Cybercriminals in Turkey have teamed up with recently arrived Russian émigré hackers to flood a once moribund online marketplace with tens of millions of newly stolen personal credentials, an evolution in the transnational nature of such fraud.
Thousands of men, many of them trained software engineers, fled Russia for Turkey last September after president Vladimir Putin ordered military conscription for the war in Ukraine.
Some of them, Turkish police and security researchers said, turned to relatively low-level online scams and fraud to support themselves, pairing up with established Turkish counterparts to avoid detection, launder their earnings and sell credentials harvested from computers around the world into the European market.
The recent surge in activity has prompted the Turkish police to investigate, two officers — who asked not to be named — said, although the criminals use sophisticated online techniques, known as cloaking, to evade detection.
In contrast, criminals based in Russian-speaking countries tend to operate relatively openly, since enforcement from their governments has been lax.
They said that in recent months the cybercriminals had fed off each other’s skills to create cartels that are chipping away at the monopolies of better-known traditional Russian and Belarusian gangs.
“In less than one year, the reports have increased a lot,” said one of the officials, based in Antalya, a coastal region popular with Russians.
The second police official noted that these newly formed gangs are careful not to prey on Turks to minimise the scrutiny of local authorities.
The Turkish police did not respond to a request for comment.
The cybercriminals’ marketplace of choice, dubbed by security researchers as the Underground Cloud of Logs, has in recent months been flooded with tens of millions of stolen credit cards, passwords and login credentials.
This trove, discovered by information security specialist Osher Assor at Auren Cyber Israel, leverages sophisticated code that sends freshly stolen credentials to a large number of clients who sign up for the data flows on Telegram groups.
The data is harvested by a widespread piece of malware that seems to evade most known antivirus software. Assor believes the malware — nicknamed Redline — is downloaded inadvertently by people using illegal websites to play video games or pirated versions of popular software.
What makes the data Redline harvests especially valuable is that it also steals browser cookies — the small pieces of data a website stores in the browser to recognise a user who is already logged in — allowing the hackers to take over the victim’s live sessions and impersonate them online, and even to copy the credit cards that people save to make online shopping easier.
“The data is more valuable because it is fresh, almost live,” Assor said. “Password trading is not new, but what is unique here is that the information arrives ‘fresh’ — each update contains a package with hundreds to thousands of logs stolen in the last few hours, keeping the cookies ‘hot’.”
In screenshots of conversations with a Turkish hacker that Assor shared with the Financial Times, hundreds of Telegram groups appear to market access to the freshly scraped data, often for as little as $50 a week. Each bundle has thousands of entries — one screenshot showed 76mn different data points, collated for ease of use.
A Turkish information security specialist, who asked not to be named because contact with the hackers falls under a legal grey area in Turkey, said he had penetrated one of these Telegram groups masquerading as a buyer.
Over a period of months, he watched as the newly arrived Russian hackers taught their Turkish counterparts sophisticated code to collate the vast amounts of data being harvested, while the Turkish criminals leveraged their contacts in western Europe, especially Germany, to secure better prices for efficiently organised data sets.
In other chats, he witnessed a group celebrating massive hauls, discussing ways to convert stolen cryptocurrency into Turkish lira, and even elaborate ways to purchase real estate to receive a Turkish passport.
“None of these are big-time hackers, but they’re very efficient and have learned how to automate things very well — their output is increasing rapidly,” he said.
Assor’s interactions with the group show the same — professional marketing, and even customised guidance. In one instance, a Turkish hacker even gave him restaurant advice for Istanbul.
But when asked about his connections to the Russians, the hacker demurred.
“No, bro,” he replied. “I don’t want to know — the important thing is not to know [their] face, but to be with talented people.”