[BreachExchange] Upstart crime site woos Raid Forums orphans

Matthew Wheeler mwheeler at flashpoint-intel.com
Mon Apr 4 11:36:58 EDT 2022


https://www.csoonline.com/article/3655637/upstart-crime-site-woos-raid-forums-orphans.html#tk.rss_news

Breach Forums launches as alternative to mysteriously torpedoed illicit
cybercrime community.

By John P. Mello Jr.

Contributor, CSO | APR 1, 2022 1:26 PM PDT

A new crime site for hackers is positioning itself as an alternative to
Raid Forums, a popular watering hole for threat actors before it was
mysteriously taken down in February.

The new site, Breach Forums, was launched by an old Raid Forums hand who
goes by the handle "pompompurin," according to a blog post this week by
Flashpoint, a threat intelligence company. In the welcoming thread to the
forum, pompompurin stated that the new hacker community was being created
as an alternative to Raid Forums.

“If RaidForums does ever return in any official capacity,” pompompurin
wrote, “this forum will be closed and this domain will redirect to it.”

With a little more than 1,500 members, Breach Forums has a long way to go
before it reaches the 748,348 members Raid Forums had before its demise.

A market for a forum to buy and sell stolen credentials

Raid Forums was a mid-tier English-language hacking forum that attracted a
wide international audience of threat actors, Flashpoint explained. The
forum was one of the most popular illicit online forums on the public
internet and was notorious for its high-profile database leaks and
offerings. Breach Forums aims to fill the vacuum in the fraud community
created by the closure of Raid.

Breach Forums is on its way to replacing Raid Forums, observes Dan Piazza,
technical product manager for Netwrix, an IT security software company.
"However," he adds, "there are also dark web alternatives that previous
Raid Forums users may flock to instead. Only time will tell," he says, "but
there's clearly a market for a surface web forum where credential breaches
can be bought and sold."

"At least a chunk of the activity and function of Raid Forums will make its
way to Breach Forums," adds Casey Ellis, CTO and founder of Bugcrowd, which
operates a crowdsourced bug bounty platform. "I wouldn’t be surprised if
the starting from scratch aspect of that shift will result in some new and
novel ways to use this type of community."


Single enforcement event not likely to have significant impact on cybercrime

Piazza downplayed the impact that the rise of a Raid Forums proxy will have
on security professionals. "I personally don't think this will have much
impact on security professionals," he says. "Raid Forums wasn't the only
site offering this kind of community—especially when you consider the dark
web and private discussion groups in chat software like IRC."

"I am not sure much really changes," added John Bambenek, principal threat
hunter at Netenrich, an IT and digital security operations company. "On the
internet, crime still pays, so until takedowns—and more importantly,
arrests—radically increase, there isn’t much incentive against criminals
remaining criminals. Much like a seizure of a large cache of drugs and
guns, no single enforcement event has a long-term significant impact on
crime."

ESET Distinguished Researcher Aryeh Goretsky, though, maintains that
monitoring criminal ecosystems can be tricky. "It requires not just time
and patience, but specialized skill sets, temperaments and knowledge about
the participants and their behaviors, interests, and activities," he says.
"Having to restart learning, of course, can be difficult in a new and
unknown environment."

Ellis adds that the main challenge for security professionals posed by the
demise of Raid Forums is its disruption to breach and threat intelligence
sources. "In some ways, having a stable criminal community, which can be
observed or infiltrated by benevolent researchers, is as valuable a
defensive asset as it is useful for the bad guys," he says. "When a source
gets burnt like that, the ability to glean intelligence gets burnt as well."