While participating in HITBSecConf Malaysia, security analysts The Grugq and Fyodor Yarochkin present their study of the ins and outs of the Russian hacking community, hacking forums and culture.The Grugq: Hi everyone. This is Fyodor, I’m Grugq by the way. What this talk is on is it’s basically on the Russian underground hacking forums, and the Russian underground hacking culture. We’ve spent the last year…
The Grugq: … It used to be 6 months, and then 6 months turned into 12 months and extended to more than a year, so we have spent quite a long time sort of monitoring these forums.
Yarochkin: Intelligence gathering project.The Grugq: Yeah, open source intelligence gathering. It is still not open, but we are apparently making it into a service where you can purchase access to information about the trends within the underground community, but then we’ve had a lot of snags with the automated analysis that we need to do, we’ll get into that. So, roughly, this is a snapshot of what we have got so far (see right-hand image), so we are going to go over, basically, how both of us are experts at using our tongues. If there are any women that don’t believe us they can ask for a private demo. Yarochkin: So, what we set out to do is we wanted to create a framework for doing open source intelligence gathering, automated monitoring of hacking forums both in the Chinese web-sphere, and also within the Russian web-sphere, so it is like a multilingual thing.
The Grugq: The beauty of this idea is that Fyodor speaks Russian, Mandarin and English – mostly English. And I speak Thai, which has a huge hacking community, as everyone knows. And we work with Fyodor to help him with basically figuring out what’s the stuff that we should be paying attention to and work on that. And we also had to build something like a back-end technology for doing this really massive web-scraping that we had to do. Everything fell apart when we had to deal with that fucking rubbish that Russian hackers speak – it’s not pure Russian, it’s not like a subset of Russian; it’s just a bizarre lingo. Basically, we figured out that we had to automate this. We started out by making Fyodor read everything every day.
Yarochkin: … And click.The Grugq: This worked fine for me, but Fyodor started complaining, so we decided to automate the intelligence gathering part and then try and sift through a lot of the noise and extract the signal. So we had a fluctuating number of domains; we were dealing with ten top of the domains, each of these will have multiple sub web forums that we monitor, so there’re basically buyers, sellers, wipers, rippers, etc.
Yarochkin: And general hacking discussions which are usually quite crappy.
The Grugq: Yeah, it’s something like: “I need to get into my girlfriend’s Yahoo! webmail account, can you guys help me?” And then those guys go: “No, no, you’re so lame, if you have to ask you don’t know;” and some other dudes go: “Shut up man, you don’t know how to do it,” so it’s all pretty rubbish.
Yarochkin: I think the most interesting forums are actually these offerings of sales and buys – that’s basically where you can actually see what people are up to.The Grugq: So, actually, from this we’ve detected several trends which are now starting to actually show up like we saw them initially; they’re now showing up as issues that you guys have to deal with on the Internet, like all the fake antivirus stuff. The reason why we had to do most of the shit manually – and by “manually” I mean that Fyodor had to read it off – is because we’re dealing with natural language. Natural language is notoriously difficult to parse into something useful. It’s incredibly complicated and you are dealing with these kids that do not know how to spell.
Yarochkin: They don’t want to know how to spell. It’s basically one of the criteria of being cool.
The Grugq: Yeah, they use the Russian form of leetspeak as well, where they misspell things deliberately to be cool. Some of the words that they use have been taken from English; they convert them from English into Cyrillic, so they have multiple misspellings of the same word. We’ve got an awesome example of this, of why automated stuff doesn’t work.Yarochkin: How do you read foreign language forums normally? Any ideas on how to try to understand if you don’t know the language? You could use Google Translate. We’ve got a message here (see right-hand image).
The Grugq: Yeah, you take this, which is basically a very standard posting for an offering of a service. Some guys are selling something for 32 bucks. And what the fuck does that actually say? That’s the question. Let’s ask Google. Alright, so what does it say? It says: “We work long, know the market and needs of all. Adequate trafogony and people with loadami – always Wellcome. Way minimalok inappropriately recruit for peymenta, even with 1 Sell all come home on request. Interested in adult / biz cores.” So, yeah, good luck with that! Google is pretty fucking useless. The problem is manifold. So, Fyodor, could you quickly explain what this guy actually says?
Yarochkin: Basically, he is selling a traffic generating service.
The Grugq: Selling traffic to sites.
Yarochkin: He is also saying that people with big loads – big traffic generating capability – are always welcome.
The Grugq: Yeah, so this is basically mostly manual process.
Yarochkin: And the signature says: “I’m interested in adult / business traffic”.The Grugq: “Traf” (“Траф” in Cyrillic) – that’s not cores, that’s short for “traffic”, which is English. So, what you find is that the Russian hackers’ slang (see left-hand image) is made up of a combination of “Fenya”, which is Russian prison slang; anglonyms, which is basically loan words direct from English; the Rhyming slang, where they basically take words that sound like the English words but are Russian…
Yarochkin: Who can tell us what “mylo” (“мыло” in Cyrillic) stands for? It means “soap” if you literally translate it.
