Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what’s more, when the criminals complain that they are being scammed, they’re also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.
Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people’s stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people’s devices or systems. However, these deals often don’t go to plan.
The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, a researcher with Sophos X-Ops who studied the marketplaces.
Wixey examined three of the most prominent cybercrime forums: the Russian-language forums Exploit and XSS, plus the English-language BreachForums, which replaced RaidForums when it was seized by US law enforcement in April. While the sites operate in slightly different ways, they all have “arbitration” rooms where people who think they’ve been scammed or wronged by other criminals can complain. For instance, if someone purchases malware and it doesn’t work, they may moan to the site’s administrators.
The complaints sometimes lead to people getting their money back, but more often act as a warning for other users, Wixey says. In the past 12 months—the period the research covers—criminals on the forums have lost more than $2.5 million to other scammers, the analysis says. Some people complain about losing as little as $2, while the median scams on each of the sites ranges from $200 to $600, according to the research, which is being presented at the BlackHat Europe security conference.
The scams come in multiple forms. Some are simple, others are more sophisticated. Frequently, there are “rip-and-run” scams, Wixey says, where the buyer doesn’t pay for what they’ve received or the seller gets the money but doesn’t send across what they sold. (These are often known as “rippers.”) Other types of scams involve faked data or security exploits that don’t work: One person on BreachForums claimed a seller tried to send them Facebook data that was already public.
In one extreme incident on the Exploit forum, an account posted a lengthy complaint that they had provided someone with a Windows kernel exploit and hadn’t been paid the $130,000 they had agreed for it. The buyer said they would pay once they had tested the software but never stumped up the cash. “At each stage, he gave different excuses for delaying the payment,” a translated version of the complaint says.