By Lance James
Black Market White Washing: Why You Shouldn’t Take Legal Advice From Criminals
Fraudsters who operate shops in criminal marketplaces are constantly massaging their marketing pitches to assure prospective customers (and lurking law enforcement) that their service is legal. It’s become clear recently that some infosec professionals can’t seem to identify these services as bad, so these marketing efforts may have succeeded for one audience.
That is what happened recently when WeLeakInfo was taken down and a number of infosec people expressed shock and dismay that their favorite OSINT tool was gone. This isn’t the first time a password shop was taken down, but this one was unusually successful at whitewashing its origins in fraud and, disturbingly, some professionals seemed either unaware of this or did not care. Some even recommended the site, or a competitor, to their industry peers. Those professionals risk financing the same criminal gangs they are paid to stop.
A number of other cybercrime tools have attempted to make their way into mainstream use, with mixed success.
DDoS-For-Hire and the ToS Figleaf
One example is “booter” AKA “network stresser” services. These services were sold on criminal marketplaces as a way to knock video game opponents offline with DDoS attacks. Despite a business model obviously centered around abuse- shown both in advertisements and target demographic, booter owners believed they had an ace up their sleeve. Their ToS informed users that the booter was “for legal purposes only”, as a sort of legal figleaf. Under this speculative legal theory which was copied by nearly every vendor, booter owners assured their customers that the service was entirely legal and safe to use.
To quote the FBI in a 2018 indictment against a booter service named “Downthem”:
It should be noted that most, though not all, booter services that I have reviewed will offer some token language within their Terms of Service which attempts to absolve the booter service from responsibility for attacks launched by their customers. This language may include statements such as “Under this license you may not intentionally send a DDoS flood to an IP address not owned by yourself.” Based on my training and experience, I believe this language is essentially a pretense. Because RAA DDoS attacks by definition rely upon external services to act as “amplifiers,” they must flood traffic to those external services en route to the victim, impairing and degrading the capacity of those services, for which they have received no permission. Furthermore, many of the booter services I studied, including Downthem, offered services known as “resolvers” – the purpose of which is to obtain the IP address of a victim; such resolvers would be entirely unnecessary if any customer was targeting their own infrastructure.https://www.justice.gov/opa/press-release/file/1122336/download
This “ToS figleaf technique” has so far not protected any booters, nor has it prevented the police from paying a visit to many of their paying customers, like in “operation tarpit”.
In some cases, booters have marketed themselves as necessary network security tools, but with limited success, partly due to their unreliability. The only robust “legitimate use” I am aware of involved collecting evidence to take booters down.
Remote Access Trojans and More Bad Legal Advice
Another example of black market whitewashing comes from the vendors of “Remote Administration Tools” AKA RATs. This could potentially be seen as a muddy area, because this category of software is often critical for tech support and device management. Many mainstream video chat programs also have some form of “remote assistance” built-in. What separates legal from illegal?
It is often argued by RAT vendors’ defense attorneys that the seller isn’t responsible for the behavior of the customer and they themselves are neutral. They often argue that any attempts to take them down would criminalize the entire industry. Similar arguments were used by the author of the NanoCore malware, Blackshades, Orcus, LuminosityLink, other malware authors sitting in jail, and the journalists sympathetic to them. These arguments largely don’t address the allegations against them.
We don’t see the mainstream software industry protesting these takedowns. Why is that so? If you read the various RAT indictments, it always involves a conspiracy charge, where they knowingly supported customer criminal activity. The allegations were along these lines:
- The malware author advertised in criminal marketplaces, deliberately courted and supported a criminal demographic.
- Things like antivirus signatures and domain blocking diminish any “legitimate use” defense as it is difficult to legitimately deploy a product in an environment rife with so many efforts to remove it.
- They marketed features as deception techniques so their customers could bypass consent to get on victim computers. The focus was not on any specific technical feature but the fraudulent intent.
And if you read the indictments, these themes repeat dozens of times across a RAT’s features, chatlogs, advertisements, ultimately building an overwhelming amount of evidence that it wasn’t an isolated incident or a mistake- It was the business model.
Professionals in the pentesting world can relate to the issue of consent and deception. Pentesters may conduct phishing, but they do it under contract so it may be deceptive but not fraudulent.
When law enforcement took down RAT services, once again their customer lists became leads. One operation after the Blackshades takedown led to more than 100 arrests worldwide. In another instance, a security researcher was caught flat-footed as the FBI subpoenaed his personal email following the takedown of LuminosityLink.
