30
Apr 20

How Cybercriminals are Weathering COVID-19

In many ways, the COVID-19 pandemic has been a boon to cybercriminals: With unprecedented numbers of people working from home and anxious for news about the virus outbreak, it’s hard to imagine a more target-rich environment for phishers, scammers and malware purveyors. In addition, many crooks are finding the outbreak has helped them better market their cybercriminal wares and services. But it’s not all good news: The Coronavirus also has driven up costs and disrupted key supply lines for many cybercriminals. Here’s a look at how they’re adjusting to these new realities.

FUELED BY MULES

One of the more common and perennial cybercriminal schemes is “reshipping fraud,” wherein crooks buy pricey consumer goods online using stolen credit card data and then enlist others to help them collect or resell the merchandise.

Most online retailers years ago stopped shipping to regions of the world most frequently associated with credit card fraud, including Eastern Europe, North Africa, and Russia. These restrictions have created a burgeoning underground market for reshipping scams, which rely on willing or unwitting residents in the United States and Europe — derisively referred to as “reshipping mules” — to receive and relay high-dollar stolen goods to crooks living in the embargoed areas.

A screen shot from a user account at “Snowden,” a long-running reshipping mule service.

But apparently a number of criminal reshipping services are reporting difficulties due to the increased wait time when calling FedEx or UPS (to divert carded goods that merchants end up shipping to the cardholder’s address instead of to the mule’s). In response, these operations are raising their prices and warning of longer shipping times, which in turn could hamper the activities of other actors who depend on those services.

That’s according to Intel 471, a cyber intelligence company that closely monitors hundreds of online crime forums. In a report published today, the company said since late March 2020 it has observed several crooks complaining about COVID-19 interfering with the daily activities of their various money mules (people hired to help launder the proceeds of cybercrime).

“One Russian-speaking actor running a fraud network complained about their subordinates (“money mules”) in Italy, Spain and other countries being unable to withdraw funds, since they currently were afraid to leave their homes,” Intel 471 observed. “Also some actors have reported that banks’ customer-support lines are being overloaded, making it difficult for fraudsters to call them for social-engineering activities (such as changing account ownership, raising withdrawal limits, etc).”

Still, every dark cloud has a silver lining: Intel 471 noted many cybercriminals appear optimistic that the impending global economic recession (and resultant unemployment) “will make it easier to recruit low-level accomplices such as money mules.”

Alex Holden, founder and CTO of Hold Security, agreed. He said while the Coronavirus has forced reshipping operators to make painful shifts in several parts of their business, the overall market for available mules has never looked brighter.

“Reshipping is way up right now, but there are some complications,” he said.

For example, reshipping scams have over the years become easier for both reshipping mule operators and the mules themselves. Many reshipping mules are understandably concerned about receiving stolen goods at their home and risking a visit from the local police. But increasingly, mules have been instructed to retrieve carded items from third-party locations.

“The mules don’t have to receive stolen goods directly at home anymore,” Holden said. “They can pick them up at Walgreens, Hotel lobbies, etc. There are a ton of reshipment tricks out there.”

But many of those tricks got broken with the emergence of COVID-19 and social distancing norms. In response, more mule recruiters are asking their hires to do things like reselling goods shipped to their homes on platforms like eBay and Amazon.

“Reshipping definitely has become more complicated,” Holden said. “Not every mule will run 10 times a day to the post office, and some will let the goods sit by the mailbox for days. But on the whole, mules are more compliant these days.”

GIVE AND TAKE

KrebsOnSecurity recently came to a similar conclusion: Last month’s story, “Coronavirus Widens the Money Mule Pool,” looked at one money mule operation that had ensnared dozens of mules with phony job offers in a very short period of time. Incidentally, the fake charity behind that scheme — which promised to raise money for Coronavirus victims — has since closed up shop and apparently re-branded itself as the Tessaris Foundation.

Charitable cybercriminal endeavors were the subject of a report released this week by cyber intel firm Digital Shadows, which looked at various ways computer crooks are promoting themselves and their hacking services using COVID-19 themed discounts and giveaways.

Like many commercials on television these days, such offers obliquely or directly reference the economic hardships wrought by the virus outbreak as a way of connecting on an emotional level with potential customers.

“The illusion of philanthropy recedes further when you consider the benefits to the threat actors giving away goods and services,” the report notes. “These donors receive a massive boost to their reputation on the forum. In the future, they may be perceived as individuals willing to contribute to forum life, and the giveaways help establish a track record of credibility.”

Brian’s Club — one of the underground’s largest bazaars for selling stolen credit card data and one that has misappropriated this author’s likeness and name in its advertising — recently began offering “pandemic support” in the form of discounts for its most loyal customers.

It stands to reason that the virus outbreak might depress cybercriminal demand for “dumps,” or stolen account data that can be used to create physical counterfeit credit cards. After all, dumps are mainly used to buy high-priced items from electronics stores and other outlets that may not even be open now thanks to the widespread closures from the pandemic.

If that were the case, we’d also expect to see dumps prices fall significantly across the cybercrime economy. But so far, those price changes simply haven’t materialized, says Gemini Advisory, a New York based company that monitors the sale of stolen credit card data across dozens of stores in the cybercrime underground.

