From Russia with Love.exe 3: Money Laundering and Botnet Services

In this entry, the security analysts focus on other popular commodities sold on Russian hacking forums, as well as on malware distribution services.

Yarochkin: One of the most valuable commodities on these forums is actually ICQ numbers. Even now, as of today, ICQ is one of the primary communication means for this whole scene. What you need is a good ICQ number, sometimes obfuscated so that an automated grabber won’t pick it up.

The Grugq: Yes, one of the most valuable commodities they have to sell each other is a nice-looking ICQ number, like if you’ve got lots of double digits, etc. You see ads where they say, like: “This is 4 years old”. And I’m like: “Yeah, this is a good finely aged ICQ number, none of this new trash, you know”… We’ve got another kind of funny one; this is on the forum that’s no longer up. So, everyone knows about Steam accounts, right? It’s where you sign up and you can play games. If you purchase these accounts you will be able to download and run these games as if registered, not as hacked or cracked or anything like that. And these go for about $3.

Steam accounts for sale

Yarochkin: Here on one of the forums we see an ad saying: “Steam accounts – 5 accounts for Left 4 Dead” (see right-hand image). The price is in roubles. So, it’s 220 roubles, and the exchange rate is about 1 US dollar for 30 Roubles, so it’s 7 bucks or so.

The Grugq: Obviously, the price of Steam accounts has gone up. So, there’re really a lot of different things that get sold, and some of those aren’t the things that you really think about as having any value, like ICQ numbers, or access to gaming accounts.

Yarochkin: There’s also a service for sending SMS from a spoofed number.

The Grugq: There’s also these identity services, where you can purchase a completely new identity based on passport scans. Fyodor actually had a theory on how the passport scans were captured.

Yarochkin: It was in my home city, Moscow, in the airport (undisclosed name). But actually it’s possible to get access to the systems which are used for immigration control: whenever you go through the immigration control your passport gets scanned. So, I think that’s one of the primary sources for the passport scan data. And it’s not only Moscow. I think at the airport of Bangkok it’s similar. Basically, you walk through the airport and you see some Ethernet plugs there – has anyone tried to plug in a cable and see what’s on there? The password is “cisco”.

Complete identity being sold

The Grugq: …That is all speculation, by the way. So, this is a guy offering a complete package (see left-hand image).

Yarochkin: The funny thing is, it literally says: “For funds of any degree of dirtiness”. You get the whole package which includes bank account, online access, ATM card; you can withdraw $1000 per day; you can also increase the limit, this will cost you $30; you get the code map for online access; you get copy of the passport, and you get the SIM card. You can also order custom-made accounts: if you have a passport scan, this guy can do the rest of the stuff for you. He didn’t list the price there – you’re supposed to contact him.

A piece of cake


The Grugq: One of the other things is – how long do you think it will take to find usable credit cards using these Russian forums? A wild guess? Starts from close to nothing.

Yarochkin: Slightly longer, because it takes a few seconds to type.

The Grugq: So, this is the number one Russian search engine.

Yarochkin: Yandex is like Google of Russia. The first link, if you put in something like “dump of credit cards” using the Russian forum slang, gives you names, addresses. If you are looking for more, you can actually buy it.

The Grugq: In terms of the question regarding whether there are people who buy this stuff or not, many people buy proxy services; I’ve bought proxy services. I know that there are people who complain about prices, like: “When I used to buy CCVs they never cost that much”. It’s hard to tell. And a lot of the stuff looks like they’re hitting the wrong markets, like they know that they want to make money, and they have figured out a way to make money – they just haven’t figured out that they can’t make money from each other. These dudes are really not very bright in terms of generating revenue from the resources that they have available. Like with the Skype credit – Skype credit is something that many people would be interested in buying at a discount rate. I guess that there are several people in this room who would purchase discount Skype credit. iTunes gift cards – 1 dollar per 100-dollar card. I would pay money for that; that is a good value. The thing is – I don’t read Chinese very well, at all actually. So, posting on a Chinese forum is not a good way to find me as a consumer. Similarly, having posts for Skype credit on a Russian hacking forum is a great way to tell other Russian hackers that they can use their stolen credit cards, buy Skype credit, and try and sell it. It’s not a good way to convert stolen credit cards into actual cash money. This is a great opportunity for someone who wants to enter at a certain level of the Russian criminal market and really take over. You could access these Russian web forums and make them available to the international market.

Money laundering service

Yarochkin: I think you have to speak the language well, too, because, if you want to buy proxy servers, as soon as you don’t sound fluent enough, they’ll think you must be a cop. One more thing: aside from the credit card stuff, you can also buy a money laundering service (see left-hand image).

The Grugq: This one is awesome! The direct translation of this – you’ll never get it. Basically, this is for money laundering – you can actually purchase money laundering services online.

Yarochkin: The title of the post is translated as “trash can for dirt”.

The Grugq: …Or, as we say in English – money laundering, obviously…The reason that it’s called “trash can” is…

Yarochkin: …Because the combination “trash can” in Russian sounds kind of similar to the word “washing”.

The Grugq: So, the word for “trash can” in Russian sounds similar to the word for “washing” – washing money, right?

Yarochkin: The code for Yandex Money is literally translated as “poison”, because the Russian word for “poison” coincides with the Russian abbreviation for Yandex Money – “ЯД”. So, another advertisement says: “I want to buy dirty grey poison, up to 120 thousand roubles; I take 40%, i.e. for 100% dirt you get 60% of clean money. I’m going to wire it via Alfa-Bank, Telebank, or clean Yandex Money account”.

The Grugq: So, you can “wash” your money. They can streamline the workflows and start going together – like complete packages – and then offering them in English. That way they would probably make more money.

Yarochkin: Another good business is selling traffic. What kind of traffic is that? It’s basically about clicks, real computer users’ clicks.

The Grugq: We saw an advertisement about this service on one of the forums. Basically, what it comes down to is they have the best infection ratio. So, for the amount of traffic that gets sent they guarantee the highest number of infected computers.

Yarochkin: Why would you need the infection ratio thing? If you build a botnet, what do you do? They have these “partnerkas” where they have some exploit-loaded malware; you get people clicking on it, and the ratio of the number of people who clicked on the link to the number of people who actually got infected and reported back to the control center – that’s the infection ratio.

The Grugq: And these guys guarantee the highest level of infection ratio.

Yarochkin: You can actually buy the “guaranteed antivirus un-detection” service, where you get .exe binaries from them, and they give you something like a one-month guarantee. Aside from that, they typically have a website providing a paid service where, whenever the binary gets detected by an antivirus, they’ll just do another update. And it’s all really automated.

The Grugq: There’s a site that used to sell access to a botnet directly online – www.proxy.ru. They are apparently not up anymore. It was basically just a control panel for a botnet. It was awesome; they just rented direct access to a botnet.

Yarochkin: You could select it per country.

The Grugq: Yeah, you could filter down the list, like, for example, I only want Netherlands IP addresses and I want only SOCKS proxies, and then – bang, done.

