Dank Kush or Fleet Vehicles?
by Sh0kwave
There are plenty of illegal ways to make money on the Internet. You can fire up Tor, join a Dark Market, and start selling your choice of illegal goods or services. You can buy an exploit kit and start a ransomware campaign. Or why bother, just buy raw Zeus logs (about $200 per gigabyte).
Or, you could try a unique scam I recently came across on the Clearweb, or Surface Web, if you prefer. I am not going to go into detail about how or why I ran across this particular scam, and I am not going to give the normal disclaimer that this is for informational purposes only. (Oops.)
It is trivial to duplicate a website, with something like GNU Wget:
Then you can modify your copy and make it malicious to your heart's content. Fake login screens that just record credentials and then send the victim to the legitimate site are popular. You stand that up with a name very similar to the one you copied, hoping people will accidentally make a typo and end up on your site ("typosquatting"). Or email links to your fake site, hoping people will go there and just give you their password. Those are tried and true methods of credential thievery.
Or you could make a really good copy of a big corporate website, but maybe not in their country of origin, and do something else. Maybe you could make a website copy that included privacy policies, pictures of products, logos, quotes and pictures of executives, job postings, stock quotes, maps to the headquarters, everything to make the site look dead-on balls accurate. (Watch My Cousin Vinny.) This takes more work than GNU Wget, but then maybe you could use it for more than just stealing passwords.
Pick a big, well-known company with a solid reputation - which is difficult these days, but try. Make a really convincing site, maybe in some country where they do business, but not where the headquarters are located. Maybe a country where cyber crime enforcement is lax. And then what do you do with it? How about sell fleet vehicles. Fleet vehicles, you ask? What are those? They are not as common these days, but plenty of corporations still have them. Companies buy vehicles, typically for sales people or employees who are required to travel a lot, or as perks for executives who live in countries where cash bonuses have significant tax implications. The companies allow these employees to use these vehicles for several years or so for free, and then they sell them off and buy a new fleet of vehicles. Sometimes these fleet vehicles are sold to company employees at a deep discount as an additional perk, or sometimes, occasionally, they are sold to the general public.
What if your dead-on balls accurate fake website was selling deeply discounted fleet vehicles for the low, low price of only several thousand dollars apiece? What if the company was also involved in shipping, and was also selling their used fleet of semi-trucks for a few tens of thousands of dollars each? Fake vehicle pictures, service records, just like a car dealership. Would anybody fall for such a scam? I leave it as an exercise for the reader.
Maybe not. Maybe they would not fall for actually transferring money, but maybe that was not the real scam. What if you had to "apply" to purchase one of these highly desirable vehicles? Make up some reason to have people apply, but have the application process include lots of personal information. Driver's license information (to make sure you are a safe driver), employment history, salary history, previous addresses, mother's maiden name, you get the idea.
Now let's suppose you are discovered after many people have purchased a vehicle and made bank transfers to you, and after many more have applied.
What will happen to you?
Prosecution? Jail?
Relax. Buy some dank kush from your favorite Dark Market vendor, and relax.