Modern Underground Marketplaces and Digital Goods
Convenience has steered the growth of an ever-evolving digital world and online businesses have thrived on the opportunities that it has created. However, this has not only benefited legal eCommerce businesses, but has also allowed underground markets to proliferate.
There has also been an exponential increase in the number of hackers targeting governments, private organizations and businesses. Off-the shelf hacking tools and tutorials, available on underground cybercrime forums and marketplaces, have made it easier for hackers to operate. They might not even have the technical expertise required to build such tools from scratch. Some hackers may simply write a program that will on its own seek out services and products that will help them achieve their goals.
Evolution of Modern Dark Web Marketplaces
Silk Road, founded by Ross Ulbricht (aka Dread Pirate Roberts) in February 2011, was the first dark web marketplace to use both Tor and Bitcoin escrow. However, this marketplace was popularly known as a platform to sell illegal drugs. Silk Road was the first of its kind to accept a decentralized currency (Bitcoin) as payment for transactions. Silk Road itself did not have a decentralised economy though.
Merging an encrypted network, inaccessible to a significant part of the population, and a currency that is almost untraceable is bound to create a fertile ground for criminal activities. Silk Road was a Tor site that allowed users to access it anonymously. Fundamentally, dark web marketplaces are online platforms that facilitate the sale of illegal drugs, stolen data, forged documents, exploits, malicious software, etc.
Screenshot of Silk Road
Today, there are at least 30 known active dark web markets. Although it is difficult to trace transactions from the Bitcoin blockchain, these marketplaces receive most of their revenue from commissions on selling the following products: Drugs, data, counterfeit currency, weapons, cyber weapons, counterfeit pharmaceuticals, etc.
Dark web marketplaces operate just like other online marketplaces, such as eBay, Amazon or Craigslist, on which vendors advertise their products and prices. Likewise, customers place orders through the market’s website and get their orders delivered by sellers. The market, then, withholds the payment for the transaction from the sellers, until the buyer validates the receipt of items ordered. The buyer’s feedback adds to the seller’s credibility on the platform.
However, these marketplaces do not hold the buyer’s Bitcoins on local addresses, but rather, sends them to third-party escrow services. Upon proof of receipt from the buyer, the escrow service disburses the payment to the seller. If in case the transaction is not complete, customers can cancel the order to get a refund.
Modern Marketplaces – Digital Goods
For the purpose of explaining how marketplaces work, we will be taking the examples of dark web marketplaces like xLeet and Odin, as well as use screenshots of instances taken from these markets.
Modern markets, like xLeet, deal in digital goods that are categorized as follows:
Remote Desktop Protocols
Remote Desktop Protocol, developed by Microsoft, is a proprietary protocol that allows users to access a desktop or application on a remote host. Although RDP is intended to grant access to remote administrators, it is widely abused by hackers who gain unfettered access to computers to commit undetected malicious activities.
Threat actors usually hack/ create and sell admin or user RDP accesses. At present, over 3688 RDPs are being sold on xLeet alone. Buyers need to only search and filter for RDP accesses based on their host country, host business, IP blacklist, domain SEO details, vendor, source, price, date of creation to purchase goods that suit their needs. RDP accesses are usually sold for a price between $1.50 – $80.
RDPs for sale on marketplace (Source: xLeet.to)
When cybercriminals gain admin access to systems with the help of RDPs, they acquire initial access without having to rely on other malicious tools such as malware, or create elaborate phishing campaigns, as is the normal case. RDPs also provide attackers powerful means to evade detection and their actions go largely unnoticed. The SamSam ransomware attack, for example, leveraged RDP to penetrate undetected networks and infect them.
The broad variety of information obtained through RDPs include financial and sensitive credentials that hackers leverage to carry out other crimes, such as identity theft, credit card fraud, account takeovers, and more.
Tools like cPanel and WHM make server and website management easier. These software suites are used by over 70 million domains worldwide. However, the team implemented a faulty two-factor authentication (2FA) on their applications, which rendered them vulnerable to brute-force attacks. This helped attackers guess URL parameters and bypass the 2FA on accounts that used it.
cPanel checkers, crackers, credentials and accesses are very popular on dark web markets. As shown in the screenshot below, the marketplace has over 8,798 cPanel accesses for sale, currently. These are typically sold for $1.70 – $30.
cPanel accesses for sale (Source: xLeet.to)
Threat actors abuse SMTP (Simple Mail Transport Protocol) servers to carry out fraudulent, harmful mass mailing campaigns. They leverage spam-friendly SMTP servers to flood inboxes with spam. Spam-friendly SMTP servers are sold for $1-$25 and there are about 3,402 mailers available for sale at present.
