It takes a lot of time to build up trust with these criminal. Analysts have spent years in the chat rooms gaining the confidence of the fraudsters. But it is not an easy task. The trouble with IRC is that aliases are not persistent. A criminal can have one name one day and the next a totally different one. The analyst can piece together enough information to spot the regulars, even if the names change.
Karmi says that criminals try to buy from people they trust or build up a good reputation. But, because nicknames can be changed at will on these channels, building that reputation or gaining trust is more difficult.
As the internet has grown up, so have the criminals. IRC is used by criminals as a basic way of connecting and talking to each other. Eventually though, they find more efficient ways of doing business. Forums have sprung up to host these communities. These forums hide in the darknet, using the TOR network - something that is not easily accessible by normal internet users.
The forums benefit the fraudsters. According to Karmi, they act as a platform to enable the sharing of knowledge between other fraudsters about specific methods as well as helping them solve each other's problems.
"This is a much more convenient place to sell your ware because here they just shout and there you can have a much more convenient way to publicise yourself," he says.
"The first thing you can see on a forum is that they [the fraudsters] have banners, they advertise." Karmi adds that on the forums criminals can maintain a single identity that they can build up to gain a good reputation. This helps them sell their wares.
While criminals consult with each other on how to commit crime, they are not the only ones to benefit. Karmi says the people hosting these forums also get a piece of the action.
"They offer escrow services and other ways to get a nice percentage of everyone's fraud," he adds.
"Just organising this service for fraudsters can be very beneficial even if you don't commit the crime yourself," he says of the people running criminal forums.
The criminal community organisers and their escrow services also combat a problem for criminals, mainly rippers. These are criminals that scam other criminals.
The people that run forums will hold onto money while a transaction goes through to prevent rippers from making off with money and leaving the criminal out of pocket. The people running the escrow service take their percentage.
These communities must realise that firms such as RSA are infiltrating them. Karmi warns that the communities themselves are more and more closing themselves off from the outside world to protect themselves. Gaining entry to them means having someone vouch for you, having recommendations from other people or having people responsible for you.
Getting in
Once on the inside, the analysts can start carrying out their work. Usually this involves getting a criminal to share some information on stolen cards. This helps in identifying a breach.
"We ask for a sample to see if they are the real deal. He'll send us a batch. If we can get a number of cards from a single batch, in most cases we can identify the single point of compromise, because we are trying to help identify the compromised merchant," says Karmi.
"Even if we get two cards from this single batch, then we can identify that both cards were used in, say a particular chain of shops. We then know that business is the common point of compromise," Cohen adds.
"Oren [Karmi] will then work with either our customers or different issuing banks to try help identify that common point of compromise. Then we can share intelligence about the merchant that has been compromised."
He adds: "Oran and his team try to get as deep as possible and close as possible to the root [of the compromise] and expose the root."
"We have to be as close as possible to stop that [fraud]."
-
RSAC Conference 2025: AI and quantum complicate securityOrganizations are grappling with the complications of adopting AI for security
-
RSAC Conference 2025 was a sobering reminder of the challenges facing cybersecurity professionalsAnalysis Despite widespread optimism on how AI can help those in cybersecurity, it’s clear that the threat landscape is more complex than ever
-
RSAC Conference day three: using AI to do more with less and facing new attack techniques
-
"There needs to be an order of magnitude more effort": AI security experts call for focused evaluation of frontier models and agentic systemsNews Evaluating the risks of dynamic, evolving AI networks is slow work for cybersecurity analysts
-
Cyber defenders need to remember their adversaries are human, says Trellix research headThere's a growing overlap between nation-state actors and cybercriminals, but these attackers are real people who make mistakes
-
RSAC Conference day two: A focus on what attackers are doingFrom quantum to AI, experts discussed how new and experimental technologies could be used by hackers to access and decrypt sensitive data
-
RSAC Conference Day One: Vibe Is 'All In' on AI for SecurityNews Artificial intelligence took center stage as RSAC Conference looks at how the discussion has moved from generative AI to agentic AI
-
RSAC Conference 2025 live: All the latest from day threeLive blog ITPro is covering RSAC Conference 2025 live – find out all the day-three news right here
