Vulnerabilities / Threats
1/24/2017
06:25 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Meet Ripper.cc, A Reputation Service For Cybercriminals

Ripper.cc offers a service to help protect the genuine cybercriminals from the scammers in their midst.

Fraud, it turns out, is as big a problem in the cyber underworld as it is for legitimate enterprises. And just as businesses constantly refine processes and techniques for spotting fraudsters, so too apparently do the bad guys.

Security firm Digital Shadows issued an alert this week about Ripper.cc, a service designed to help cybercriminals weed out scammers selling fake credential dumps, invalid or used payment card data, and for failing to deliver promised goods after taking money for them.

Ripper.cc is not the first service to try and help shield cybercriminals from fellow scammers. Cybercriminals have long used blacklists, underground forums, and other means to warn one another of rippers in their midst. Since 2005, in fact, a Russian service named Kidala.info has maintained a database of rippers.

What makes Ripper.cc different is its level of sophistication and the quality of its service, says Michael Marriott, research analyst at Digital Shadows.

For starters, Ripper.cc has a much sleeker-looking, and therefore more usable, website, according to Digital Shadows. The operators of the underground reputation service also offer helpful extensions for Firefox and Chrome and for PsiPlus that highlight all the known rippers that might be present in an underground forum or site so visitors know to stay away from them.

The browser extensions allow the visitor to click through the warnings and pull up ripper profiles from Ripper.cc, along with any identifying information that might be available on the individual including forum accounts and the reasons for their being in the database, Marriott says.

The PsiPlus plugin for those using Jabber instant messenger warns users when they might be interacting with someone in the Ripper database. As with the browser extension, the PsiPlus plugin also lets users pull up the profile and full details of each scammer. In both cases, the purpose is early detection of rippers. 

The plugins address a critical shortcoming in blacklists and some of the earlier services like Kidala where all the data about known rippers is contained in one place.

"Ripper.cc’s browser plugins will highlight known rippers for you on any forum regardless of whether they have been banned on that particular forum or not," he says. "[That] means it’s cross-platform and doesn’t require you to do anything extra."

The creators of Ripper.cc appear to have taken steps to assure users about the trustworthiness of the scammer data in the database. They have tried to involve trusted members from within the underground community to participate in the project. Ripper.cc also has a process to ensure that all submitted complaints about potential rippers go through an arbitration process, Marriott says. Administrators from four well-known underground forums are part of Ripper.cc’s arbitration team.

"Nonetheless, there is no doubt that not everyone in the cybercriminal community will trust them," Marriott says.

For now, the operators of Ripper.cc seem content to monetize their service through advertisements. Currently, the site has only two advertisers, both underground sites. To advertise on the site, it costs $15 per month for a footer banner, $35 for a side banner, and $50 for a header banner.

The operators of the site appear to have considered other monetization options as well but have not implemented them yet. One is a subscription model where users would presumably pay a small fee to access the plugins. The other option that the operators of Ripper.cc have discussed is operating as an escrow agent and collecting a cut for each transaction.

If such a service becomes successful, cybercriminals could begin to operate with more confidence, Marriott says. "It will enable cybercriminals to significantly reduce the risks associated with rippers and the overall cybercriminal economy can become more profitable allowing for further growth."

Related stories:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Tipsh
50%
50%
Tipsh,
User Rank: Apprentice
1/26/2017 | 2:04:27 PM
ripper.cc
You're right half. We have already given an interview to a journalist motherboard in jabber, painted all the details as much as possible. Please do not judge us for previously.
Thx you.

adm ripper.cc
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
1/26/2017 | 11:19:04 AM
Re: Darknet Yelp
@jcavery: While the aggregation of collected data can certainly be helpful, to be fair, I highly doubt the cybercriminals in question are using their real identities (beyond a pseudonymous one) -- or, for that matter, that Ripper is storing IP addresses (and, even if they were, I suspect that the vast majority -- if not all -- of the cybercriminals in question are using Tor, VPNs, and/or other IP-masking tools).
jcavery
50%
50%
jcavery,
User Rank: Moderator
1/26/2017 | 9:45:46 AM
Re: Darknet Yelp
Nice, doing the FBI's job for them. Keep up the great work Ripper
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
1/25/2017 | 10:25:24 AM
Darknet Yelp
So, basically, this is Darknet Yelp.

If they're considering different monetization models, I wonder if they'll go with advertising -- as did "regular" Yelp.

And then, from there, "regular" Yelp has been accused of extorting small business owners.  (Not sure how those accusations turned out or their veracity; I only know that there have been a number of such allegations.)

At some point, though, there has to be honor among thieves.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: just wondering...Thanx
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.