Need a fresh example of how malicious and fraudulent adversaries continue to professionalize and standardize in-demand cybercrime-friendly products and services, all for the sake of monetizing their experience and expertise in the profitable world of cybercrime? Publicly launched around the middle of 2013, a product/training course targeting novice cybercriminals offers them a manual, recommendations for open source/free software, and access to a private forum set up for customers only, teaching them everything a cybercriminal needs to know in order to stay secure and anonymous online. The standardized OPSEC offering also has an interesting discount-based system, offering $10 discounts for feedback from those who’ve already taken the course.
Sample screenshots advertising the product/standardized training course:
What does the OPSEC manual cover?
- Basic host security
- Setting up Virtual Machines
- Setting up encrypted backups
- Setting up and securely using email clients
- Setting up a firewall
- Basics of OpenVPN and i2p
- Basics of Bitcoin use
- How to configure popular browsers for maximum security and anonymity
- How to use Socks4/Socks5 servers (malware-infected hosts)
- How to anonymously use the most popular Web payment processors such as WebMoney, Yandex, etc.
- How to securely communicate online using free/public/community tools
In addition to the actual manual/standardized training course, the vendor has also set up a cybercrime-friendly community, to be used exclusively by his customers, to further discuss related anonymization/OPSEC tactics.
Sample screenshots of the ad promoting the cybercrime-friendly community set up exclusively for customers:
The price for the training package? $40 for the manual and access to the forum, or $30 for the manual and access to the forum if the customer provides relevant feedback about the product/training course. Over the years, we’ve seen numerous attempts to standardize knowledge, either through localization (translating the original documents), or through similar training courses aiming to educate cybercrime-friendly ‘knowledge workers’. Although we expect to continue observing such knowledge-based monetization attempts on behalf of cybercriminals, we’re certain that the tactics, techniques and procedures (TTPs) that are truly shaping the success of their fraudulent and malicious campaigns would not get a mention in such a standardized form.