Earlier this week, the Department of Justice unsealed indictments against no fewer than 36 individuals alleged to have been involved with the Infraud Organisation cybercrime forum, which netted an estimated $530 million in stolen profits from financial institutions, consumers, and other victims worldwide.
A few things immediately stand out about this particular criminal enterprise:
Hiding In Plain Sight: Unlike many other cybercrime forums that operate under the cloak of anonymity afforded by the dark web, Infraud was readily accessible to anyone with a Web browser. To evade prosecution, the Infraud forum was hosted on ‘bulletproof’ servers located in Russia (services that were naturally also made available to its forum members).
Resilience of the Marketplace: Not only was this forum readily available, it likewise proved to be remarkably durable. Unlike underground dark web marketplaces like Silk Road and AlphaBay, Infraud remained operational for more than seven years, demonstrating that even a well-orchestrated judicial crackdown is still severely hamstrung by the whims and quirks of other sovereign nations.
A Highly Coordinated Criminal Enterprise: The days of individual hackers working in isolation have been supplanted by hierarchical, well-orchestrated crime rings that have adopted many of the same organizational principles -- such as the division and specialization of labor -- as the modern enterprise. In fact, we are starting to see many of these syndicates leverage the same sophisticated machine learning technologies that are being employed by legitimate businesses (a topic for another day).
Perhaps most illuminating of all is the breadth of products and services available to the 11,000 Infraud forum members – which even include third-party escrow services to settle transactions between merchants and buyers. It’s the modern day equivalent of a Turkish bazaar with a dizzying array of tools and services available to conduct any manner of criminal activity.
According to Andy Greenberg at WIRED:
“The indictment accuses those dozens of defendants, located from Moldova to the Ivory Coast to Bangladesh, of trading in stolen credit card numbers, Social Security numbers, compromised accounts, and materials to create counterfeit cards. They were also allegedly involved in malware, money laundering, and so-called "bulletproof" hosting services designed to host other illegal online operations.”
So what lessons might we take away from this latest crackdown?
- Collaborate or Suffer the Consequences: Infraud is just one of many fraud rings that are both global in scale and highly organized. As John P. Cronan, acting assistant attorney general of the Justice Department’s criminal division, said of the indictment: “Infraud operated like a business to facilitate cyberfraud on a global scale.” This should serve as a wake-up call to enterprise organizations that, in order to protect themselves and their customers, they must also identify opportunities to collaborate within and across industries.
- The Long Arm of the Law Can Only Reach So Far: Why bother hosting a cybercrime forum on the dark web when you can simply host your illegal marketplace on servers in a country that readily turns a blind eye to criminal malfeasance? Businesses must accept the sober reality that globalization and the slow deterioration of the nation-state have wrought: we must not only become more self-reliant but should also take a more proactive and open stance towards sharing fraud intelligence.
- Nature Abhors a Vacuum: Just as we’ve seen countless times with so many illicit Dark Web marketplaces, every time one is shut down, others quickly emerge to take its place. Not only that, but the new entrants will often be less constrained by legacy architecture and will be all the more challenging to shutter. So long as there’s demand in the market, it will be filled.
- Data Breaches Feed Password Reuse: Stolen credentials are the fiat currency of sites like Infraud and it is incumbent on businesses to invest in educating consumers on the consequences. Ironically, it was sloppy password hygiene on the part of one of Infraud’s moderators that led to his unmasking. As Brian Krebs points out in his analysis: “A confidential source who asked not to be named told me a few years back that Rafael had used the same password for his skimming sales accounts on multiple competing cybercrime forums. When one of those forums got hacked, it enabled this source to read Rafael’s emails (Rafael evidently used the same password for his email account as well).”
The risk of credential vulnerability will continue to be an issue so long as passwords remain the primary method of consumer authentication. While we should all celebrate the diligent work by authorities to bring this massive fraud ring to justice, it should serve as a good reminder to not recycle passwords across sites and instead give preference to online services that offer strong multifactor authentication capabilities such as those enabled by iovation’s mobile MFA LaunchKey solution.