Taking on the fraudsters
If you want to stop cyber criminals, it pays to get to know them...
It takes a lot of time to build up trust with these criminal. Analysts have spent years in the chat rooms gaining the confidence of the fraudsters. But it is not an easy task. The trouble with IRC is that aliases are not persistent. A criminal can have one name one day and the next a totally different one. The analyst can piece together enough information to spot the regulars, even if the names change.
Karmi says that criminals try to buy from people they trust or build up a good reputation. But, because nicknames can be changed at will on these channels, building that reputation or gaining trust is more difficult.
As the internet has grown up, so have the criminals. IRC is used by criminals as a basic way of connecting and talking to each other. Eventually though, they find more efficient ways of doing business. Forums have sprung up to host these communities. These forums hide in the darknet, using the TOR network - something that is not easily accessible by normal internet users.
The forums benefit the fraudsters. According to Karmi, they act as a platform to enable the sharing of knowledge between other fraudsters about specific methods as well as helping them solve each other's problems.
"This is a much more convenient place to sell your ware because here they just shout and there you can have a much more convenient way to publicise yourself," he says.
"The first thing you can see on a forum is that they [the fraudsters] have banners, they advertise." Karmi adds that on the forums criminals can maintain a single identity that they can build up to gain a good reputation. This helps them sell their wares.
While criminals consult with each other on how to commit crime, they are not the only ones to benefit. Karmi says the people hosting these forums also get a piece of the action.
"They offer escrow services and other ways to get a nice percentage of everyone's fraud," he adds.
"Just organising this service for fraudsters can be very beneficial even if you don't commit the crime yourself," he says of the people running criminal forums.
The criminal community organisers and their escrow services also combat a problem for criminals, mainly rippers. These are criminals that scam other criminals.
The people that run forums will hold onto money while a transaction goes through to prevent rippers from making off with money and leaving the criminal out of pocket. The people running the escrow service take their percentage.
These communities must realise that firms such as RSA are infiltrating them. Karmi warns that the communities themselves are more and more closing themselves off from the outside world to protect themselves. Gaining entry to them means having someone vouch for you, having recommendations from other people or having people responsible for you.
Once on the inside, the analysts can start carrying out their work. Usually this involves getting a criminal to share some information on stolen cards. This helps in identifying a breach.
"We ask for a sample to see if they are the real deal. He'll send us a batch. If we can get a number of cards from a single batch, in most cases we can identify the single point of compromise, because we are trying to help identify the compromised merchant," says Karmi.
"Even if we get two cards from this single batch, then we can identify that both cards were used in, say a particular chain of shops. We then know that business is the common point of compromise," Cohen adds.
"Oren [Karmi] will then work with either our customers or different issuing banks to try help identify that common point of compromise. Then we can share intelligence about the merchant that has been compromised."
He adds: "Oran and his team try to get as deep as possible and close as possible to the root [of the compromise] and expose the root."
"We have to be as close as possible to stop that [fraud]."