some Exploit users, on becoming aware of this fake site, tested its security and found an XSS vulnerability:

An XSS attack against the fake Exploit homepage, showing a pop-up dialogue

Figure 24: An Exploit user’s screenshot of an XSS vulnerability in the fake Exploit site

We observed another fake Exploit domain – this one misspelled as ‘exlpoit’ – used in conjunction with a Jabber phishing attack. Judging by the conversation, this scam was designed to dupe users into paying a deposit fee, although the target didn’t fall for it on this occasion.

A screenshot of a Jabber conversation where a scammer tries to get a user to visit a fake Exploit link

Figure 25: An excerpt of the Jabber conversation between scammer and target

Other users aren’t so canny:

A user admits to falling for a scam and asks the admin to block their Jabber account

Figure 26: A user was fooled by a fake Exploit forum and entered their credentials

We saw a few other typosquatting examples, like ‘explolit’ and ‘exploti’, used with varying degrees of success. Some users spotted the scam, others fell for it.

XSS isn’t immune either. We observed an XSS clone (spelled as ‘xsss’) which was previously reported by journalist Lawrence Abrams. Upon entering credentials, the clone redirects to hxxps://fe-avv18[.]ru/send.php, which presumably processes and stores the harvested credentials.

We also noted a website, named ‘xsx’, which doesn’t look anything like the genuine XSS site but may be designed to fool inexperienced users. This site demands a $100 registration fee (a very common scam amount, as we’ll see in Part 3 of this series), and is reported on the XSS forum as a ripper site.

A fake marketplace asks for a $100 registration fee and lists a Bitcoin address

Figure 27: The ‘xsx’ scam site

More commonly, we saw scams using domains similar to now-defunct criminal marketplaces, particularly Mazafaka (compromised in March 2021) and Direct Connection.

A scam report relating to a Direct Connection fake forum

Figure 28: A user falls for a scam which plays on the name of a defunct criminal marketplace

A chat between a user and a scammer who sends them a link to a fake marketplace

Figure 29: A user falls for another Direct Connection scam

Another chat where a scammer sends a link to a fake marketplace

Figure 30: Yet another Direct Connection scam

Other examples include typosquatting domains relating to the prominent criminal forum Verified, with misspellings such as ‘verifeid.’

Sometimes, scammers create sites which don’t imitate known marketplaces but use the same methodology, i.e., charging a registration fee:

A scam report where a user reports two fake marketplaces

Figure 31: Two alleged scam sites reported by an Exploit user

A scam report where a user asks if a forum is legitimate; they are told it is not

Figure 32: A scam site reported by an XSS user

Most of these scams involve fake registration fees, although we saw some variations of other scams, like rip-and-runs and fake tools, connected to scam sites. For instance, one XSS user rented malware from a site, which worked for two days before the C2 panel disappeared (followed shortly by the site’s owner):

A user describes, in Russian, how they were scammed on a site called grimxploit.com

Figure 33: A user reports being scammed by a malware rental site

The grimxploit homepage which shows various malware for sale or rent

Figure 34: The malware rental site in question

Scammers scamming the scammers who scammed them

Unsurprisingly, while scamming threat actors might be lucrative, it can also be a dangerous game. We observed a few instances where threat actors weren’t just indignant about being scammed – they wanted to get even.

An XSS user annoyed at an alleged scammer for selling non-working tools and sending scam invites, doxed them – revealing their name, address, mobile phone number, and social media profiles, and their mother’s name, phone number, and passport number. The accuser threw in a couple of photographs for good measure.

A scam report where a user posts personal information about a scammer and their mother, including photographs

Figure 35: An alleged scammer is doxxed on XSS

Over on Exploit, a scammer who phished new users with a fake Direct Connection marketplace link (see Typosquatting, phishing, and ripper sites) got short shrift from a user who recognized the scam:

A chat between a scammer and a user. The user realizes they are being scammed and tells them they're going to be reported

Figure 36: A user recognizes the Direct Connection/Mazafaka scam and challenges the scammer

The user then posted the scammer’s information on Exploit, and invited other users to harass them:

A user invites other users to harass a scammer on Telegram

Figure 37: The Exploit user invites others to harass the scammer on Telegram

The most interesting examples of scammers who scammed scammers getting scammed come from BreachForums.

Following the news that a scammer was pretending to be Omnipotent (one of the founders and administrators of RaidForums) to trick users into paying $250 to join the ‘new RaidForums,’ the BreachForums administrator started a contest: $100 to whoever “trolls this man the hardest.”

An admin posts an invitation to troll a scammer, providing various contact details and ideas for trolling

Figure 38: The BreachForums administrator announces a contest to troll a scammer

An 'invalid onionsite' browser message against a background of Google Image search results which insult scammers

Figure 39: One of the entries to the trolling contest. A BreachForums user sent this screenshot to the scammer, saying they couldn’t access the fake RaidForums site

The eventual winner convinced the scammer that their website was leaking sensitive information, by showing them a screenshot of the Apache Server Status page. The scammer ended up taking the site down because they thought it had been compromised.

A chat between a scammer and a user. The user posts a server status page and tells the scammer the server is in danger

Figure 40: Part of a long trolling thread targeting a BreachForums scammer

According to recent posts, the same scammer is back at it again, and the BreachForums administrator has started another trolling contest – this time with a $300 prize.

Finally, the BreachForums administrator scammed a scammer personally. An individual registered a Telegram username very similar to BreachForums, and was offering public databases for sale.

The admin offered to buy the username from the scammer.

An email chain between a scammer and admin. The admin offers to buy a Telegram handle; the scammer asks for an offer

Figure 41: The BreachForums administrator contacts a scammer and asks them to sell their Telegram handle

After some back and forth, they agreed on a price of $10,000, and the admin asked the scammer to transfer the group to his account. The scammer was concerned about being scammed, but the admin reassured them, citing their reputation:

The email chain continues. The scammer asks what prevents the admin from scamming them. The admin says their reputation.

Figure 42: The administrator reassures the scammer that they won’t get scammed

Once the scammer transferred ownership, the admin removed the scammer’s permissions and banned him. Without paying, naturally – making this a rip-and-run scam against a scammer.

A Telegram screenshot. The admin removes the scammer's permissions and then bans them

Figure 43: The BreachForums administrator bans the scammer

The scammer was not thrilled.

The scammer demands their money and makes a vague threat. The admin says they love their Telegram username

Figure 44: The scammer threatens the BreachForums admin

According to the admin, the scammer later attempted to DDoS BreachForums, but there have been no other repercussions since.

In the third part of our series, due out the same time next week (Wednesday 21 December), we’ll look at a specific, curious large-scale typosquatting scam, which involved a coordinated network of twenty fake marketplaces.

Leave a Reply

Your email address will not be published. Required fields are marked *