Attack of the Solo Cybercriminals – Frapstar in Canada
By now, cybercrime has become the fastest-growing criminal enterprise of the 21st century, run by efficient organizations with great professionalism. Today's headlines are mostly about large-scale breaches orchestrated by large criminal syndicates, but smaller one-man operations can be just as devastating to unwitting home users and businesses. This is a reminder that cybercriminals come in all shapes and sizes and still lurk around every corner of the internet, waiting to prey on an unsuspecting victim.
In order to shed some light on these lone wolf hackers, we showcase the activities of an individual located in Canada, whom we investigated and reported to the Canadian authorities. This individual uses the handles ksensei21, frapstar and badbullz in various crime and hacking forums, and will be referred to in this report as Frapstar. Are the one-man cybercrime operators in the shadowy online crime underground the evolved version of the petty thief?
Individual thieves vs. Organized gangs
The online black market has several tiers that offer different levels of access to different kinds of services: There are “closed” portals – those that require cybercriminals to go through a long vetting process, and there are those that are more “open”, mostly operating in public forums with a low barrier for entry.
Not surprisingly, these tiers mirror the type of product and expertise on offer: the "closed" portals deal more in sophisticated malware and exploit kits, while the open portals serve as a wonderland for all kinds of smaller-scale criminal activity, mostly trading in credit cards, social security numbers, health insurance information and the like.
Some researchers suggest that 80% of cybercrime stems from cybercriminal enterprises which have their own resources for developing malicious code, control their own botnets and treat their dealings like a legitimate business. That leaves about 20% carried out by individuals, who venture out on their own. This number is substantial and these independently operating criminals can cause significant damage: a recent Trend Micro research paper detailed how a one-man PoS malware operation captured 22,000 credit cards in Brazil.
FRAPSTAR – A Canadian specimen of the one-man cybercrime operators
Frapstar used the handles ksensei21, frapstar and badbullz on all kinds of platforms on the internet, crime-related and not. We even found him openly searching for conspirators on the public Internet. This is clearly the mark of a one-man and relatively amateurish operation: most criminals we track know better than to ask for conspirators in public, especially in Canada, where a large country with a small population makes it comparatively easy to track someone down. Cybercrime enterprises are not as rampant in Canada as in the US, which may explain why Frapstar operates alone: groups mostly form among cybercriminals in close geographic proximity.
Figure 1. Frapstar posting a “job offer” for other cybercriminals
Using an email address and handle associated with Frapstar, we discovered that he is also active in other online forums. His posts show that he is a fan of expensive cars and owns an older-model BMW 540i. On a popular BMW forum he even gives his name as "Chuck", states that he is located in Montreal, and adds his Gmail address for correspondence on these matters.
Figure 2. Forum post by Frapstar stating that he owns a BMW 540i (Click to enlarge)
Figure 3. Frapstar mentioning his name and location in a forum post (Click to enlarge)
Figure 4. Frapstar mentioning his Gmail email address in a forum post (Click to enlarge)
This finding gives a peek into Frapstar's lifestyle: he is obviously living comfortably and can afford some luxuries. We are not certain whether he has a day job that supplements his cybercrime operations, but we believe he earns a substantial amount from them.
Virtual marketplaces for your criminal needs
Frapstar was very active in known cybercrime and hacking forums. These forums are platforms for selling "dumps", the underground term for batches of stolen data that often include credit card and social security numbers. Cybercriminals can also purchase off-the-shelf malware directly from coders on these forums. The handles below are those we could identify as Frapstar's and attribute to him:
| Handle        | Forum         | Forum type            |
|---------------|---------------|-----------------------|
| frapstar      | proven.su     | PII & carding forum   |
| badbullzvenom | damagelab.org | Russian hacking forum |
| badbullzvenom | exploit.in    | Russian hacking forum |
Table 1. Frapstar’s handles in crime and hacking forums
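The attribution above rests on one technique: the same handle, email address or real name and city showing up on several unrelated forums. The following is an added example (not code from the Trend Micro investigation) of how an analyst can automate that pivot. It links profile records on exact selector matches with a disjoint-set forest and keeps the evidence for each merge. The records are constructed: the forum handles are the ones named in this report, but the email address, the "Chuck"/Montreal fields and the non-crime forum names are placeholders, not the real ones.

```python
"""Pivot forum profiles on shared selectors to attribute several handles to one actor.

Added example, not code from the write-up. Handles follow the article; the
e-mail address, name/city values and non-crime forum names are placeholders.
"""
from collections import defaultdict

# Constructed profile records, one per (forum, handle) pair.
PROFILES = [
    {"id": "proven.su/frapstar",            "handle": "frapstar",      "email": "carfan@example.com", "name": None,    "city": None},
    {"id": "damagelab.org/badbullzvenom",   "handle": "badbullzvenom", "email": None,                 "name": None,    "city": None},
    {"id": "exploit.in/badbullzvenom",      "handle": "BadBullzVenom", "email": "carfan@example.com", "name": None,    "city": None},
    {"id": "bmwforum.example/e39driver",    "handle": "e39driver",     "email": "carfan@example.com", "name": "Chuck", "city": "Montreal"},
    {"id": "classifieds.example/ksensei21", "handle": "ksensei21",     "email": None,                 "name": "Chuck", "city": "Montreal"},
    {"id": "gaming.example/frapster",       "handle": "frapster",      "email": "other@example.com",  "name": None,    "city": None},
]

# Selector extractors: each returns a normalised value or None. Exact matches
# only. The "frapster" near-miss above is deliberately NOT linked; fuzzy handle
# matching is a weaker tier that needs a human in the loop.
SELECTORS = {
    "email":     lambda p: p["email"].lower() if p["email"] else None,
    "handle":    lambda p: p["handle"].lower(),
    "name+city": lambda p: f'{p["name"]}|{p["city"]}'.lower() if p["name"] and p["city"] else None,
}


class UnionFind:
    """Disjoint-set forest over profile ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def pivot(profiles):
    """Group profiles that share any selector value.

    Returns a list of clusters, each {"profiles": [ids...], "links": [(selector, value)...]},
    so every merge can be explained by the evidence that produced it.
    """
    uf = UnionFind()
    index = defaultdict(list)  # (selector, value) -> [profile ids]
    for p in profiles:
        uf.find(p["id"])  # register singletons too
        for name, extract in SELECTORS.items():
            value = extract(p)
            if value:
                index[(name, value)].append(p["id"])

    for ids in index.values():
        for other in ids[1:]:
            uf.union(ids[0], other)

    clusters = defaultdict(lambda: {"profiles": [], "links": set()})
    for p in profiles:
        clusters[uf.find(p["id"])]["profiles"].append(p["id"])
    for key, ids in index.items():
        if len(ids) > 1:
            clusters[uf.find(ids[0])]["links"].add(key)

    return [{"profiles": sorted(c["profiles"]), "links": sorted(c["links"])}
            for c in clusters.values()]


def cluster_containing(profile_id, profiles=PROFILES):
    """The cluster (profiles plus link evidence) that contains profile_id."""
    for cluster in pivot(profiles):
        if profile_id in cluster["profiles"]:
            return cluster
    raise KeyError(profile_id)


if __name__ == "__main__":
    for cluster in pivot(PROFILES):
        print(len(cluster["profiles"]), "profiles:", ", ".join(cluster["profiles"]))
        for selector, value in cluster["links"]:
            print("   linked by", selector, "=", value)
```

Run stand-alone, the script merges the five constructed profiles into one cluster through three separate pieces of evidence (shared email, shared handle, shared name and city) and leaves the look-alike "frapster" profile on its own. Keeping the link evidence per cluster matters for a report to law enforcement: each merge has to be defensible, and a single reused email address is far stronger evidence than a common first name.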
Lampeduza, for instance, is a well-known crime forum and marketplace for credit card dumps. Forum posts serve as de facto bulletin boards that announce merchandise for sale and explain how the actual exchange will be conducted. The deals themselves go down over instant messaging applications such as Jabber or ICQ; payments are made through anonymous money transfers via providers such as Western Union, MoneyGram, WebMoney or Bitcoin. Frapstar's preferred payment methods appear to be Western Union and WebMoney.
Looking at the different forums Frapstar frequented and the content of his posts, we concluded that he is in the "carding" business, i.e. selling credit card and possibly PII dumps; he also offers Canadian passports. Online fraud has two parts: 1) stealing and collecting the data and 2) monetizing the stolen data through purchases or other means. Frapstar belongs to the first category, as he sticks to selling stolen credit card information as "dumps" for a sizeable profit.
Figure 6: Frapstar’s forum posts, where he talks about different kinds of services and job offers (Click to enlarge)
Figure 7: Frapstar's service allows cybercriminals to replace credit card details that are already inactive
How crooks like Frapstar steal data
In our investigations we were led to the conclusion that Frapstar stole credit card details by using information-stealing malware he bought from other cybercriminals. He also bought spamming and botnet services to deploy the malware into victims’ systems.
Frapstar used a range of malware families to gain entry and maintain persistence in his targets' environments. We tracked a domain registered to Frapstar, liveupdate[.]su, hosted by Voxility in Romania, where we saw malware hosted.
Upon further analysis, we found that Frapstar primarily uses the following malware families in his operations:
| Family  | Role                                                            |
|---------|-----------------------------------------------------------------|
| Zeus    | Primary: botnet; secondary: data-stealing functions             |
| Zbot    | Primary: botnet; secondary: data-stealing functions             |
| VBNA    | Worm written in Visual Basic                                    |
| Various | Scanners, password stealers, droppers, downloaders and backdoors |
Table 2. Malware types used
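The hosting domain above is printed defanged (liveupdate[.]su) so that it cannot be clicked. Turning such a write-up into something a resolver can enforce takes three steps: refang the indicators, extract the hostnames, and emit block records. The script below is an added example, not part of this report or of Trend Micro's tooling. The only indicator it takes from the article is liveupdate[.]su; the two URLs in its sample text are constructed solely to show other common defanging styles, and the output format is a BIND/Unbound response policy zone (RPZ), which returns NXDOMAIN for the listed names.

```python
"""Refang defanged indicators, extract domains, and emit DNS RPZ block records.

Added example, not code from the write-up. The only indicator taken from the
article is liveupdate[.]su; the other URLs in SAMPLE are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed input: the article's sentence plus two made-up defanged URLs.
SAMPLE = """We tracked a domain registered to Frapstar: liveupdate[.]su hosted by Voxility in Romania.
Constructed: payload at hxxp://liveupdate[.]su/bot.exe, second host hxxps://cdn(.)example[.]net/x"""

# Common defanging conventions -> their real form.
_REFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", re.I), "."),
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
]

_URL = re.compile(r"https?://[^\s'\"<>]+", re.I)
# Bare domain: must not be preceded by a path or label character, so the
# 'bot.exe' after a '/' and hostnames already inside URLs are skipped here.
_BARE_DOMAIN = re.compile(r"(?<![\w./-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?![\w-])", re.I)


def refang(text):
    """Undo the defanging conventions listed in _REFANG."""
    for pattern, repl in _REFANG:
        text = pattern.sub(repl, text)
    return text


def defang(ioc):
    """Make a domain or URL non-clickable again (host part only for URLs)."""
    m = re.match(r"^(https?)(://)([^/\s]+)(.*)$", ioc, re.I)
    if m:
        scheme, sep, host, rest = m.groups()
        return "hxx" + scheme.lower()[3:] + sep + host.replace(".", "[.]") + rest
    return ioc.replace(".", "[.]")


def extract_domains(text):
    """Hostnames from URLs plus bare domains, after refanging; sorted and de-duplicated."""
    text = refang(text)
    found = set()
    for m in _URL.finditer(text):
        host = urlparse(m.group(0).rstrip(".,;")).hostname
        if host:
            found.add(host.lower())
    for m in _BARE_DOMAIN.finditer(text):
        found.add(m.group(1).lower())
    return sorted(found)


def rpz_records(domains):
    """RPZ records that NXDOMAIN each domain and all of its subdomains."""
    out = []
    for d in sorted(set(domains)):
        out.append(f"{d} CNAME .")
        out.append(f"*.{d} CNAME .")
    return out


if __name__ == "__main__":
    domains = extract_domains(SAMPLE)
    print("indicators:", [defang(d) for d in domains])
    print("\n".join(rpz_records(domains)))
```

Blocking by name rather than by the Voxility address is deliberate: a hosting provider's ranges carry unrelated tenants, and the operator can move the payload to another address while keeping the domain. Re-defanging the extracted names before printing keeps the resulting report safe to paste into a ticket or email.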
Based on the tools he used, we can assume that Frapstar was able to affect both home users and businesses. His strategy of using multiple malware types resembles a Swiss Army knife: Frapstar purchases malware with different capabilities and uses each depending on his current needs. This also highlights a key fact about him: Frapstar is a script kiddie who shops for malware on hacking forums, but he possesses enough know-how to use that malware effectively.
Different means, same end
Frapstar and his fellow crooks are at the lower end of today's billion-dollar crime business, but they see the promise of high returns at relatively low cost and risk, and they grasp the opportunity. Buying malware is now easy and relatively cheap, which makes launching such a "career" attractive to hundreds, if not thousands, of one-man operators. Who launches the attack, however, matters little to the victim: whether it is a one-man operator or a cybercrime enterprise, the result is significant financial loss and damage. What this really shows is that there is a wide range of criminal types operating at varying scales, and they are all targeting the same set of users.