A former FBI official says the sprawling Russian black-market forum for illegal hacking and fraud services known as Infraud Organization – its motto was “In Fraud We Trust” – was operated like a “dark-web cousin of major commercial marketplace sites”. The official said it shows one thing: that we’re clearly not just fighting solo hackers at this point.
The US Department of Justice (DOJ) earlier in the month indicted no fewer than 36 people in a transnational bust of the forum, which it said was responsible for more than $530m in losses over the course of its seven-year history.
According to the indictment, Infraud was created in October 2010 by Svyatoslav Bondarenko, aka “Obnon,” “Rector,” and “Helkern,” a 34-year-old from Ukraine. It was allegedly set up to promote Infraud as the “premier destination” for carding – purchasing retail items with counterfeit or stolen credit card information, prosecutors said.
The money came from trading in stolen credit card numbers, taxpayer numbers, compromised accounts, and materials to create counterfeit cards. The crooks were also allegedly involved in malware, money laundering, and so-called “bulletproof” hosting services designed to host other illegal online operations. From the DOJ’s announcement:
Under the slogan, “In Fraud We Trust,” the organization directed traffic and potential purchasers to the automated vending sites of its members, which served as online conduits to traffic in stolen means of identification, stolen financial and banking information, malware, and other illicit goods.
It also provided an escrow service to facilitate illicit digital currency transactions among its members and employed screening protocols that purported to ensure only high quality vendors of stolen cards, personally identifiable information, and other contraband were permitted to advertise to members.
Infraud had all the markings of a disciplined, well-run organization, according to the indictment: one that employed administrators to manage day-to-day operations and strategic planning, approved and monitored membership, and meted out punishments and rewards to members. Infraud also allegedly had “super moderators” who oversaw and administered specific subject-matter areas according to their fields of expertise; moderators who presided over one or two specific sub-forums within their areas of subject-matter expertise; vendors who sold illicit products and services to members; and both VIP and regular memberships.
But none have enjoyed the longevity or scope of Infraud, which had 10,901 registered members as of March 2017.
On Thursday, NBC News published comments on the Infraud bust from John P. Carlin and David Newman. Carlin was the assistant attorney general for the DOJ’s National Security Division (NSD) and served as chief of staff and senior counsel to former FBI Director Robert S. Mueller III, where he helped lead the FBI’s handling of security threats, including cyber threats. Newman is a former special assistant to President Barack Obama, associate White House counsel, and director on the National Security Council staff.
The two former security officials said that the most important message for the public from the sweeping indictment is that companies aren’t just dealing with rag-tag script kiddies nowadays; rather, they’re basically up against other well-run companies:
While these types of multi-jurisdiction arrest sweeps are intended to send a message to cyber-criminals, the most important message in the near term is for the public: In today’s environment, companies are not just up against solo hackers, but highly skilled enterprises that rely on an international collection of criminal and cyber expertise.
… highly skilled enterprises that are also likely being sheltered from the eyes of the law by countries that find it convenient to overlook their criminal activities, Carlin and Newman suggest. They noted that the DOJ’s public statement sent out thank-yous to a long list of cooperating law agencies around the world, but that Russia was “conspicuously absent” from that list, even though the indictment indicates that the site was hosted in Russia.
Among other things, the indictment alleges that in 2011 the site’s founder issued a decree that banned the buying and selling of contraband involving Russian victims, a tactic experts noted is used to discourage Russian law enforcement from taking down a Russian-hosted server.
This is how tightly the Infraud site was run, according to the indictment:
The group’s leadership imposed a rigid hierarchy to maintain order on the site, delegated authority to system administrators and other associates who held roles of varying responsibility ranging from “Moderators” to “Super Moderators” to “Administrators.” It also relied on a system of strictly enforced rules and user-generated feedback to maintain quality control. Longstanding site members were promoted to “VIP Member” status to honor their contributions and solicited advice on the “In Fraud We Trust” discussion forum.
At the time of the bust, Wired quoted former FBI cybercrime agent EJ Hilbert, now a vice president of cybersecurity at security firm Gavin DeBecker and Associates, who speculated that Infraud used the same sort of “bulletproof” hosting that the site itself sold: the type that keeps servers tucked far away from western cops, that covers operators in a blanket of anonymity, and that frequently shuffles sites around to stay a step ahead of investigators.
They were sitting in countries outside the jurisdiction of Western law enforcement. That’s why something like this can remain live for an extended period of time.
While the Infraud bust was one of the largest takedowns of a dark-web market in history, the DOJ’s schematic of the organization reveals that a majority of the accused are still at large:
…which means that we should gird our loins for predation from more well-organized enterprises, including at the hands of much of the Infraud gang. Carlin and Newman said that the way things are going, it’s going to take some serious investing and some fancy footwork to keep out of the clutches of criminal enterprises like this one:
Meeting this threat takes a serious investment in technological safeguards as well as a willingness to adapt to an evolving threat. Companies and individuals should invest now in protections against these kinds of threats and begin planning for scenarios in which their systems are breached and their information finds its way to these kinds of dark corners of the internet.