Social Networking on Internet Scammer Forums
With social networking sites like MySpace and Facebook all the rage among the 18 to 24 set, it's not hard to see why so many young people are drawn into hacking and online crime: After all, most criminal hackers learn the tricks of their trade at Web forums and online chat networks that also serve to connect buyers with sellers of stolen consumer data.
But building social networks takes time, and finding your way around hacking forums can be an intimidating (and potentially dangerous) endeavor. Fortunately, there's an easy way for researchers and investigators to get the lay of the land without getting their virtual feet wet: a free software tool called "PieSpy."
PieSpy is a "bot," or automated program, designed to graphically map social networks within Internet relay chat (IRC) channels, the preferred method of communication among most online criminals. There are literally thousands of these simple, text-based networks, that predate modern instant-messaging systems, catering to almost every topic imaginable. Most IRC networks are used to to facilitate real-time online communication between two or more people at once, just like instant-message networks such as AOL Instant Messenger or MSN Messenger. But there are dozens of IRC channels that serve as open marketplaces for all variety of stolen consumer data. Virus and worm writers also use IRC to update and control their networks of infected computers.
To the administrator of an IRC server, a PieSpy bot looks just like any other user who happens to be lurking in the channel. All the while, the program is using a set of rules to infer relationships between pairs and groups of IRC channel members that provides insight into the social hierarchy of an IRC channel. Each time a new communication occurs on the channel, PieSpy redraws the map and takes a unique snapshot of it. Run PieSpy in a busy IRC network overnight and and you can create a slick time-lapse video of the map evolving and growing like some elaborate, genetic mutation.
I've used this nifty little program on several occasions to map some of the more heavily-used IRC fraud forums, most recently a very popular one known as "ccpower" (the "cc" stands for credit cards). In the image to the right you can see a number of users communicating with one another, with the darker blue lines indicating stronger (more frequent) relationships. Interestingly, two of the individuals near the center of the diagram, "Ccards" and a user named "the," switched places after several hours, suggesting one had handed control over the channel to the other after some time.
Of course, creating pretty maps only gets you so far. Logging the channel's communications and doing some creative Googling brings more interesting results. I managed to trace a bunch of the users in this channel back to an online fraud forum called TalkCash.net (don't go there unless you know what you're doing), where some of the users post even more information about themselves, such as their birth date, e-mail address, and country of origin.
For example, the user "McT0ni" in the graphic above is an administrator of both the IRC channel and TalkCash, and is a 19-year-old male who most likely resides in Germany (if his e-mail address is a reliable indicator). A quick Google search on his e-mail address shows that he, at one time, used it as a drop box for user names and passwords stolen in a phishing scam targeting AOL users.
Posted by: xqzyl | June 27, 2007 10:23 AM | Report abuse
Posted by: Middle America | July 1, 2007 10:32 AM | Report abuse
Posted by: zindar | July 6, 2007 2:43 PM | Report abuse
Posted by: fotinorod | July 7, 2007 2:37 PM | Report abuse
Posted by: govokinolij | July 12, 2007 8:30 AM | Report abuse
Posted by: GorOffimi | July 16, 2007 8:27 PM | Report abuse
The comments to this entry are closed.