Stas Alforov, Gemini’s director of research and development, said there’s been no notable dramatic changes in pricing for both dumps and card data stolen from online merchants (a.k.a. “CVVs”) — even though many cybercrime groups appear to be massively shifting their operations toward targeting online merchants and their customers.

“Usually, the huge spikes upward or downward during a short period is reflected by a large addition of cheap records that drive the median price change,” Alforov said, referring to the small and temporary price deviations depicted in the graph above.

Intel 471 said it came to a similar conclusion.

“You might have thought carding activity, to include support aspects such as checker services, would decrease due to both the global lockdown and threat actors being infected with COVID-19,” the company said. “We’ve even seen some actors suggest as much across some shops, but the reality is there have been no observations of major changes.”

CONSCIENCE VS. COMMERCE

Interestingly, the Coronavirus appears to have prompted discussion on a topic that seldom comes up in cybercrime communities — i.e., the moral and ethical ramifications of their work. Specifically, there seems to be much talk these days about the potential karmic consequences of cashing in on the misery wrought by a global pandemic.

For example, Digital Shadows said some have started to question the morality of targeting healthcare providers, or collecting funds in the name of Coronavirus causes and then pocketing the money.

“One post on the gated Russian-language cybercriminal forum Korovka laid bare the question of threat actors’ moral obligation,” the company wrote. “A user initiated a thread to canvass opinion on the feasibility of faking a charitable cause and collecting donations. They added that while they recognized that such a plan was ‘cruel,’ they found themselves in an ‘extremely difficult financial situation.’ Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

Tags: , , , , , , , ,

17 comments

  1. The Sunshine State

    Great informative article ! Keep them coming Brian !

  2. Somehow that last paragraph really amused me. Do they really have any semblance of compassion? Really!?

    One crook, “I’m not sure if it’s moral to steal someone’s money during this pandemic?”

    Another crook, “Nah. Remember during normal times we steal money from old ladies anyway. So it’s OK now too. Don’t worry, Vasyylyiei.”

    • If youre talking about carders, many dont see themselves as stealing from individuals, but rather stealing from multimillion dollar CC companies. And you’ll find that many criminals of all sorts have lines they wont cross and often convoluted justifications for how what they do is not immoral because they steal from crooked companies, crooked banks and individuals who have insurance to cover their losses. Not saying I agree with them, but many criminals dont see themselves as bad people per se.

      • Yep. There are plenty of justifying that happens. And like it or not… a lot of non-criminals feed into this notion of “evil corporations”, that they use to justify it.

  3. Perhaps the penalties applied to cybercriminals are too lenient, making many feel that taking the chance of getting caught is worth it. #puritanism

    • Quite the opposite in the US. The US “justice” system tends to make examples of “hackers” and throws the book at them. See Aaron Swartz for an example. The problem is many of these cybercriminals are in countries like Russia, where law enforcement doesnt care as long as you dont target Russians. What happened to Aaron Swartz was a tragedy, and an example of law enforcement gone off the rails because people think cybercriminals get off too easy.

      • The ideals of “justice by deterrence” is pretty flawed and not practical in the real world.
        The biggest reason, of course as Anon mentioned, is jurisdiction. There is no punishment for the vast majority, because they’ll never get arrested, let alone extradited and prosecuted.

        But even then… deterrence can only go so far. It is limited in its practical application, and effect on people.
        The chance of getting caught is low. So even the death penalty would not deter the majority of cybercriminals. Nor would threat of torture.

        Even if enforcement were to increase along with penalty, so that change of getting caught was much higher…. there are still limits on deterring criminality.
        If the rewards are high, it will be worth it for many many criminals. In the cyber world, there only needs to be a few hundred career criminals to account for a lot of crime. Its not like they need to show up in person.
        So deterrence, even if effective, only filters some of the people out of the criminal world… leaving fewer, but more profitable cyber criminals.

        • George Fleming

          That is the truth, Joe. It is true everywhere, for example in lawyer discipline:

          “…Lawyers constantly condemn the failure of the criminal justice system to deter crime for precisely these reasons – because of its alleged indifference, procedural niceties, or excessive lenience.

          Indeed, we know that the efficacy of social control varies even more strongly with the likelihood of punishment than it does with the severity of the sanction.

          Yet on both counts, especially the former, the professional disciplinary system falls far below the wholly inadequate standards of the criminal law. Lawyers can hardly present their travesty of a penal system as an effective deterrent.” [“Why Does the ABA Promulgate Ethical Rules?” by Richard L. Abel, Connell Professor of Law, University of California at Los Angeles School of Law, 59 Texas Law Review 639, 1981]”

  4. It is somewhat amusing that these “actors” are running into the same problems legitimate businesses do. It is also amazing that they don’t simply go legitimate all the way, since the skill set is similar, and they wouldn’t have to worry about getting busted anymore. With the problems they are having, I’d think the “profit margin” may even be close to the same as if they did actually go legitimate. Their sudden self examination of “morals” is laughable!

