By: Ryan Francis
Underground markets offer a great variety of services for cyber criminals to profit from. These forums offer items ranging from physical world items like drugs and weapons to digital world items such as spam/phishing delivery, exploit kit services, “Crypters”, “Binders”, custom malware development, zero-day exploits, and bulletproof hosting.
The underground is filled with a heavy amount of jargon and slang that may be unfamiliar. Crypters are tools that encrypts malware in order to bypass detection by Antivirus engines. Binders are tools used to trojanize a legitimate program with a malware sample. Zero-Day exploits are techniques that exploit previously unpatched vulnerabilities, used by attackers to gain unauthorized access to computing systems. While “FUD” may mean “fear, uncertainty, and doubt” in the normal security world, in the underground forum world it means “Fully UnDetectable.” On the forums there are “rippers”, who are actors identified as ripping off and scamming other users without delivering useful services or contraband.
Luis Mendieta, senior security researcher at Anomali, does an analysis of the common underground marketplaces.
Sky-Fraud is a Russian underground forum that has been in operation since 2014. Its user base consists of 26,000 active users all between Russian speaking and English speaking languages. The services offered are very diverse. The following list of services can be found on Sky-Fraud:
- Escrow services.
- Bulletproof hosting services.
- PII (Personal Identifiable Information) and CC (Credit Card) data.
- Botnets, Exploits, Malware.
- BlackHat SEO (Search Engine Optimization) and Web design.
- Payment Systems: BTC (Bitcoin), Paypal, Webmoney, Entropay.
The registration system for this forum is open to anyone. Which makes it easier for scammers, non-reputable members, law enforcement and security researchers to access. The data found in this site seems to be low fidelity given the amount of amateur hackers that operate on the site. However, one notable actor related with bulletproof hosting was observed in this forum. Volhav operated not only on this forum but also in the other underground forum explained in the coming slides. It is possible that this actor is trying different forums in order to expand his services since his registration date was early 2016. Unfortunately, his activity is only limited to two entries.
Lampeduza is a Russian underground forum that specializes in carding, dump services, and overall credit card fraud. Several segments are also dedicated to hacking, anonymization practices, spam and black hat SEO (search engine optimization). This site was previously discussed in 2013 by krebsonsecurity when one of the forum members rescator was involved in the sale and distribution of the Target breach data. In addition, Lampeduza seems to be strongly related with the notorious carding forum rescator[.]cm, where credit card data related to the breaches of Target, Home Depot and Sally Beauty was offered for sale.
Access to the Lampeduza marketplace is lightly restrictive. In order to gain access a user first receives an invitation code from an existing member, and then they must pay $50. This makes the site a bit more exclusive and less polluted than other sites. However, the potential buyer also faces the challenge of weeding out bad vendors vs. good vendors. Fortunately, the site offers a reputation system in which the user can voice any complaints and action can be taken against the vendor if needed. This is a common feature among many of the anonymous marketplaces.
Data offered in this marketplace seems to be of medium value. The data from large retailers was being sold here as well.
Exploit dot in is a Russian language based hacking forum that resembles the operations of other hacking forums such as LeakForums and HackForums. Exploit dot in has been in operation since 2007, with around 35,000 total users. Members that are part of this forum are vetted before registration and currently require an active member to vouch for them. Some areas discussing non-criminal activities are readable by the public.
These include the topics of web design, programming and hardware. Other sections like security and hacking, virology, anonymity and marketplace require a valid user account. The services being sold in this forum include the following:
- Carding services
- Bulletproof hosting
- Malware distribution services
- Zero Day Software vulnerabilities
- Malware
- Exploit Kits
- Trojans
- Crypters
A lot of the value derived from this marketplace lies in the relationships between highly-connected users. Many of the real users have multiple profiles on other forums. By having a closed registration process this forum is less polluted with fake accounts than HackForums and LeakForums.