The Grugq: So, what could “soap” be? Email, obviously, because the Russian word for “soap” sounds very similar to the English word for “email”.
Yarochkin: And also, there’re lots of cases where they just take an English word, they use a direct dictionary translation into Russian, and then they’ll be using it all over. If you go back to the image with the Russian posting, you’ll see “всегда велком” – the latter is basically just a Russian-spelled English word “welcome”.
The Grugq: Alright, so the automated translation – if we could get that right, we’d probably make more money than we ever would on just being able to sell the intelligence from this. So, that’s a bit of a snapshot of some of the issues that we’re dealing with. The things that we found are significantly more interesting: there’s a large number of different scams and schemes that are being played out on these boards. What we mostly pay attention to are the buyer and seller boards, where there’re people who are trying to sell services or products, and other guys who want to buy specific services or products. There are guys that get out there and say: “I need a load of traffic to these websites so I can do installations.” What will happen is someone will have websites that will basically run Trojans that will install onto boxes. And they want other guys to send traffic to those websites so that they can install their stuff onto those boxes. And they are willing to pay you money for every install that they run.Yarochkin: Yeah, and you might be getting up to about $32 per single installation.
The Grugq: That can add up quickly, you can make $32 at home with your mother’s PC.
Yarochkin: So, a little bit of classification on the types of activities that we’ve seen so far (see right-hand image).The Grugq: How do people actually make money? We’ve picked four arbitrary categories; you could go a lot finer, you could go a lot larger. There’s the Extortion thing (see left-hand image) which uses spyware that charges you to install it. Yarochkin: We can show you the screen (see right-hand image). Have you seen this before? It’s in Russian, but there’re also international versions.
The Grugq: It says you are running a fake version of Windows. You have to send an SMS to this number and then you will get a special code to unlock your computer. It basically shuts down your box until you send the SMS which is premium-rate.
Yarochkin: So far we’ve seen two options. One is you need to send an SMS to the number, and they charge your phone. And another one is you just need to pay online with your credit card, and it’s a really bad idea to hand over your credit card details.The Grugq: More interesting schemes are the “Partnerka” ones; the word comes from “partnership program” in Russian.
Yarochkin: If you look at this ad (see left-hand image), this is a real advertisement from one of the forums, it says “Installation Partnership Program”.
The Grugq: Sounds pretty legitimate, doesn’t it?
Yarochkin: And what kind of installations are those? They pay you for displaying their web content, which would be like an exploit loaded with malware. You may have heard about the case where people were opening The New York Times and got infected with stuff, because some of these guys bought advertising service and they used Flash with an exploit in it. So chances are you go to The New York Times – and you get the stuff installed on your box.The Grugq: The way these guys operate (see right-hand image) is they actually set up legitimate credit card payment gateways; they set up their own credit card processing systems, these are Visa / Mastercard regulation compliant and also PCI compliant, so other people can’t hack them. And then what they do is they look for partnerships, web funds.
Yarochkin: If they charge people on their credit card and someone complains that it’s an illegitimate charge and the gateway doesn’t return the money back, then Visa basically cuts it off. So they have to stay connected to the Visa payment gateways, and they actually have a policy where if you for example buy this software, or if you unlock Windows and then you realize it was all fucked up – then they’ll actually give your money back. But the people who actually realize this stuff and ask for the moneyback – there’s much fewer of those than the people who don’t.The Grugq: These guys make significant money, and they partner with webmasters and other scum. We’ve got a screenshot here (see left-hand image). These are partners who are making 30% of every payment. Here’s the top ten of the moneymakers (see image below). If you look at the numbers – around 150K, 100K, 90K, etc. – these guys are making real money: on a monthly basis, that’s not too bad, particularly in Russia. You can live quite well there if you earn that much. Yarochkin: Unless you live in Moscow, then that’s a pretty sufficient amount.
The Grugq: The “Partnerka’s” are now starting to drive a lot of the online activity. All the hacking stuff is now moving to these partnerships. What we saw earlier is sort of loose collections of people that offered this and that, like “I’m selling access to Skype” or whatever. Nowadays we’re seeing that it’s more organized, with these dudes going like “We are a firm offering this service. We will pay you at this rate”.
Yarochkin: And they actually also do hires. Have you seen advertisements about an established company hiring, for instance, a Financial Manager, and you get, like, 30% from every transaction? Have you seen that kind of ads? The way it works, basically, is it’s like a money mule. How do people get traced? Usually through a banking transaction. The people who organize the whole thing don’t want to leave the record of banking transactions. So, what they do instead is they hire people – it’s like an illegal job – and once you get hired you get money (like WebMoney) on your account, and you are supposed to transfer it somewhere else. For every transaction you complete, you get 30%. And in certain occurrences, they also require that you give up your username and password so you get “better” trust relationship with your company. So they get pretty scrupulous with the whole identity control.