WeLeakInfo and the Risks of Financing Criminals
The recent takedown of WeLeakInfo seems to have taken the infosec community by surprise in a way that most booter and RAT takedowns have not. I suspect it’s because there’s little industry demand for DDoS and trojan products compared to the unmet demand for low budget breach lookup tools for OSINT purposes.
This wasn’t even the first leaked password vendor to go down. WeLeakInfo was a competitor of Leakedsource and Leakbase which were taken down by police in 2017.
Unlike many other tools with origins in online fraud, WeLeakInfo successfully marketed to a number of cybersecurity professionals who were apparently unaware that this is a tool for fraudsters, written by fraudsters, initially sold on fraud forums. WeLeakInfo and its criminal competitors were recommended within the industry as an OSINT resource and even integrated into the OSINT browser extension “Mitaka” by people who may not have known. It is alarming that infosec people are encouraging their peers to purchase fraudster tools, both putting their peers at personal risk, and unwittingly funneling money to gangs that finance more database breaches.
Perhaps people decided to trust WeLeakInfo’s legal advice? Before their website was seized, their FAQ page featured a great example of a ToS figleaf.
Q: Is this service legal?
A: This service is 100% legal and our Terms of Service helps us with this, by outlining strict usage guidelines for the service.”.
WeLeakInfo has been compared to “Have I Been Pwned”, a legitimate service run by someone who probably listened to his lawyer. The most obvious difference between these two services is that HIBP won’t hand out passwords to 3rd parties, whereas selling passwords to 3rd parties is the entire point of WeLeakInfo. HIBP likely made this policy decision to reduce harm, and indeed it makes the service impossible to use for fraud. Conversely, it’s less useful if you’re a 3rd party like a bank and your customers aren’t motivated to use HIBP themselves.
There are other legitimate security vendors who will hand over the passwords, but they only sell to identified parties with specific purposes. They are also very expensive.
As you consider future “leaked password” vendors, keep in mind the following red flags that WeLeakInfo had:
- Their payment methods were repeatedly banned, so they took cryptocurrency.
- They relied solely on the “ToS figleaf” with no enforcement against abuse.
- The operators took great pains to remain anonymous.
- They don’t vet their customers.
- Initial advertisements appeared on Hackforums, and it was popularized in fraudster communities years before the industry discovered it.
- The $2/day price point appeals to the fraudster demographic.
- Refusal to remove people’s PII from being sold to fraudsters
Historically, leaked password sites have paid hackers for “exclusive” database dumps, creating market demand to attack more sites. Ask your lawyer what it’s called when a person gets paid to solve a problem they’re making worse.
It’s too early to tell whether WeLeakInfo’s seized data will result in more investigations of their customers.
Using Criminal Services for Legitimate Purposes?
If you want to tinker with the underground, a lawyer is just a starting point. You need protocols and policies. Get to know your local FBI. This is not to annoy you or slow you down (though, it will do both). It’s because this is all a gray area, and your goal is not to win a court case but to avoid one. Because of this, you need more than the bare minimum letter of the law. You need to avoid an “appearance of impropriety”, and exercise “due care”- all great phrases to ask your lawyer about.
If you hired a lawyer, they may have questions. Maddening… important… questions.
- Can your vendor provide GDPR documentation?
- Is this anonymous vendor a sanctioned entity or in a country on the OFAC sanctions list?
- By purchasing, are you giving material support to a terrorist org?
- To what degree are you incentivizing more hacks?
- Did all affected parties give consent?
- What could threat actors do to you personally, or your company, if they found out who you are?
- How do you plan to minimize harm?
Despite all these issues, companies write reports on criminal services. Stolen PII is available on password shops like WeLeakInfo, also stolen credit card shops, SSNDOB shops, RDP shops, and so on. It is a completely different game from conventional OSINT or pentesting. The underground is inherently dangerous. Messing up a pentest gig can make your boss mad at you. Messing up a threat intel engagement can make violent criminals mad at you.
The underground is dangerous in ways you don’t expect. For example, what if criminals’ bad legal advice is not the only thing they lie about? We have seen underground vendors’ claims about “not keeping logs” are often false, and many will even log customers’ plain text passwords, not out of ignorance, but because they want to hack their customers. Logs are power.
Every major threat intel company has a protocol for safely interacting with criminal websites. These protocols were built over years of work between researchers and lawyers. I’m not going to tell you how to do these things safely with the criminal underground, because I am not taking on that responsibility. I am only suggesting you may be doing things unsafely if you learned anything new from this post. Don’t take legal advice from someone on a hacking forum, or Twitter, and certainly don’t take it from me. Get your own lawyer.
Update: It looks like the Department of Justice was thinking about this too. They just released legal guidance for people interacting with and purchasing from illicit sources. You can read about it here.