The underground malware trade is a perilous place. And as one recent case demonstrates, even if a cybercriminal has been vetted by trusted parties, the product on offer can still turn out to be a scam.
A newly released trojan, designed to infect targets' computers and siphon off their banking information, gained attention last month. Called "Sphinx," it was supposedly based on the previously successful Zeus malware, and came with a couple of novel features: all of its traffic was routed through the Tor network, and it apparently had the ability to intercept certificates as they were being used, in order to bypass security warnings.
Shortly after being advertised on a hacking forum, an administrator of the site marked the sellers of Sphinx as verified, presumably meaning that the trojan was legitimate.
The creators answered a barrage of questions from potential customers, about whether they had fixed issues in the original Zeus, and how it worked. Hype in the forums grew, with users desperately asking the Sphinx owners for more details, in the hope of getting in on the action.
“Hoping to grab this before price rise,” one user wrote. “Why be a king when you can be a god ?” wrote another.
One user even said “Soon the researchers will catch on and start to blog about this new Zeus variant.”
The price even doubled to $1,000, and Sphinx uploaded several screenshots of the malware's supposed control interface.
Then last week, Sphinx was marked as a scam on another hacking forum. A supposed conversation between an unhappy customer and the Sphinx creators was pasted, detailing how there was apparently a problem with how the malware routes through Tor.
“many peoples have the same situations, he got money but dont work,” the user wrote.
“Scammer status set,” came the reply from a forum staffer. Others who bought the software complained, with one saying “Also paid for this 1 week ago and yet to receive any files,i have proofs but hoping Sphinx sorts it out.”
Another apparent victim chimed in, saying “I will live and learn.”
The creators of Sphinx did not respond to a request for comment.
So even when those with clout vouch for other cybercriminals, it's worth remaining sceptical.