Written by Tanya Koyfman
As in any illegal activity, those who break the law are much more familiar with those who try to enforce it than vice versa. The Russian underground is no exception, and members of different forums know much more about security sources and researchers than the latter know about them. Links to a wide variety of sites and blogs dealing with cyber security issues are frequently posted in forum discussions – sometimes in order to get advice or find out about a new malware that was reported; sometimes to promote sales of a tool or a service; and sometimes just to express feelings of frustration or to make a joke.
Taking into account the fact that Russian hackers often have difficulties with English, we found the phenomenon of referring to English sources quite unexpected. Of course, references to Russian sources dealing with security are seen as well, but far less often than English ones.
Indisputably, the most famous “good guy” on Russian forums is Brian Krebs, a journalist who reports on the cyber-crime world. Links to his posts regarding different types of malware are very common on the forums, and catching his attention is considered a sales promotion act among malware vendors. For example, in one forum discussion regarding the sale of malware called “PowerLoader”, one of the repliers advises the seller to leak the malware files to Brian Krebs, “and this will bring him a lot of clients, after Krebs writes a post about the powerful Russian hackers.” Another, less delightful, mention of Krebs’ name pertains to hackers’ concerns about infiltration by foreign impostors trying to obtain information or incriminate the forum members. Thus, every post written in English rather than Russian tends to be regarded as suspicious, and the writer is contemptuously called “Krebsenish”.
The blog “Malware don’t need Coffee”, which deals mostly with malware that undoubtedly originates in the Russian underground, is also well known to Russian forum members, as its author is embedded on some of the forums. The author is known as Kafeine, and links to his malware/vulnerability reviews are frequently posted on the forums. The funny part of this is that sometimes a forum member uploads a post and, instead of describing details or uploading images, simply gives a link to a post in the above-mentioned blog (which in turn quotes another Russian source in more detail).
One more Western celebrity among Russian hackers is the French blogger Xylibox, whose blog is dedicated to technical malware analysis. It should be mentioned that the blog is treated with respect and seriousness among the forum members, and is often cited both in professional discussions and in malware sales threads.
As we can see, the Russian underground is interested in the opposite side at least as much as the opposite side is interested in it. The forum members follow security sites and blogs, try to stay updated on the latest news and trends, and refer to them in their illegal malware sale business. Perhaps their lives become even easier when someone else does all the marketing for them?!