One heart-warming aspect of modern society is the increased prevalence of charitable endeavors during times of crisis.
Philanthropy has loomed large in our minds during the ongoing COVID-19 (aka coronavirus) pandemic. In the United States, businesses have stepped in: Amazon’s Jeff Bezos has given $100 million to food banks, Microsoft’s Bill Gates has pledged funds to help develop a coronavirus vaccine, and Elon Musk has donated thousands of ventilators and protective masks. The story of 99-year-old Second World War veteran Captain Tom Moore has gripped the United Kingdom: He has raised over £18 million (at the time of writing) for the National Health Service by completing 100 laps of his garden before his 100th birthday.
The current spirit of charity has also reached the cybercriminal community, although the results in that environment have not necessarily been as successful as those seen in the offline world.
In late March, a user on the prestigious Russian-language cybercriminal forum XSS initiated an English-language thread to share free credentials for accounts with preloaded funds for the automated vending cart (AVC) sites Joker’s Stash and UniCC. In exchange, the user requested voluntary donations “to help COVID-19 patients and medical staff in Italy and Spain”. The user provided a Bitcoin wallet address to receive donations. Later that same day, the user updated their post to report that the accounts were no longer working, as an unknown forum user must have changed the passwords without leaving a donation.
XSS post sharing carding site credentials in return for coronavirus response donations
The next day, the user posted credentials for five more Joker’s Stash accounts but later updated the thread to announce that all the accounts’ passwords had been changed but no funds donated. The following day, the user shared what they promised were the last two sets of account credentials, noting that they had still not received any money. Although several forum members had voiced their support for the idea, it seems that no one went as far as putting their Bitcoin where their mouth was.
This whole episode got us thinking…
Charitable endeavors are promoted on these platforms more than you might expect, but voluntary aid is a gray area. In a world where anonymity—avoiding detection by law enforcement—is paramount, can you rely on good intentions?
Will a forum member channel donations to the promised charity, or make off with the money? And how about targeting charities with cybercrime?
Where does the murky moral line sit in the cybercriminal underground?
One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation. A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was “cruel,” they found themselves in an “extremely difficult financial situation”. Responses to the proposal were mixed, with one forum user calling the plan “amoral,” and another pointing out that cybercrime is inherently an immoral affair.
Korovka post mulling possibility of faking charitable cause to collect donations fraudulently
Voluntarily giving away hard-earned money is not an entirely foreign concept on cybercriminal forums. Several Russian-language forums—including WT1, Exploit, Verified, Delf Code, and Zismo—provide their members with the opportunity to make donations to the sites themselves. Some make it very difficult to locate the records of those who have voluntarily donated, meaning the donors to these platforms go largely unrecognized (although discerning site administrators may remember their generosity later). On other platforms, the arrangement is entirely less altruistic: A minimum donation results in a pre-defined increase in forum status, allowing donor users to bask in the added prestige their money has brought them.
Visit any Russian-language cybercriminal forum, and you will quickly come across a surprising number of threads offering goods and services for free, or even entire sections devoted to giveaways. The most common commodities shared in this manner are account credentials for streaming services and credit-card details (although the validity of this information is often lacking, given the widespread distribution). This spirit of selflessness may appear remarkable, but consider the factors behind this phenomenon.
Often cybercriminals are sharing by-products obtained via an unrelated cybercriminal scheme. For instance, a threat actor who has established a botnet of infected computers might search the botnet logs for login information for online bank accounts. Along the way, they may discover that the logs contain credentials for a whole host of other sites and services. Maliciously exploiting the funds in the compromised bank accounts is the real goal here, so the threat actor can afford to share the other credentials they had no intention of using anyway. At other times, cybercriminals may share “second-hand” credentials for accounts that they have already used for nefarious purposes. (Typically, threads selling credentials highlight the fact that they have not been used in this manner.)
XSS giveaways section
All of a sudden, these giveaways don’t seem so generous. The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services. These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.
There do seem to be examples of charitable schemes on cybercriminal forums, and charity is sometimes used as a selling point. On the Russian-language carding forum Verified, a service providing bank drops in the United States promoted the fact that it donates a portion of its profits to charity as a way to market the service.
Drops service advertisement on Verified highlighting charitable donations
In general, cybercriminal forums soliciting real donations can be categorized in two ways: solicitations of help for the threat actor or their families, and solicitations to assist an unrelated cause.
Posts describing personal problems and appealing for financial aid have received mixed responses on cybercriminal forums. In one example of a positive outcome, a user on the Russian-language forum Antichat benefitted from the generosity of the forum’s administrators. The user had applied for paid coding work on a project organizing “cryptoattacks”, passed the interview tests and was promised work and payment, but never received any funds. When complaining about this injustice on the forum, the user explained that they needed the money to pay for their father’s cancer medication. Other forum members also claimed to have been deceived by the project organizer, sharing correspondence as proof. Ultimately, the Antichat administrators banned the project’s organizer and arranged a “whip around” among forum members, raising $700 for the medical treatment.
Announcement of sum sent to a user for medical treatment, with subsequent message of thanks
The author of a January 2019 post on Exploit was not so lucky. They received scathing responses to their post attempting to raise money for their sister, who had allegedly been burned in an accident and could not afford to pay for an operation.
