Some people have turned to baking sourdough bread or participating in TikTok challenges during the coronavirus lockdown. Cybercriminals have put their own spin on passing the time, with online rap battles, poker tournaments, poetry contests, and in-person sports tournaments.
The twist is that the prize for winning these competitions is sometimes stolen data and tools to make cybercrime easier, according to new research from Trend Micro.
Trend Micro analysts Erin Johnson, Vladimir Kropotov, and Fyodor Yarochkin described this new trend in the blog post, “Cybercriminals Gamble With Victims’ Livelihoods To Pass the Covid-19 Blues.” They found that about half of the online criminal platforms examined offered some sort of COVID-19-related entertainment program.
Kropotov, a senior threat researcher at Trend Micro, said that he and his colleagues monitor cybercriminal underground forums regularly to raise awareness about new threats and to stay a step ahead of cybercriminals.
The researchers noted that poker tournaments have become popular in the cybercrime underground, with dozens of forum threads advertising them. Players can join the poker club forums, join the related poker group on Telegram, or install the poker room's application from a specific poker site and join the club through the app. Participants have to play at least three times to become a member, and then at least four times a month to keep their membership active.
Poetry contests and rap battles also have become more popular and have occasionally crossed streams with the poker games:
“Cybercriminals used the poems submitted to the contest to promote tournaments and prizes. These poems are written with heavy use of forum slang and could feature such phrases as ‘Teri give socks,’ referring to SOCKS proxies; or ‘Sphere,’ which refers to the customized browser Linken Sphere that malicious actors use to mimic legitimate user environments.”
Prizes in these competitions have included:
- Access to cloud-based logs of stolen data, including PII and stolen credit cards
- Licenses for Linken Sphere, a customized browser that replays stolen credentials and system fingerprints so that a fraudulent session looks like the legitimate user's device and evades anti-fraud detection; used to monetize stolen credit cards or payment system credentials
- A Visa Gold card (with a seven-month warranty) registered using leaked scanned IDs
- Two airplane tickets purchased using a stolen credit card
- A script to automate the creation of cloned websites and e-shops often used to harvest user credentials, PII, credit cards, e-wallets, and other monetizable assets by tricking users into logging in and shopping on a cloned version of a website
- Verified Yandex.Money and QIWI wallets registered to money mules, used for money transfers, as a means of payment in e-shops, or to purchase virtual private servers (VPS) and other assets needed for their business
- A license for credit card fraud anti-detection software, along with 50 custom configurations to mimic the legitimate credit card owner while avoiding detection by antifraud systems
- Monetary prizes that were originally accumulated through criminal activities
As the blog post's authors noted, the software licenses offered are highly useful to cybercriminals. A license for Linken Sphere, the anti-detection browser used to evade anti-fraud systems, costs about GHC600 per month, or GHC3000 for a six-month subscription.
The researchers concluded, “…criminally obtained assets being used as prizes for personal entertainment is a phenomenon that demonstrates the mentality of these criminals; the stolen assets are simply assets that can be awarded, traded, or given away.”