The Russian internet is a dreamland for travel fraudsters
Russian travel fraudsters feel much safer on the Russian internet than anywhere else. You can find out why it is such a dreamland in this blog post.
Michał Barbaś, Intelligence Specialist
8 April 2020
On the Russian Internet, cybercriminals feel much safer than elsewhere. Sometimes Russian authorities do not want to cooperate with law enforcement (LE) from other countries (especially Western ones); in other cases, they choose to cooperate with their domestic cybercriminals. In one widely known case, Russian LE initially cooperated with US LE and imprisoned Maksim “aqua” Yakubets[1] for hacking activity. But instead of extraditing him to the US, they hired him[2]. There are other possible reasons why Russian authorities are lenient toward their domestic hackers, but that is material for another paper.
Not all hackers and fraudsters from Russia are in love with the Russian authorities. Most of them still take safety precautions, and sometimes hackers and fraudsters get busted even in Russia. But in most cases, as long as they do not leave Russian territory, they are safe. There are many hacking and carding forums, even on the clearnet, that have a very long history and are not being seized by LE. Thanks to that, many vendors of various services and goods have been able to operate in the same places for many years. If someone is looking for a cheap carded flight ticket or hotel booking, he does not even need to go to a Darknet Market (DNM) on the TOR network[3]. He can buy it on Russian-language forums on the clearnet.
In most cases, Russian-speaking travel vendors have been operating for much longer and on a larger scale than English-speaking travel vendors. On Russian forums it is quite easy to find travel fraud vendors that have been providing services since 2014 or 2016 and have an excellent reputation. On the other hand, the widely available travel fraud vendors on English-language DNMs have been in business for a year or two. Sometimes on English-language DNMs there are vendors who claim they have been doing this for longer, but this is difficult to verify. As for English-speaking carding forums, there are almost no such vendors, and when they are present, they usually come from Russia. There are almost no flight and hotel carding topics on English-language forums. By contrast, every prominent Russian carding forum has a “carding flights/hotels/cars” section.
In the names of all the subforums above, flights, hotels, tickets, and cars appear in various orders. S. Vendor is present not only on these 4 carding forums.
Some Russian-speaking travel fraud vendors have so much work that they need to hire employees. Hiring staff in the cybercriminal world is not something new, however. Specialization and departmental division of work are similar to those in a normal, legal business. The most popular job positions on the Darknet and in the criminal part of the clearnet are PR and marketing specialists. It is not a technical job, and it cannot do much harm to the business.
Probably none of the English-speaking travel fraud vendors hire employees, or at least there is no proof of it. However, in the English-language part of the Darknet, mostly on DNMs, hiring is noticeable, especially for PR and marketing tasks. The reader should understand that for fraudsters, selling fraud services and stolen merchandise is a business. Illegal and unethical, but still a business.
Below is an example of a successful Russian travel fraud vendor; let's call him S. Vendor. Fraudsters like him sell cheap airline tickets, hotel bookings and even fully organized vacations. The price of their services is a percentage of the original price charged by online travel agencies. They acquire those services from a legitimate online travel agency using one of a few illicit techniques. One of the most popular is online carding — the practice of using a stolen credit card to buy merchandise or services via the Internet.
The main S. marketing graphic, which can be found on many carding forums. Honestly, it could look better; many travel fraud vendors that are less advanced than S. have better graphics. What we can learn from this ad: 5 years on the market, over 5 thousand bookings and air tickets to choose from, more than 2 thousand reviews, the best discounts and promotions, and support 20/7 (I think it is 20, not 24, because they sometimes need to sleep).
S. Vendor is one of the most visible Russian travel fraud vendors. He is very active on many Russian-language forums, and on many of them he has a moderator role or VIP member status. Since 2016, he has been selling flight tickets, hotel bookings and organized vacations. Airline tickets are offered for 50% of their market value, which is an average price compared to vendors from English-language Darknet Markets. He sells hotel bookings for 25% of their real cost, which is cheaper than the offers from the DNMs described in the previous article.
Apart from his activity on Russian forums, he is also one of the few Russian travel fraud vendors who advertise on English-language forums. You may find his ads on fraud-related forums but also on cryptocurrency- or forex-related ones. However, most of these have a poor reputation, and there is no feedback there, only statements of disbelief and accusations of scamming from other users in S. Vendor's topics. It seems that these English-language forums were selected randomly by S., and the effort did not give the expected result.
Russian-speaking people are clearly S.'s main target, and his activity on Russian forums looks totally different. On many prominent carding forums, his topics run to dozens of pages. Most of the posts come from him and his employees, who quote satisfied customer reviews with attached photos taken on vacation (examples below). S. Vendor often writes about special sales, e.g. for a certain vacation destination. Sometimes he writes about other events which have somehow influenced his business.
Russian travel fraud vendors publish photos of satisfied customers on vacation holding a sheet of paper with the vendor's name on it.
As I wrote above, not only S. Vendor posts in his forum topics but also his employees responsible for marketing and client support. S.'s business has several entities on Telegram[4] made for different purposes. This messenger is very popular among Russian fraudsters. Two Telegram accounts were made for communication with customers: the first for sales and the second for client support. There are also two other Telegram channels made for PR reasons. One of them is among the biggest carding channels on Telegram in terms of quantity of content: almost 3 thousand photos and 57 short videos made by S. Vendor's customers on vacation. It is hard to tell how many people run this marketing network, but according to S.'s statements there is at least one such person; let's call him B. Employee, who is in charge of marketing on every forum where S. Vendor offers his services.
B. Employee is present on all forums where S. provides services. He pastes positive comments from customers with attached photos and posts information about sales. Lately, he has been trying to convince other crooks to “run from Coronavirus”. As he writes, there are still tourist destinations available.
In every business, something can go wrong. The more popular a vendor is, the more impersonators he has. They are called scammers or rippers — fraudsters who deceive other fraudsters. What an irony, right? One popular type of scam is the impersonation of a real, reliable fraudster. Many prominent fraud vendors have problems with imitators, and this applies to every type of illegal vendor on the Internet: travel fraud, stolen credit cards, stolen or carded goods, counterfeit documents, special software for hacking or carding, drugs, etc. Such imitators try to deceive a new customer who is looking for a fraud service on the Net. When the customer finds many positive comments on forums about, e.g., Johny Shop, he often tries to contact the vendor via Telegram. What will that new customer find? Accounts named Johny_Shop, J0hny Sh0p, Johny Shop Official Channel, Johny Shop Promotions, etc., and almost all of them will have the same official graphic as an avatar. Imitator troubles may be even more common among Russian vendors than among English-speaking ones. S. Vendor is no exception.
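As an added illustration (not code from the original post or from Nethone), here is a defender-side check for the lookalike-handle pattern described above: it normalises account names (case, accents, leetspeak, separators) and flags names that collapse onto a protected brand name. The brand and the candidate account names are constructed to mirror the Johny Shop example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed values modelled on the impersonation pattern above (hypothetical).
BRAND = "Johny Shop"
CANDIDATES = [
    "Johny_Shop",
    "J0hny Sh0p",
    "Johny Shop Official Channel",
    "Johny Shop Promotions",
    "Travel Deals Bot",
]

# Leetspeak / digit-for-letter substitutions that impersonators commonly use.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(handle: str) -> str:
    """Fold case, strip accents, undo leetspeak and drop separators."""
    s = unicodedata.normalize("NFKD", handle)
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    s = s.lower().translate(LEET)
    return re.sub(r"[^a-z0-9]", "", s)


def lookalike_score(handle: str, brand: str = BRAND) -> float:
    """1.0 when the normalised handle is the brand plus an optional vanity
    suffix ('official', 'promotions', ...); otherwise a string-similarity
    ratio in [0, 1] between the normalised handle and the brand."""
    h, b = normalize(handle), normalize(brand)
    if h.startswith(b):
        return 1.0
    return SequenceMatcher(None, h, b).ratio()


def flag_impersonators(handles, brand=BRAND, threshold=0.85):
    """Return (handle, score) pairs that look like the brand but are not it."""
    return [(h, round(lookalike_score(h, brand), 2)) for h in handles
            if h != brand and lookalike_score(h, brand) >= threshold]


if __name__ == "__main__":
    for handle, score in flag_impersonators(CANDIDATES):
        print(f"possible impersonator: {handle!r} (score {score})")
```

The startswith rule is deliberate: "Johny Shop Official Channel" is far from the brand by edit distance, yet it is exactly the suffix trick the post describes, so similarity alone would miss it.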
In July 2019 his problem with scammers and impersonators grew bigger. All his Telegram accounts and channels were frozen and marked as spam, but the accounts of his imitators had no problems: none of them were banned or accused of scamming. As you can imagine, S. Vendor was really mad. According to information given by S., he tried to negotiate with Telegram support, but without success. He had to open new Telegram accounts and start his marketing work from the beginning. The Telegram accounts I described a few paragraphs above are the new ones.
This announcement was posted on all forums where S. Vendor is active, in both English and Russian. For better understanding, we have included the English version here.
In 2018 S. Vendor opened a new type of business: a document photoshopping service. S. explicitly said he has a team responsible for it, and he also created additional Telegram accounts for this service. When a fraudster wants to verify his online account at a bank, cryptocurrency exchange or money transfer service, he often needs to send documents such as an ID, passport, bank statements, etc. The photoshopped documents offered by S. include:
credit cards (8–13 $)
ID cards / driver's licenses (8–14 $)
SSN (Social Security Number) (5 $)
bank statements (8–12 $)
utility bills (4–8 $)
For clarification, they do not sell printed counterfeit documents. They edit document files on a computer to change them as the customer wants. Why do crooks use such a service? Smaller companies' ability to verify such documents is often insufficient. Such photoshopped files are certainly not perfect, but they are good enough to bypass, e.g., verification on a cryptocurrency exchange's website. The growing supply of this type of service indicates growing demand for it.
S. Vendor's editing and photoshop service. As you can see, the price list is in USD:
S. Vendor is a good example of a Russian travel fraud vendor. His business does not depend on DNMs, and he uses many carding forums as a marketing base. Thanks to that, he increases his resilience to LE seizures of criminal forums and DNMs. If some Russian carding forum were seized, which rarely happens, he would still be present on many other forums. The English-speaking travel vendors described in the previous article usually rely on 1 or 2 DNMs, which are much less stable than forums. S.'s actions during his Telegram bans and his Coronavirus-based ads show that he is aware of his surroundings and tries to adapt quickly to the situation and take advantage of current events.
Moreover, S. continues to develop his business. He hires employees responsible for marketing, PR and editing documents. The last of these has become his new business vertical, and perhaps in the future he will try to open another one. So far, we have not found a non-Russian travel fraud vendor brand on English-language forums and DNMs that has developed in a similar way.
[1] Yakubets and his co-conspirators are suspected of a long-running conspiracy to employ widespread computer intrusions, malicious software, and fraud to steal millions of dollars from numerous bank accounts in the United States and elsewhere since 2009. In 2019 the U.S. Department of State offered a reward of up to $5 million for information on Yakubets. Currently he lives in Russia, and he is certainly not hiding. It is easy to find photos of him and his colorful Lamborghini with вор (Thief) on the license plate.
[3] The Onion Router (TOR) is a secure, encrypted protocol that ensures the privacy of data and communications on the web. It uses a series of layered nodes to hide the user's IP address, online data, and browsing history. Originally developed by the U.S. government, it is now seen as a dangerous system that is often used for illegal or unethical purposes. There are other encrypted networks similar to TOR, and together they form the Darknet.
[4] Telegram channels are similar to Twitter accounts but without the comments feature. They are a one-way communication channel, excellent for announcements and sales offers.
If you wish to protect your business from the threat of fraud posed by online cybercriminals, let us schedule a call to show you how Nethone's advanced fraud solution can help you...