On 7 February 2018, the U.S. Department of Justice unveiled an indictment, dated 31 October 2017, against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud. The indictment was the result of an operation known as “Shadow Web”, which the DoJ described as “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.” The members of the forum are alleged to have caused over $500 million in actual losses.
In the context of last year’s seizure of AlphaBay and Hansa dark web marketplaces, what does this mean for the evolution of the criminal ecosystem, and what is the potential impact on organizations?
Figure 1: A screenshot of infraud[.]wf, one of the latest editions of the Infraud Forum. Screenshot taken on 7 February 2018.
The Infraud forum has been through many incarnations, and there are several domains still carrying the Infraud name. The term “infraud”, however, first appeared on a WordPress blog known as the “infraud underground carders blog”. The earliest post on this site is dated 31 October 2010. These initial posts mainly provided advice on carding and ATM fraud, as well as reposts of news articles on criminal and fraudulent activity.
The first reference on this blog to a dedicated Infraud site appeared on 11 November 2010, in a post offering downloads of the ZeuS crimeware toolkit. The post contained a URL pointing to a thread on infraud[.]ws.
On 24 November 2010, a new post was added to the site claiming that the name of the group behind the blog had changed to “Ministry of Fraudulently Affairs”.
Figure 2: Screenshot of Infraud underground carders blog
A post added on 7 December 2010 claimed that the infraud[.]ws domain had been blocked after being reported for hosting malware and fraudulent content. The next day, the Infraud domain changed from infraud[.]ws to infraud[.]su.
As of 03 March 2011, the blog advised users to only visit hxxps://infraud[.]cc.
Figure 3: Post made on Infraud blog advising users to visit infraud[.]cc, a domain registered on 30 November 2010
The name Ministry of Fraudulently Affairs also appears on a separate LiveJournal blog site (hxxp://infraud.livejournal[.]com) where advertisements and links to the infraud[.]cc site were posted.
The “Infraud Journal” user profile for this blog site contained a link to the infraud[.]cc website, and a Twitter account (twitter.com/infraud) that is now suspended. The user stated their location was Borispol, Ukraine and used the Buddhist symbol Om as a logo. The account was created on 30 October 2010 and was last updated on 05 August 2014.
Figure 4: infraud profile on Infraud Journal blog
Online profiles using the “infraud” naming started appearing frequently across several criminal forums in December 2010 and January 2011. Many of these profiles used details and indicators previously used on the WordPress and Infraud Journal blogs, including the names “infraud” or “Ministry of Fraudulently Affairs”, and the Om Buddhist symbol as a profile picture. In this example from 26 January 2011 (below), the user infraud advertised an IP address and domains associated with the Infraud operation.
Figure 5: Post made to hpc[.]name forum by user “infraud” containing links to various infraud domains
How it worked
Between 2010 and 2018, the Infraud Forum moved between several different top-level domains and attracted a large membership (Brian Krebs puts the number at almost 11,000).
The reputation of the forum also grew; a vendor with a presence on Infraud would have added legitimacy. Even some of the most reputable Automated Vending Carts (AVCs) – such as the popular site Joker’s Stash – sought a presence on the Infraud Forum (see below). While Infraud was not unique in this respect – Verified, Omerta, and Exploit are other examples of forums where vendors look to establish a reputation – it was certainly a significant player.
Figure 6: Post by JokerStash on wtl[.]pw
To accommodate these vendors, the forum had a dedicated section in which they could advertise. Vendors such as Unnicat, Dark4sys, and Deputat (all also named in the indictment) had a presence there.
The site extended beyond being simply a collection of credit card vendors: separate exchanger and escrow services were also available. Users could access these services at different membership tiers, such as VIP.
Figure 7: A screenshot of Infraud[.]cc
The Infraud Forum is another example of the level of professionalization that exists within the criminal underground. This forum was clearly highly hierarchical and relied on its extensive networks and reputation to make a lot of money.
Many of the aliases disclosed in the indictment were at one point active across a host of different underground forums, including the AlphaBay forum. Although the full details of the law enforcement operation have not yet been released, it’s possible that the seizure of AlphaBay in 2017 provided valuable intelligence in this operation. Nevertheless, news that 36 prominent cybercriminals – who were active across several sites – have been closely monitored by international authorities will act as a further blow for the criminal community, which is still dealing with the impact of the AlphaBay and Hansa seizures.
The impact of this announcement should be placed into context. Of the 36 individuals named in the indictment, only 13 have been apprehended. And although the site infraud[.]wf appears to have been seized, some sites run by vendors on the Infraud Forum remain active, such as d4rksys[.]cc (see Figure 8 below), a site allegedly run by dark3r; the same is true of sites run by Unnicat and Deputat. This is a reminder that, although Infraud was a significant player, many more forums and AVCs remain in operation, and the closure of one site simply means that criminal actors migrate to others.
Figure 8: A screenshot of d4rksys[.]cc, taken on 07 February 2018.
Shifts within the criminal ecosystem
Given the increased attention from law enforcement, it’s possible we will see more forums turning to new technologies to reduce the likelihood of domain seizure. Joker’s Stash has already moved its site hosting to a blockchain-based domain name system (DNS) provided by the cryptocurrency Emercoin. We’ve seen adverts demonstrating this change since around the end of September 2017, on multiple clear web carding forums.
Figure 9: Joker’s Stash advert on carding forum with link and instructions to latest Blockchain DNS site
The adverts direct users to a “Blockchain DNS” browser extension for Chrome and Firefox, which lets users connect to top-level domains (TLDs) such as .bazar, .coin, .lib, .emc and others. Domains using these TLDs are not resolvable through the default resolver configuration of a browser or operating system, because they are not delegated from the public DNS root. Because Emercoin’s name records live on its blockchain, they cannot be altered, revoked or suspended by a registrar or registry; only a record’s owner, holding the corresponding key, can modify it or transfer it to another owner. The owners of Joker’s Stash therefore likely sought to avoid domain takedowns and other external disruption by moving to a blockchain solution. Note that this protects only the name: the record still points at conventional hosting, which can be seized or suspended in the usual way, and the extension itself is distributed through browser stores that can remove it.
This is not the first example of threat actors using blockchain-based DNS. The operators of the Necurs botnet and of the point-of-sale (PoS) malware Kasidet have both used the Namecoin peer-to-peer network (the .bit TLD), which has no central authority, likely in attempts to avoid law enforcement takedowns of their command and control (C2) infrastructure. For the owners of Joker’s Stash, Emercoin’s DNS may be preferable to traditional DNS for the same reasons, but it still requires visitors to take additional steps to reach the site, and that may drive away some business. In the end, as with a lot of security, the benefits come at the cost of ease-of-use.
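For defenders, the practical consequence of the two paragraphs above is that names under blockchain TLDs should never appear in ordinary corporate DNS or proxy telemetry unless a host is running a Blockchain DNS extension, a Namecoin/Emercoin-aware resolver, or malware that resolves its C2 this way. The following Python script is an added example, not code from the original post or from any of the projects it mentions: it scans constructed DNS query log lines for the Emercoin TLDs named in the adverts plus Namecoin’s .bit, matching only on the final label so that names like coin.example.com are not flagged, and tallies hits per client so that repeated use ranks above a one-off typo. The log line format and the sample lines are assumptions for illustration.

```python
import re
from collections import Counter

# TLDs served by blockchain naming systems rather than the public DNS root.
# The Emercoin entries are the TLDs the adverts advertise; .bit is Namecoin's.
# Assumption: this list is illustrative, not exhaustive.
BLOCKCHAIN_TLDS = {
    "bazar": "Emercoin",
    "coin": "Emercoin",
    "lib": "Emercoin",
    "emc": "Emercoin",
    "bit": "Namecoin",
}

# Assumed generic log shape: "<timestamp> <client-ip> query <rtype> <qname>".
DNS_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<rtype>\S+)\s+(?P<qname>\S+)$"
)

# Constructed sample lines for illustration; these are not real logs.
SAMPLE_DNS_LOG = """\
2018-02-07T10:01:12Z 10.0.0.15 query A www.example.com
2018-02-07T10:01:13Z 10.0.0.15 query A coin.example.com
2018-02-07T10:02:44Z 10.0.0.22 query A shop.example.bazar
2018-02-07T10:02:45Z 10.0.0.22 query A shop.example.bazar
2018-02-07T10:03:01Z 10.0.0.31 query A c2-node.example.bit
2018-02-07T10:03:07Z 10.0.0.40 query A update.example.lib.
2018-02-07T10:03:09Z 10.0.0.40 query A library.example.org
this line is malformed and must be skipped
"""


def blockchain_tld(hostname):
    """Return the naming system that serves hostname's TLD, or None.

    Only the final label is checked, so "coin.example.com" is a normal
    .com name and is not flagged. A trailing dot (FQDN form) is tolerated.
    """
    labels = hostname.rstrip(".").lower().split(".")
    if len(labels) < 2 or not labels[-1]:
        return None  # bare label or empty name: nothing to classify
    return BLOCKCHAIN_TLDS.get(labels[-1])


def scan_dns_log(text):
    """Return one finding per log line whose query name uses a blockchain TLD.

    Lines that do not match the assumed format are skipped rather than
    raising, so a single malformed line cannot abort a batch scan.
    """
    findings = []
    for line in text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue
        system = blockchain_tld(m.group("qname"))
        if system is None:
            continue
        findings.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "qname": m.group("qname").rstrip(".").lower(),
            "system": system,
        })
    return findings


def summarize(findings):
    """Count findings per (client, naming system) so repeat offenders rank first."""
    return Counter((f["client"], f["system"]) for f in findings)


if __name__ == "__main__":
    hits = scan_dns_log(SAMPLE_DNS_LOG)
    for hit in hits:
        print("{ts} {client} -> {qname} ({system})".format(**hit))
    for (client, system), n in summarize(hits).most_common():
        print("{} queried {} names {} time(s)".format(client, system, n))
```

In a real deployment the same check would run over the query-name field of the resolver or proxy log actually in use (with NXDOMAIN responses for these TLDs being an especially strong signal, since the public root will never answer them), and a hit on a .bit name from a server that should not be browsing at all would warrant a look for a C2 client rather than a browser extension.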
No significant change anticipated
Unfortunately, the reality is that this latest piece of news constitutes no real decrease in the threat that card fraud poses to merchants, consumers and financial institutions. Nevertheless, we will be keeping tabs on any changes that follow these latest arrests, as the cybercriminal community bounces back from another setback. To find out more about the underground carding ecosystem, download a copy of our previous research report, Inside Online Carding Courses Designed for Cybercriminals.