WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Cybersecurity reporting tends to focus on stories about governments and law enforcement agencies moving to catch the threat actors responsible for major cyberattacks. We rarely stop to think about the cybercriminal underground’s own policing activity.
Contrary to what you might expect, successful cybercriminal platforms are not the “wild west”. They have their own rules and regulations that are strictly enforced. Every day, forum administrators move to protect their own interests by banning problematic threat actors from the platforms they run.
If forum members aren’t playing by the rules, they can be temporarily or indefinitely banned. Often, a single transgression on a forum can be enough for a permanent ban, regardless of the individual’s contribution to the site. Banned users often have little scope to challenge these decisions. However, becoming a banned user can cause significant damage to a threat actor’s personal brand, resulting in reputational damages in the cybercriminal community and potentially cutting off their sources of income.
Just as we saw with several forums’ recent decision to ban profitable ransomware affiliate programs, what is best for the platform trumps self-serving, individual threat actor interests. Although forum administrators do weigh up the pros and cons of such controversial decisions, at the end of the day, forums want to protect their business, safeguard their brand, maintain administrators’ authority, and avoid unwanted attention.
In this article, we set out to examine six common reasons cybercriminals are banned from forums:
While some cybercriminals are out there trying to make an “honest” living by swindling the general public, others like to prey on their fellow forum members with attempted scams. The scam is usually advertising something for sale, taking someone’s payment for the goods or service, and never delivering on what was promised. This is probably the most frequently occurring reason that threat actors are banned from cybercriminal forums, and it is common across sites from many different language communities.
Victims of such scams seek recourse through forums’ arbitration processes, often resulting in the scammer’s expulsion from the site. If the claimant can prove that they were scammed through images or screenshots of a conversation with the fraudster, the defendant will usually be permanently banned from the forum. A forum administrator or moderator typically oversees the process, representing figures of authority in the lawless criminal underground.
On one popular English-language forum, for instance, a user approached the site’s arbitration system to accuse another member of not delivering them stolen credentials after they had paid the vendor. The claimant provided a screenshot that reflected their proof of payment to the scammer. After a forum administrator reviewed the case, the defendant was given a chance to explain their side of the story. When they did not respond to the accusation, the administrator ruled in favor of the claimant and the scammer was banned from the site.
On another high-profile Russian-language cybercriminal forum, one forum user filed a complaint directly against another member for taking USD 210 from them without delivering a specially-crafted phishing document that the claimant had purchased. They initiated an arbitration claim and provided “proof” of their dealings with the vendor in the form of conversation logs. The arbitration process showed that the defendant had impersonated the site’s escrow service in private messages. In addition, the defendant never responded to the accusation and the arbitrator banned the scammer from the site.
Arbitration processes can be avoided altogether if forum members use a legitimate escrow service—an arrangement where, after a deal has been agreed upon, the buyer sends their funds through to a neutral third party known as a “guarantor.” Only after the buyer has confirmed that the goods or services they receive from the seller meet their expectations or the deal’s agreed conditions will the guarantor release the money to the seller.
While forums have different thresholds for what they deem inappropriate content, it is common for them to have a set of rules laying out the regulations for that site so users know what’s acceptable on that platform. The forum team of administrators and moderators usually enforce these rules. Particularly on Russian-language forums, ordinary forum members also play a role in reinforcing rules through social reminders.
A common rule on Russian-speaking cybercriminal platforms is a ban on targeting victims located in Russia and countries in the former Soviet bloc. This rule has likely become the norm for Russian-speaking threat actors for a variety of reasons, including patriotism and the relative lack of wealth in CIS countries compared with the West. Users who flout this rule may receive a warning from a moderator, a “heads up” from other forum members, or even a full ban for a particularly egregious case.
A common rule on Russian-speaking cybercriminal platforms is a ban on targeting victims located in Russia and countries in the former Soviet bloc. —Photon Research, 2021
For instance, on one Russian-language cybercriminal forum, a user was looking for Telegram botnets that could be used to command and control malicious apps. In response to their search, another user suggested Russian-language bots being used to target individuals in CIS countries. Another threat actor implored the interested party not to use the bots because they targeted Russia and other CIS countries, or, as they put it, “don’t work on your own people!”
Other rules are designed to better protect a forum’s integrity. For example, one popular English-language cybercriminal forum prohibits users from having more than one account. This ensures that users cannot be impersonated. If a scammer impersonates another reputable forum member, they likely have a better chance of stealing from a victim. For instance, one user on the forum was found to be using an account that was almost identical to another user’s account. By inserting a “1” at the end of their username, they attempted to impersonate a reputable forum member in the hope that others would not notice. Needless to say, their disguise did not work, and they were banned under the site’s policy.
Other common cybercriminal platform rules include bans on spamming or artificially inflating reputation scores. Inflating one’s reputation can be done by making meaningless posts such as “thanks” or “cool”; users may do this to appear more legitimate or view hidden content on a site.
One Chinese-language cybercriminal marketplace that we looked at, for example, had warnings repeated in bold letters on the site’s homepage, reminding users that such behavior is “frowned upon” and would lead to users being banned, regardless of their account status or whether they have funds deposited in their account.
