No one is immune to be online scam—not even the people running the scams. A new analysis has revealed that cybercriminals who use hacking forums to purchase mining software and stolen credentials are repeatedly tricked and defrauded of thousands of dollars each time. And more than that, when criminals complain they are being scammed, they are also leaving a trail of their own personal information that could reveal their real-world identities to the police and investigators.
Hackers and cybercriminals often congregate on specific forums and marketplaces to do business with each other. They might advertise an upcoming job they need help with, sell a database of people’s stolen passwords and credit card information, or tout new security holes that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.
New research, published by cybersecurity firm Sophos, looks at these failed transactions and people’s complaints about them. Matt Wixey, a researcher of Sophos X-Ops, who did market research.
Wixey examined three of the most prominent cybercrime forums: the Russian-language Exploit and XSS forums, plus the English-language BreachForums, which replaced it. RaidForums when it was confiscated by US law enforcement in April. Although the websites operate in slightly different ways, they all have a “arbitration” room where people who think they have cheat or being unjustly committed by another criminal, they can file a complaint. For instance, if someone buys malware and it doesn’t work, they can complain to the site’s administrator.
Complaints sometimes lead to people getting their money back, but often serve as a warning to other users, Wixey said. Over the past 12 months—the time period the study included—forum criminals lost more than $2.5 million to other scammers, the analysis said. Some people complain of losing as little as $2, while the average scams per site range from $200 to $600, according to research presented at the BlackHat Europe security conference.
Scams take many forms. Some are simple, others are more complex. There are often scams, Wixey said, where buyers don’t pay for what they received, or sellers receive money but don’t send what they sold. (These are often referred to as “scammers.”) Other types of scams involve fake data or security exploits that don’t work: One person on BreachForums said a seller tried to send them data Facebook has been made public.
In a serious incident on the Exploit forum, one account posted a lengthy complaint that they gave someone a Windows kernel exploit and weren’t paid the $130,000 they agreed to. Buyers say they will pay after testing the software but never have cash left over. “At each stage, he gave different reasons for delaying the payment,” a translation of the complaint said.