Exploit post soliciting donations for medical treatment
The response to the user’s appeal indicated that the forum community collectively decided this was a scam attempt.
The difference in these two cases may lie in the Antichat member’s obvious distress at being scammed out of money, and in the fact that fellow forum members had had similar experiences and showed proof of them. A sudden post such as the Exploit member’s (lacking real detail, posts from other users to support their claims, or evidence that the user had tried to improve their situation themselves first) would ring alarm bells. The issue of apparent intent could also be at work: The defrauded Antichat user seems to have posted only to vent their frustration, with no intention of gathering money from the forum community, but the Exploit user openly sought funds.
These cases highlight the tricky nature of charity on cybercriminal forums: To be willing to donate money, forum members must be sure they can trust that the money will end up where they think it will. After all, there is no honor among thieves, and the numerous new threads each day in every forum’s arbitration section show that these sites are rife with cybercriminals trying to scam and deceive each other. Perhaps because individuals attempting to fraudulently obtain donations with fake charitable schemes present a high risk, schemes designed to help outside parties have historically proven more successful.
Sometimes forum members post messages describing the desperate situation aided by their chosen charities, appealing to fellow forum members to lend their support. Such posts often appear around the time of the New Year’s holidays in former Soviet Union countries: Just as in the West, the festive season boosts charitable donations.
In one example on the Russian-language carding forum Club2CRD, a user announced their intention to involve the forum community in their habit of visiting children’s homes and donating material goods.
Club2CRD post soliciting donations for children’s home
The user stated that they wished to help an orphanage accommodating young children with illnesses or whose parents have HIV, and would create a Bitcoin wallet for member donations. A few days before the start of the new year, they said they would withdraw funds and purchase the goods, providing all receipts as proof of purchase. The post stated that the user could not predict what exactly they would buy, as they would contact the children’s home to ascertain their exact needs. To highlight their trustworthiness, the user said that “not a single claim has been put forward against me” (i.e. no accusations of scamming or foul play), and that there was no reason to “doubt my decency.” They added that the scheme had received the consent of the forum administrators.
Ultimately the user did not receive as much money as they had hoped, although they did post screenshots of Bitcoin transactions showing that the wallet had received over $500 in donations. To prove that they had been true to their word, the user posted images of children’s toys and washing supplies, along with a sticky note featuring their forum alias and the name of the site.
Images used as “proof” of purchase from the Club2CRD user named on the note
Digital Shadows (now ReliaQuest) has observed similar schemes on other cybercriminal sites. A 2016 Christmas fundraiser on Exploit allegedly raised over $1,300. The organizer praised the “good-natured people [who] still remain on the forum, people who can and want to help the kids”. The same user went on to organize similar schemes in 2017 and 2018, with the latter appeal reportedly raising $4,645. Just as on Club2CRD, the organizer posted images of goods they purchased with the funds to “prove” that the money was rightfully spent.
Exploit New Year’s fundraiser announcements in 2016, 2017, and 2018
One Exploit user recognized the Exploit community’s seeming propensity to respond favorably to such charitable appeals, noting that the New Year’s fundraisers had shown that “many people were not indifferent to this issue.” They proposed establishing a charitable fund on the forum, saying that donating money in this way would be “a plus for karma at the least, and at the most, helping people who need it,” with the forum members becoming “a kind of modern Robin Hood”.
The issue of “karma”—finding ways to atone for the harm caused by cybercrime—is a topic discussed not infrequently in Russian-language cybercriminal communities. In this instance, the post noted that in arbitration cases (disputes between two forum members resolved by an impartial third party), compensation could be paid to the charitable fund, rather than going into the forum’s coffers.
Exploit post exploring the idea of a forum charitable fund
The difficulty, the post said, would be in the logistics of organization. Although creating a separate thread and a discrete Bitcoin wallet for anonymous donations would be easy, finding someone to run the fund whom the other forum members trusted would be “one of the main problems”. The user concluded that “a girl” would be the best candidate and should be appointed by the forum administrator. Although the forum community responded warmly to this idea, Digital Shadows (now ReliaQuest) could not find any evidence that the plan was actioned. Perhaps the inherent difficulties of actually implementing such a scheme—and the eternal issue of trust—stymied the proposal before it ever became a reality.
Another idea that never got off the ground was a 2017 proposal to collect money to buy flowers and gifts for 10 to 20 older women in the war-torn regions of eastern Ukraine, for Women’s Day on 8 March. The proposed plan seemed to cover all the organizational bases:
Although other forum members responded positively to the plan, it seems to have never materialized.
Exploit post proposing 8 March gifts for older women in eastern Ukraine
As Digital Shadows (now ReliaQuest) has noted repeatedly, the cybercriminal world has found its way to replicate establishments and customs that form a daily part of real life, so it’s not surprising that the notion of charity also has a presence in the underworld. Just as in real life, some charitable events take off and strike a chord with a large number of people, while other endeavors—even for worthy causes—fizzle out and fail to attract funds.
It will be interesting to see whether, as forums’ sophistication continues to develop, charity is embedded formally in the forum system. Given some cybercriminals’ propensity to view charitable efforts as a way to create good “karma” and negate their crimes, it’s likely to be a recurring element on cybercriminal platforms.