Given their chosen profession, individuals earning a living on cybercriminal forums are guided by a different moral compass. However, each individual threat actor has an ethical line that they will not cross or tolerate for themselves or from others.
In the court of public opinion on cybercriminal forums, material related to the exploitation of children or pornography displaying minorsis often an intolerable offense. On an English-language cybercriminal forum, a user was banned for reportedly providing a link to pornography that exposed a minor. Despite some positive reviews in the post from other forum users, the forum administrator banned the user for violating the anti-child pornography policy.
Another instance of a post ruining a user’s reputation can be found on a prominent Russian-language cybercriminal platform, where a user advertised for sale a reputable account on another forum. Other forum users immediately condemned the post, and expressed shock that someone would sabotage their reputation with such a blatant offering. The accused defended themselves, claiming they had permission from the other forum team to sell the account and urged naysayers to contact the other forum. Despite this, multiple users called for the seller to be banned, resulting in their expulsion from the site.
Forum users actually call out other members they suspect to be law enforcement when they ask suspicious questions. As stakes are high, it’s a natural instinct to be suspicious of other users on a cybercriminal forum. After all, researchers, scammers, and law enforcement agents all have a presence in the cybercriminal underground.
Red-flags to other forum users include asking for specific company names or lacking a reputation score and history of posts on the forum. —Photon Research, 2021
A question such as, “What is the name of the company you are selling access to?” is an immediate red flag, and that user then risks being reported and banned from the forum. Suspicious account activity may also result in a ban. For example, a user that never makes any posts on a forum and only searches for the names of companies may be suspected of being a researcher.
Other accounts may be considered suspicious if they have made zero posts on the forum and don’t have a reputation score. In the screenshot below, one account on an English-language forum was suspected of being a scraping bot, meaning it was likely a mass scraping bot designed to extract content and data from the website.
In the Russian-language cybercriminal scene, paranoia is arguably even higher, especially with Western intelligence agencies attributing an increasing number of cyberattacks to Russia. In fact, many native Russian speakers on forums refuse to even work or discuss projects with native English speakers, as they deem it too risky or don’t want to work around the language barrier. If enough users suspect that a forum member is not who they say they are, there is a good chance they could be blacklisted.
The adage of “don’t bite the hand that feeds you” rings true here. While forum teams don’t always make the most popular decisions, becoming a forum’s critic can result in another user who is willing to defend the site reporting your account. The recent decision by Exploit, XSS, and RaidForums to ban the sale and advertisement of ransomware was very divisive. Exploit forum members bemoaned one user for their selfish reaction to the ban on ransomware. Their critique of the forum and vow to “make revenge” eventually resulted in their ban from the forum.
In some cases, a forum member criticizes the forum team or the forum itself. On one Russian-language forum, questioning the moderator or administrator is expressly forbidden, and on another, this activity can also be considered a serious offense.
One forum member learned this the hard way after they accused the forum of being compromised by law enforcement. The user even joked that the forum administrator’s real name was “Comrade sergeant Ivanov”. As you can imagine, the forum administrator did not find the joke funny, and the user was ultimately banned for their accusation.
Why would a user ban themselves from a forum? While it isn’t common, users have asked to be removed from forums either because they thought they were being tracked by law enforcement or because their account had been compromised. However, it’s ultimately up to the forum team if they will fulfill members’ requests.
In fact, one forum explicitly states in their account rules that “we do not delete accounts for whatever reason you have.” Digital Shadows (now ReliaQuest) recently observed a moderator on this site abruptly denying a member’s request that their account be deleted, pointing to the forum rule that accounts will not be removed for any reason, along with the tagline, “Think before you register.” Despite this, one user was recently allowed to have their account banned for unknown reasons.
On a different forum, the rules section establishes a remediation process for a hacked account. However, the rules also state that everyone is responsible for their own posts and they must take responsibility, even if their account is hacked.
A platform ban might not seem like a big deal, especially when there are tons of other marketplaces and forums where one can buy or sell similar goods and services. However, bans can often be a dark stain on a user’s otherwise great reputation or prompt the banned user to seek vengeance. Shortly after ransomware affiliate programs and a few ransomware operators were banned on Exploit, for instance, the site experienced retaliatory DDoS attacks suspected to be from previously-banned forum members. In addition, the site had to handle arbitration claims from members who were owed money by the DarkSide ransomware representative who was forced out of the forum.
Forum administrators and moderators ultimately have to maintain some “law and order” or they risk losing everything. In fact, lack of rule enforcement has been a contributing factor to the demise of numerous cybercriminal platforms—a lack of trust, discipline, and failure to moderate explicit content could cause a platform to unravel. For this reason alone, there have to be consequences for rogue cybercriminals that have little respect for authority. After all, platforms have a better chance of survival if they are well-moderated and take precautions against law enforcement by “flying under the radar.”
At Digital Shadows (now ReliaQuest), we continue to track the dynamics of cybercriminal forums and marketplaces. By building complete threat profiles for cybercriminal platforms, threat actors, and crime syndicates, we develop unique insight of great intelligence value. If you’d like to keep up to date with the state of the dark web and cybercriminal underworld, get a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight across open, deep, and dark web sources cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Get a free, seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.