The genesis of underground markets goes back to when communication used to take place via Internet Relay Chat channels. Fast forward to the 21st Century with the evolution of cryptocurrencies and anonymous communications the underground market ecosystem has evolved.
Underground markets offer a variety of services for cyber criminals to profit from, says Luis Mendieta, senior security researcher at Anomali. These forums offer items ranging from physical world items like drugs and weapons to digital world items such as spam/phishing delivery, exploit kit services, “Crypters”, “Binders”, custom malware development, zero-day exploits, and bulletproof hosting.
The underground is filled with a heavy amount of jargon and slang that may be unfamiliar. Crypters are tools that encrypts malware in order to bypass detection by antivirus engines. Binders are tools used to trojanize a legitimate program with a malware sample. Zero-Day exploits are techniques that exploit previously unpatched vulnerabilities, used by attackers to gain unauthorized access to computing systems. While “FUD” may mean “fear, uncertainty, and doubt” in the normal security world, in the underground forum world it means “Fully UnDetectable.” On the forums there are “rippers”, who are actors identified as ripping off and scamming other users without delivering useful services or contraband, Mendieta said.
He details the following marketplaces with each having a set of characteristics that stand out. Some forums are accessible only via the TOR network while others are only accessible via traditional web browsing (clearnet). Other forums specialize in services such as carding (Credit card fraud) and PII (personal identifiable information) fraud while others prefer to focus on zero-day exploits, botnet services and bulletproof hosting. There are also forums catering to a broader audience that offer a large variety of real world items ranging from Illicit drug sales, counterfeit items (passports, driver licenses, Money notes), and weapons.
Sky-Fraud Underground Forum
Skyfraud
Sky-Fraud is a Russian underground forum that has been in operation since 2014. Its user base consists of 26,000 active users all between Russian speaking and English speaking languages. The services offered are very diverse. The following list of services can be found on Sky-Fraud:
- Escrow services
- Bulletproof hosting services.
- PII (Personal Identifiable Information) and CC (Credit Card) data.
- Botnets, Exploits, Malware.
- BlackHat SEO (Search Engine Optimization) and Web design.
- Payment Systems: BTC (Bitcoin), Paypal, Webmoney, Entropay
The registration system for this forum is open to anyone. Which makes it easier for scammers, non-reputable members, law enforcement and security researchers to access. The data found in this site seems to be low fidelity given the amount of amateur hackers that operate on the site. However, one notable actor related with bulletproof hosting was observed in this forum. Volhav operated not only on this forum but also in the other underground forum explained below exploit.in. It is possible that this actor is trying different forums in order to expand his services since his registration date was early 2016. Unfortunately, his activity is only limited to two entries.
Lampeduza Underground Forum
Lampeduza is a Russian underground forum that specializes in carding, dump services, and overall credit card fraud. Several segments are also dedicated to hacking, anonymization practices, spam and black hat SEO (search engine optimization). This site was previously discussed in 2013 by krebsonsecurity when one of the forum members rescator was involved in the sale and distribution of the Target breach data. In addition, Lampeduza seems to be strongly related with the notorious carding forum rescator[.]cm, where credit card data related to the breaches of Target, Home Depot and Sally Beauty was offered for sale.
Access to the Lampeduza marketplace is lightly restrictive. In order to gain access a user first receives an invitation code from an existing member, and then they must pay $50. This makes the site a bit more exclusive and less polluted than the rest of the sites explained in this bulletin. However, the potential buyer also faces the challenge of weeding out bad vendors vs. good vendors. Fortunately, the site offers a reputation system in which the user can voice any complaints and action can be taken against the vendor if needed. This is a common feature among many of the anonymous marketplaces.
[ ALSO ON CSO: 8 of the most unsettling things you’ll find on the darknet ]
Data offered in this marketplace seems to be of medium value. The data from large retailers was being sold here as well.