    Many of the mules that get fooled into these schemes don’t even know they aren’t in a legitimate business – the ads that attract them in the newspaper want ads, make them believe they are doing a work at home business above reproach. Yeah, I know that is stupid, but not everyone has a 140 IQ either. I used to watch those want ads and phone the paper to ask them to remove them, and I never got any flak from the papers for asking, and they understood that removing them was saving someone from a lot of heart ache.

  5. “Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”

    This reminds me of the line in the musical, “My Fair Lady” when Eliza’s good for nothing father responds to Professor Higgins’s question on whether he has any morals with, “Sorry Guvnor, I can’t afford them.”

  6. Holy Shnikeys! Did I just see a section named “Conscience vs. Commerce”?! If I wasn’t so disgusted by everything cyberthug what Cyberhero Krebs calls “ne’r do wells”, I’d maybe almost could muster anything but contention for any of ’em. Nah, I take that back…

    Interested by the sentence, “Responses to the proposal were mixed, with one forum user calling the plan ‘amoral,’ and another pointing out that cybercrime is inherently an immoral affair.”, particularly because I had never heard of the word “amoral” LOL I did a google[dot]com search for “amoral vs. immoral” and the first listing was a grammarly[dot]com entry:

    “Amoral means (1) neither moral nor immoral, or (2) lacking moral sensibility. So while immoral and amoral might share a little common ground, there is a clear distinction: immoral things are bad, and amoral things are either neutral from a moral perspective or simply removed from moral considerations.”

    So that’s basically having a conscience of convenience or having character that only REALLY shows its true nature when you’re SURE no one else is watching….

    These people will be (and probably already are) cyberpimping out their grandmothers and/or grandchildren by virtue of cyberpimping having been “simply removed from moral considerations”; I mean look they even made me say “cyberpimping”, which even just writing feels immoral, twice (oops now thrice) for the first time ever in one sentence that was supposed to be about cyberamorality… LOL

    So either way you look at it, Cyberhero Krebs, looks like the answer is still “commerce…” 🙁 Keep fighting the good fight BK, you and Schneier are legends in my book (and by book I don’t mean MS Word or Google Docs or even MS Notepad, I mean one of those spiral notebooks with lines in it that you write on with a pen and isn’t USB, wifi, mobile, etc. – line-height and margins already come preset; you share by ripping out pages; you delete by also ripping out pages but then crumpling them up and throwing them in a trash can – and if you want it shredded you tear up the page into pieces before crumpling; if you want encryption you use pig latin; you alternate color pallets by using different pens and if you want clipboard functionality you use a pencil with an eraser; if you want authentication and timestamping write yer f^cking name and the date in the top right corner of the page; and finally, if obfuscation is your concern, just write like I do and half the time you won’t be able to pretty-print any of it your own damn self)

  7. Sorry if this is slightly off-topic, but was a thought that was generated by watching one of the videos from an ad on this site showing Mitnick demoing a MFA using drivers’ license scans (looks promising).

    My comment isn’t about their product but a realizati0n I had at something he said when talking about user names and passwords being stolen through data breaches, which brings me to my point:

    FFS WHO IN THE HELL STILL STORES NON-HASHED PASSWORDS IN A DATABASE IN 2020??!!! I’ve never had any desire to know anyone’s password, being responsible for providing anyone’s forgotten password, being able to change anyone’s password, being able to reset anyone’s password, etc. so every app I’ve written uses MD5 and that’s it…

    And actually in extreme cases of forgotten passwords where authentication is critical but still has to be done online, when push comes to shove they will (increasingly more so I’ve noticed) allow you to eMail a photo of the front and back of your ID sometimes along with another photo of you holding the ID next to your face without obscuring any part of said face)… So now that I think of it actually that new product Mitnick demoed is actually pretty cool…

    Thanks again Cyberhero Krebs

  8. On the off chance that youre discussing carders, numerous dont consider themselves to be taking from people, yet rather taking from multimillion dollar CC organizations. What’s more, you’ll see that numerous lawbreakers of various types have lines they wont cross and frequently tangled supports for how what they do isn’t corrupt in light of the fact that they take from warped organizations, screwy banks and people who have protection to cover their misfortunes. Not saying I concur with them, however numerous crooks dont consider themselves to be awful individuals as such.

  9. I trust on this, lots of cybercriminal weathering this COVID19 issue and minting the money out of it.

    Credit card must move for some other technology which will help us avoid such frauds.

  10. Thanks for your informative blog. I recently got a really weird spam comment on my blog – thought I’d share, as for whatever reason, it’s your blog they’re advertising!

    An example:
    https://files.koskila.net/public/5TceCbeanp.png

    The spammy comments were posted on this article:
    https://www.koskila.net/web-part-page-maintenance-mode/

    And they pointed to this tag archive:
    https://krebsonsecurity.com/tag/emil-darbinian/

    Feel free to hide/unapprove this comment if you see fit, just thought I’d ping you about this!

    Cheers!

  11. I would say that companies are the most exposed to the current situation. Many of them “abandon ships”, making them an easy prey for hackers.

  12. thanks for the news.. how to save us from these activities of cyber crime.. recent the ransom ware attacks were also in news..