Security researchers have uncovered evidence of administrators on cybercrime forums scamming their own customers.
Threat intelligence firm Digital Shadows was sent a tip-off leading it to a cross-site scripting (XSS) forum thread. It contained direct messages between the moderator and administrator of the Altenen forum, and one unlucky user.
Altenen is an English-language cybercrime forum that has been around for nine years. Like many similar sites, it processes payments via an escrow system – with the site admins managing the escrow account.
In this case, a customer bought a laptop from another Altenen user, and then messaged the moderator asking them for a confirmation receipt that the money had been received. Instead, they were sent a demand for an additional ‘escrow fee’ of $120.
After haggling the moderator down to $80, the user paid. However, when the purchase fell through and the user requested the escrow fee back, the moderator ceased all communication.
A further message from the site admin revealed that the whole incident had been a scam.
“Not all users who approached the scammers ended up becoming targets. In some cases, the user was told that it’s a scam and they’re not being targeted because of certain criteria,” Digital Shadows explained.
“Muslims weren’t targeted, and neither were the forum’s ‘high profile’ members. This mirrors behavior seen on Russian-language forums, in which entities in the CIS region are not targeted.”
In a separate incident, a user seeking “verified seller” status in order to sell point-of-sale (POS) malware on the site was asked to pay $500 for the privilege.
“The admin suggested that the user turn his malware development skills against the forum’s own users, by developing a Bitcoin stealer and deploying it onto the forum, as there are many users on the forum with large amounts of Bitcoin,” Digital Shadows reported.
The cybercrime underground goes out of its way to cement trust between buyers and sellers, with most sites using rating systems not dissimilar to Amazon or eBay, to improve transparency and user experience.
At first glance, that would seem to be at odds with the evidence uncovered by Digital Shadows. However, the scams appear to be highly targeted at certain user types to avoid alienating valuable members.
“When an escrow scam is being perpetrated by the forum’s staff, the scammers are free to scam as many users as they wish,” Digital Shadows argued.
“If the forum is able to attract a constant influx of naive members, it can stay online no matter what damage to its reputation is done by the scam’s revelation.”