WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
On 07 February 2018, the U.S. Department of Justice unveiled an indictment from 31 October 2017 against 36 individuals associated with the Infraud Forum, a cybercriminal forum specializing in payment card fraud. This was a result of an operation known as “Shadow Web” and claimed to make “one of the largest cyberfraud enterprise prosecutions ever undertaken by the Department of Justice.” The members of the forum are alleged to have caused over $500million in actual losses.
In the context of last year’s seizure of AlphaBay and Hansa dark web marketplaces, what does this mean for the evolution of the criminal ecosystem, and what is the potential impact on organizations?
Figure 1: A screenshot of infraud[.]wf, one of the latest editions of the Infraud Forum. Screenshot taken on 7 February 2018.
The Infraud forum has been through many incarnations, and there are several domains still carrying the Infraud name. The term “infraud”, however, first appeared on a WordPress blog known as the “infraud underground carders blog”. The earliest post on this site is dated 31 October 2010. These initial posts mainly provided advice on carding and ATM fraud, as well as reposts of news articles on criminal and fraudulent activity.
The first reference on this blog to a dedicated Infraud site appeared on 11 November 2010, when a post was added offering downloads for a ZeuS crimeware toolkit. The post contained a url link to a thread on infraud[.]ws.
On 24 November 2010, a new post was added to the site claiming that the name of the group behind the blog had changed to “Ministry of Fraudulently Affairs”.
Figure 2: Screenshot of Infraud underground carders blog
A post added on 07 December 2010 claimed that the infraud[.]ws domain had been blocked as it was reported to host malware and fraudulent content. The next day, the Infraud domain had changed to from infraud[.]ws to infraud[.]su.
As of 03 March 2011, the blog advised users to only visit hxxps://infraud[.]cc.
Figure 3: Post made on Infraud blog advising users to visit infraud[.]cc, a domain registered on 30 November 2010
The name Ministry of Fraudulently Affairs also appears on a separate LiveJournal blog site (hxxp://infraud.livejournal[.]com) where advertisements and links to the infraud[.]cc site were posted.
The “Infraud Journal” user profile for this blog site contained a link to the infraud[.]cc website, and a Twitter account (twitter.com/infraud) that is now suspended. The user stated their location was Borispol, Ukraine and used the Buddhist symbol Om as a logo. The account was created on 30 October 2010 and was last updated on 05 August 2014.
Figure 4: infraud profile on Infraud Journal blog
Online profiles using the “infraud” naming started appearing frequently across several criminal forums in December 2010 and January 2011. Many of these profiles used details and indicators previously used on the WordPress and Infraud Journal blogs, including the names “infraud” or “Ministry of Fraudulently Affairs”, and the Om Buddhist symbol as a profile picture. In this example from 26 January 2011 (below), the user infraud advertised an IP address and domains associated with the Infraud operation.
Figure 5: Post made to hpc[.]name forum by user “infraud” containing links to various infraud domains
Between 2010 and 2018, the Infraud Forum switched to several different top level domains and attracted large numbers of members to the forum (Brian Krebs puts this number at almost 11,000).
The reputation of the forum also grew; a vendor with a presence on Infraud would have added legitimacy. Even some of the most reputable Automated Vending Carts (AVCs) – such as the popular site Joker’s Stash – sought a presence on the Infraud Forum (see below). While Infraud was not unique in this respect – Verified, Omerta, and Exploit are other examples of forums where vendors look to establish a reputation – it was certainly a significant player.
Figure 6: Post by JokerStash on wtl[.]pw
In order to facilitate these vendors, the forum had a specific section for vendors to advertise. Vendors like Unnicat, Dark4sys, and Deputat (all also named in the indictment) had a presence here.
The site extended beyond being simply a collection of credit card vendors, with separate exchanger and escrow services also available. Users could access these services at different access levels, such as a VIP.
Figure 7: A screenshot of Infraud[.]cc
The Infraud Forum is another example of the level of professionalization that exists within the criminal underground. This forum was clearly highly hierarchical and relied on its extensive networks and reputation to make a lot of money.
Many of the aliases disclosed in the indictment were at one point active across a host of different underground forums, including the AlphaBay forum. Although the full details of the law enforcement operation have not yet been released, it’s possible that the seizure of AlphaBay in 2017 provided valuable intelligence in this operation. Nevertheless, news that 36 prominent cybercriminals – who were active across several sites – have been closely monitored by international authorities will act as a further blow for the criminal community, which is still dealing with the impact of the AlphaBay and Hansa seizures.
The impact of this announcement should be placed into context. It’s worth noting that of the 36 individuals named in the indictment, only 13 have been apprehended. Indeed, although the site infraud[.]wf appears to have been seized, some sites that were run by vendors on the Infraud Forum remain active such as d4rksys[.]cc (see Figure 8 below), a site allegedly run by dark3r. This is similarly the case for sites run by Unnicat and Debutat. This is a reminder that, although Infraud was a significant player, there are many more forums and AVCs in operation, and the closure of one site will mean criminal actors will migrate to other forums.
Figure 8: A screenshot of d4rksys[.]cc, taken on 07 February 2018.
Given the increased attention from law enforcement, it’s possible we will see more forums turning to new technologies to reduce the likelihood of domain seizure. Joker’s Stash has already moved its site hosting to a blockchain-based domain name system (DNS) provided by the cryptocurrency Emercoin. We’ve seen adverts demonstrating this change since around the end of September 2017, on multiple clear web carding forums.
Figure 9: Joker’s Stash advert on carding forum with link and instructions to latest Blockchain DNS site
The adverts direct users to a “Blockchain DNS” browser extension for Chrome and Firefox, which enable their users to connect to top level domains (TLDs) such as .bazar, .coin, .lib, .emc and others. Domains using these TLDs are not typically resolvable through generic browser configurations. As Emercoin’s domain name records are completely decentralized, they cannot be altered, revoked or suspended by any authority; only a record’s owner can modify or transfer it to another owner. The owners of Joker’s Stash therefore likely sought to avoid takedowns or other external disruption by moving to a blockchain solution.
This is not the first example of threat actors using blockchain-based DNS. Both operators of the botnet Necurs and point of sale (PoS) malware Kasidet have used the Namecoin peer-to-peer network which has no central authority, likely in attempts to avoid law enforcement takedowns of their command and control (C2) infrastructure. For the owners of Joker’s Stash, the use of Emercoin’s DNS might trump traditional DNS for the same reasons, but it still requires visitors to take additional steps in order to visit the site and that might drive away some of its businesses. In the end, as with a lot of security, the benefits might come at the sacrifice of ease-of-use.
Unfortunately, the reality is that this latest piece of news constitutes no real decrease in the threat posed to merchants, consumers and financial institutions from card fraud. Nevertheless, we will be keeping tabs on any changes that occur from these latest arrests, as the cybercriminal community bounces back from another setback. To find out more about the underground carding ecosystem, download a copy of our previous research report, Inside Online Carding Courses Designed for Cybercriminals.
To get the latest threat intelligence news and research, subscribe to our email list here.