Exploit dot in Underground Forum
Exploit dotExploit dot in is a Russian language based hacking forum that resembles the operations of other hacking forums such as LeakForums and HackForums. Exploit dot in has been in operation since 2007, with around 35,000 total users. Members that are part of this forum are vetted before registration and currently require an active member to vouch for them. Some areas discussing non-criminal activities are readable by the public.
These include the topics of web-design, programming and hardware. Other sections like security and hacking, virology, anonymity and marketplace require a valid user account. The services being sold in this forum include the following:
- Carding services
- Bulletproof hosting
- Malware distribution services
- Zero Day Software vulnerabilities
- Malware
- Exploit Kits
- Trojans
- Crypters
A lot of the value derived from this marketplace lies in the relationships between highly-connected users. Many of the real users have multiple profiles on other forums. By having a closed registration process this forum is less polluted with fake accounts than HackForums and LeakForums. Out of the 35,000 total users on the site:
- 36 users are vendors.
- Only 1 user has an admin designation.
- Only 5 users are moderators.
- 54 users are verified users.
- 43 users are specialists.
This proportion of real, active accounts to non-active accounts is fairly common among many of the forums. It is also compounded by the anonymity of the users. The blacklist complaint threads are useful for weeding out rippers, but they lead to a heavy turnover in vendors. The successful vendors appear to have strong relationships with one another in other more closed forums or venues, allowing each of them to vouch for one another. Although it seems that the vendors almost always end up ripping off at least one of their clients, which results in their current profile becoming blacklisted. It is likely due to this high amount of turnover that the more interesting vendors seem to create a new profile with new contact information each time they offer new items for sale.
LeakForums Underground Forum
LeakForums surfaced in the hacking scene in 2011. It currently has a user base of 1 million users. LeakForums specializes in leaks related with PII, social media accounts and the trade of paid hacker tools (Keyloggers, RATs, Crypters, and Binders). Widespread malware including Njrat, Adwind and Orcus are also freely available for registered users. Other leak categories that are also covered.
- Serial keys for commercial programs (including MS Windows, MS Office, Antivirus engines)
- Stolen Credentials (Social media accounts)
- Hacked databases (Streaming service database leaks)
- Cracked programs of well-known trojan programs (including Njrat, Adwind, Orcus)
The quality of data found in this marketplace is very low. There are a great number of amateur criminals trying to increase their profile, but selling very low quality tools. This site also lacks reputation system that the more mature markets like Alphabay and TheRealDeal have. This makes it harder for a potential buyer to trust in the vendor. This marketplace is an initial source of many leaks, and in being able to obtain copies of well-known malware such as ORCA or Adwind to expand detection capabilities. Other than that the value of this forum is debatable.
HackForums Underground Forum
HackForums is one of the longest running hacking forums of the Internet. It was founded in 2006 and has approximately 600,000 total users. The forum covers several topics in information security such as: hacking, programming, computer games, web design, web development in addition to the sale of hacking tools and services. HackForums is notorious for housing a large amount of amateur hackers. Some more skilled criminals have been observed offering the following services:
- Stresser services (e.g. DDoS programs)
- RAT (Remote Access Tools)
- Stolen social media accounts (including Facebook, Twitter, YouTube)
- Crypters (tools that obfuscate malware from antivirus engines)
- VPS (Virtual Private Server), VPN (Virtual Private Network), and hosting services.
HackForums was spotlighted last year after the MalwareHunterTeam noted a campaign that appeared to originate from here. This campaign used the ORCUS RAT. Krebsonsecurity published an additional article on the authors behind this malware as well. The quality of the data found in this marketplace is very low. Similar to LeakForums this may be related to the lack of a reputation system and the non-vetted nature of the forum. Anyone with access to the link can register for an account and have instant access to the entire forum. This may have led to a large amount of amateur criminals on the forum.
This forum is prone to a high number of fake profiles, scammers and law enforcement personnel. Although this marketplace is useful for downloading a fresh copy of a given RAT builder to help build detection capabilities.