LeakForums surfaced in the hacking scene in 2011. It currently has a user base of 1 million users. LeakForums specializes in leaks related with PII, social media accounts and the trade of paid hacker tools (Keyloggers, RATs, Crypters, and Binders). Widespread malware including Njrat, Adwind and Orcus are also freely available for registered users. Other leak categories that are also covered:
- Serial keys for commercial programs (including MS Windows, MS Office, antivirus engines)
- Stolen credentials (social media accounts)
- Hacked databases (streaming service database leaks)
- Cracked programs of well-known trojan programs (including Njrat, Adwind, Orcus)
The quality of data found in this marketplace is very low. There are a great number of amateur criminals trying to increase their profile, but selling very low quality tools. This site also lacks a reputation system that the more mature markets like Alphabay and TheRealDeal have. This makes it harder for a potential buyer to trust in the vendor. This marketplace is an initial source of many leaks, and in being able to obtain copies of well-known malware such as ORCA or Adwind to expand detection capabilities. Other than that the value of this forum is debatable.
HackForums is one of the longest running hacking forums on the Internet. It was founded in 2006 and has approximately 600,000 total users. The forum covers several topics in information security such as: hacking, programming, computer games, web design, web development in addition to the sale of hacking tools and services. HackForums is notorious for housing a large amount of amateur hackers. Some more skilled criminals have been observed offering the following services:
- Stresser services (e.g. DDoS programs)
- Remote Access Tools
- Stolen social Media accounts
- Crypters
- Virtual Private Server, VPN and hosting services.
HackForums was spotlighted this year after the MalwareHunterTeam noted a campaign that appeared to originate from here. This campaign used the ORCUS RAT. Krebsonsecurity published an additional article on the authors behind this malware as well. The quality of the data found in this marketplace is very low. Similar to LeakForums this may be related to the lack of a reputation system and the non-vetted nature of the forum. Anyone with access to the link can register for an account and have instant access to the entire forum.
TheRealDeal is a dark web market that began with an emphasis on zero-day exploits. Later on as the marketplace became more popular the services offered became more diverse. The following items are now offered in the marketplace:
- Weapons
- Counterfeit items (bank notes, passports, driver licenses)
- Stolen credit card data
- Hacked database dumps
- Illicit drugs
- Exploits
- Fully UnDetectable by antivirus engines, one-day (vulnerability that has been disclosed but not patched) and zero-day (vulnerability that hasn’t been disclosed).
During 2016 this marketplace rose to the public’s attention after a number of high profile data dumps. The data dumps involved many well-known organizations. These dumps were offered by a single reputable member of this forum peace-of-mind. The quality of services in this marketplace can be considered a mixed bag. Each vendor’s reputation can be determined by their rank as well as the feedback provided in their profile. Therefore, potential customers need to do more research into each vendor to determine whether they are legitimate. The marketplace also offers the multisig transaction method to provide additional security. One of the downsides of this marketplace is the ability to easily register for it. No vetting is required. Many non-reputable members, security researchers or law enforcement personnel are part of the marketplace. In addition to the marketplace, there is a more restricted forum that accompanies the Real Deal. This forum includes more claims of illegitimate activities, but many are hard to verify.
The AlphaBay market is a newer forum that was created in 2014. This Tor-based market has sustained considerable growth since its inception. It currently houses 240,000 users and covers the following service areas:
- Dumps, bank drops, card verification value number and credit card data.
- Illicit drugs
- Weapons
- Counterfeit items
- Courses on how to make money through illicit activities.
- Malicious software: Exploits, Exploit Kits, botnets.
The quality of the products can be considered a mixed bag. It’s up to the potential buyer to ensure the vendor has the highest vendor level and trust level. In AlphaBay a level 5 with trust level 10 is considered high reputable vendor. In addition to this, the buyer must read the reviews to see if there are complaints. AlphaBay ensures transactions are secure and seamless by offering the multisig transaction method, and two-factor authentication to access the marketplace. AlphaBay also offers Digital contracts, which are a system that utilizes the user reputation system to decrease the risk in transactions. Each contract has a cost of $5 and paid to the market admins. The content of the contract is at the discretion of the users. Digital contracts don’t necessarily eliminate scamming in its entirely but do help to build trust among members. One strange aspect of AlphaBay is that it allows users to access the marketplace programmatically via an API.