SMTP/Mailers for sale (Source: Odin.to)
Quite often spam email messages are commercial in nature. Threat actors masquerade as contacts found in legitimate emails to defraud victims. Region/ country-based updated email lists are very popular among sellers and buyers. Login credentials and combos of email addresses and passwords are primarily used in brute-force attacks.
Earlier, stolen credentials and records were exclusively sold by select vendors. But the industry has expanded significantly. Today, various hacked databases are broken down into combos of credentials alone and sold for a considerable price, usually between $2 and $999.
Email combos for sale (Source: Odin.to)
Webmail services such as Gmail are accessible through browsers, unlike email client softwares like Microsoft Outlook. Threat actors, for several reasons, target administrative credentials on such webmail services. To begin with, Office 365 admins manage mailboxes, accounts, etc. for each domain. A compromised admin account may allow retrieval of user emails or even the complete takeover of other email accounts on the domain.
Webmail is commonly used for social engineering attacks. It could also potentially allow threat actors to abuse password reset attempts or single-sign-on systems. Attackers could leverage the reputation of the compromised domain to send out a new wave of attacks.
14548 webmails are available for sale on the xLeet as of now. The marketplace allows interested buyers to filter webmail based on the nation of the victim, hosting, and the date the post was created. The price range usually falls between $1 and $10.
Office365 Webmail for sale (Source: xLeet.to)
Godaddy webmail for sale (Source: xLeet.to)
On May 5, 2020, GoDaddy revealed that an unauthorised attacker compromised the SSH credentials of approximately 28,000 GoDaddy web hosting accounts. With over 19 million customers, 77 million domains managed, and millions of hosted websites, GoDaddy is a popular web hosting company.
GoDaddy wrongly handed over the control of certain accounts and domains to a malicious actor. This allowed the actor to alter DNS records and take over a number of internal email accounts. They were also able to add or modify any files and gain access to storage.
Over the years, the number of data breaches targeting organizations and individuals have increased multifold, affecting their sensitive information. There are several dark web marketplaces where hackers sell data exfiltrated from a variety of platforms and accounts . This includes data related to:
Email marketing, webmail business, networking resources, hosting/ domain, gaming, graphic/ developer, VPN/ socks proxy, shopping accounts (Amazon, eBay, etc.), program accounts (Antivirus, Adobe, etc.), streaming apps (music, sports, Netflix, HBO, etc.), dating apps, e-learning, Torrent/ file hosts, void/ sip, social media accounts, and more.
Accounts for sale (Source: xLeet.to)
Email accounts, depending on the sensitivity of the content, sell for about $1.00 – $60.00 per account. This includes accounts from major email service providers such as Yahoo and Gmail. With a mere email address a hacker can carry out other malicious attacks, from collecting personal data to using them as part of a botnet. Personal accounts may expose sensitive/ personal information, and any banking communication can reveal information that a scammer can leverage to make transactions on the victim’s behalf.
In 2016, Adaware reported how a dating site “Mate1” sold 27 million accounts of its users to hackers. Although it sounds strange to target a dating website, the personal data that such websites obtain from its users can be used to perform identity theft. Threat actors could impersonate the victim and persuade other people on the victim’s contact to transfer money into the scammer’s bank account.
Meetmindful accounts for sale (Source: xLeet.to)
More recently in January 2021, a well-known hacker leaked the data of more than 2.28 million users registered on dating website MeetMindful.com. The data from the site was shared on a freely accessible hacker website known for trading in stolen databases. The data was posted for free, for anyone to download. The data, however, contained a wealth of knowledge submitted by users while setting up profiles on MeetMindful’s website and other smartphone applications including hacked Netflix, porn pages, free flight airline accounts, Fortnite accounts, etc.
Once such data is out in the public, no one can prevent it from being traded or shared. But, we can monitor these marketplaces and their activities and analyze buyers’ intentions, which would help us prepare for further attacks on any organization.
Monitoring dark web marketplaces and forums can give us a good idea of what organizations are being targeted. To find out whether your data is part of a data breach, use data breach alert systems. Security solutions such as CloudSEK’s XVigil scour surface web and dark web, to identify potential cyber threats relevant to specific organizations and set up alerts to keep you up to speed with the latest threat intelligence.