TheRealDeal marketplace
TheRealDealTheRealDeal is a dark web market that began with an emphasis on zero-day exploits. As the marketplace became more popular the services offered became more diverse. The following items are now offered in the marketplace:
- Weapons
- Counterfeit items (Bank Notes, Passports, Driver licenses)
- Stolen credit card data
- Hacked database dumps
- Illicit drugs (MDA, LSD, Pharmacy, Cocaine)
- Exploits:
- FUD (Fully UnDetectable by antivirus engines), one-day (vulnerability that has been disclosed but not patched) and zero-day (vulnerability that hasn’t been disclosed).
During 2016 this marketplace rose to the public’s attention after a number of high profile data dumps. The data dumps involved many well-known organizations. These dumps were offered by a single reputable member of this forum peace-of-mind. The quality of services in this marketplace can be considered a mixed bag. Each vendor’s reputation can be determined by their rank as well as the feedback provided in their profile.
Therefore, potential customers need to do more research into each vendor to determine whether they are legitimate. The marketplace also offers the multisig transaction method to provide additional security. One of the downsides of this marketplace is the ability to easily register for it. No vetting is required. Many non-reputable members, security researchers or law enforcement personnel are part of the marketplace. In addition to the marketplace, there is a more restricted forum that accompanies TheRealDeal. This forum includes more claims of illegitimate activities, but many are hard to verify.
AlphaBay Marketplace
The AlphaBay market is a newer forum that was created in 2014. This Tor-based market has sustained considerable growth since its inception. It currently houses 240,000 users and covers the following service areas:
- Dumps (Databases containing credit card data), Bank drops, CVV (Card verification value number) and CC (Credit Card) data.
- Illicit drugs
- Weapons
- Counterfeit items (Bank Notes, Passports, Driver licenses)
- Courses on how to make money through illicit activities.
- Malicious software: Exploits, Exploit Kits, botnets.
The quality of the products can be considered a mixed bag. It’s up to the potential buyer to ensure the vendor has the highest vendor level and trust level. In AlphaBay a level 5 with trust level 10 is considered high reputable vendor. In addition to this, the buyer must read the reviews to see if there are complaints. Credit card data and Personal Identifiable Information sold in this forum is of mixed quality based upon each vendor. Some of that data comes from compromised e-commerce sites as well as compromised point of sale terminals. AlphaBay ensures transactions are secure and seamless by offering the multisig transaction method, and two factor authentication to access the marketplace.
AlphaBay also offers Digital contracts, which is a system that utilizes the user reputation system to decrease the risk in transactions. Each contract costs $5 and paid to the market admins. The content of the contract is at the discretion of the users. Digital contracts don’t necessarily eliminate scamming entirely but do help to build trust among members. One strange aspect of AlphaBay is that it allows users to access the marketplace programmatically via an API. Out of 240,000 users between the forums and marketplace:
- Five vendors were ranked among the top reputable vendors (Trust level 10). These five vendors specialize in the sale illicit drugs (cocaine, crack, heroine).
- Twenty users were ranked as most notable based on amount of posts and participation.
There is a high correlation between top-ranking members of the marketplace and forum. Although this marketplace includes secure transactions and reputation systems for its users, it is still suffering from the same issues as TheRealDeal. The lack of initial vetting process allows anyone with the link to the marketplace to register. There is a considerable amount of non-reputable users, and suspected security researchers that are part of its user base.
Conclusion
Underground markets offer a variety of services that are very attractive to criminals from all walks of crime. They provide a fascinating view of how underground economies operate to anyone that has access to a web browser and TOR.
Most of the marketplaces are of questionable value, but there are a few handfuls of reputable criminals operating on the forums. The most useful markets are extremely exclusive and hard to access, but the open markets offer an initial view into these communities.
This story, "The unseemly world of darkweb marketplaces" was originally published by CSO.