Malware wholesale and retail: What's new in the darknet markets

The darknet is a favorite place for cybercriminals who want to find like-minded people, share their experience, and sell or purchase new technologies to carry out their attacks. Stolen logins and passwords from user accounts and almost any malware, from botnets to IoT viruses, can easily be found on trading platforms in this segment of the Internet. A new Trend Micro study is devoted to the dynamics and main trends of such "supermarkets" for hackers, which we will talk about in this article.

In the Dark

In 2015-2016, Trend Micro published a series of reports united by a common theme: the economy of the cybercrime world. In 2020, we returned to the analysis of the darknet / darkweb and its markets in the study Shifts in Underground Markets: Past, Present, and Future. Its purpose is to show how the development of technologies and the current situation in the world have affected pricing, the mechanisms of interaction between participants in underground markets on the dark web, and the popularity of certain categories of goods and services. We also wanted to know what the future holds for these markets and what ordinary users and IT security professionals can expect from their "customers".

This interest is not least caused by the fact that cybercrime leaves multinational corporations far behind in terms of profitability. For example, the estimated annual profit of cybercriminals is about 1.5 trillion US dollars, while such giants as Apple and Amazon received "only" 260 and 290 billion dollars in revenue for 2019, respectively. In addition, the dark web markets react very quickly to global trends. Almost immediately after the outbreak of the coronavirus pandemic, COVID-19-related offers appeared on underground forums, from innocent ones, such as wholesale trade in respirators and toilet paper, to outright malicious software and tools for attacks using social engineering methods.

Distrust and "legalization"

In the years that have passed since our last research in this area, the way of thinking of the "residents" of underground trading platforms, and the platforms' infrastructure, have undergone major changes. First of all, these changes concern the methods of interaction between sellers and buyers, as well as declining trust in the dark web and the forums where cybercriminals publish their ads. It is also necessary to note the growing influence and interference of law enforcement agencies in the activities of the dark web.

In 2019, the administrators of one of the largest underground markets, the Wall Street Market, tried to close their business and run away with the funds that buyers had handed over to them for safekeeping (escrow) until the sellers fulfilled their obligations. This attempt was connected with the increased attention of law enforcement agencies to the dark web and its large trading platforms, which eventually resulted in the arrest of the administrators of this and two other portals. And towards the end of 2019, the Italian police conducted a successful operation to close another popular forum, Berlusconi Market. Both of these factors (the administrators' attempt to run off with the escrow, and the closure of several large forums) were the reasons for the decline in confidence of dark web users in underground markets. In addition, the remaining popular forums, such as Empire, faced another problem in 2019: constant DDoS attacks, which, according to rumors, were sanctioned by the same law enforcement agencies.

As a result, hackers are gradually mastering "legal" channels for communication and trading, which in the current conditions are more convenient and safer for them than the usual dark web sites. For example, not so long ago we discovered a popular e-commerce platform registered in the name of a company from the Middle East. On this platform, any user can register to sell digital goods and services. In December 2019, it even entered the top 15,000 sites in the world and the top 5,000 in the United States (according to Alexa analytics).

At first glance, everything on this resource looks absolutely legal, and the platform's terms of use even prohibit the sale of illegal materials. But according to the same analytics data, more than half of the site's traffic comes from the popular underground forum cracked.to, and on another underground forum, Nulled.to, it is explicitly stated that its administrator is associated with the platform's management. And all the stores on this platform whose links can be found on cybercriminal forums continue to function despite the fact that they clearly violate its terms.

The Discord app is also gaining popularity and is actively displacing Telegram as the messenger of choice for communicating and conducting transactions between cybercriminals. First of all, this is due to the degree of anonymity the application provides to users, and the ability to create your own servers. Judging by the fact that in the course of our research we repeatedly found servers offering the same products and services as the underground sites, many hacker forums from the dark web have already taken advantage of this opportunity.

What, where, and how much?

In the course of our research, we divided all goods and services on underground markets into 18 fairly broad categories, covering offers from credit card data and drugs to encryption programs. You can find the full list in the text of the study itself; in this post we will focus on the five most interesting categories.

- Stolen accounts. We found almost five million posts on underground forums related to this category. It includes a huge number of different types of accounts, including logins and passwords for online banking, online stores, food delivery services, and entertainment portals and services (Netflix, Amazon, Hulu, Spotify and even Disney+, although this service only launched in November 2019). It is worth noting that the maximum popularity of a category does not mean maximum profitability for cybercriminals. The price tag for most accounts starts at $1, and access to a user's bank account can be obtained for as little as $5; this situation has not changed much since our previous market analysis.

- Software and accounts for gaming. Games have long been a part of the modern way of life, but the scale of interest in them from hackers (and their customers) brought this category to second place in our study. There are almost 3 million posts on underground forums dedicated to gaming. Here we are talking not only about traditional cheating tools for multiplayer and competitive games (aimbots or wallhacks), but also about access to rare accounts with a large number of in-game items, or trading skins for popular games. For example, credentials for a Fortnite account can cost $999, which is understandable given the game's popularity and the fact that many Asian gamers spend huge amounts on purchases in in-game stores (especially in MMORPGs).

- Credit card details. Almost two million messages on underground forums relate to stolen card data. The price of this data depends directly on the balance on the card, and credit cards with a confirmed large balance or credit limit can cost more than $500. In general, interest in cards remains consistently high, but prices in this category have fallen significantly in recent years. In 2015, one card sold for $20; now the starting price for the credentials of a card with an unverified balance is about $1.

- Spam. Automatic spam mailing software is mentioned in more than 600,000 messages. Prices for products in this category have not changed much since 2015 and start at about $20. Curiously, most of the offers do not concern sending spam by e-mail, but an even more traditional channel: SMS. Mass mailing via this channel costs from $25 to $50.

- Tools for creating fake news. This category is gaining popularity quite actively, but it appeared not so long ago, so for now about half a million posts on underground forums are devoted to it. We noted the interest of cybercriminals in it in our 2017 study, and since then like farms, fake comments and the promotion of topics of interest to the buyer have not gone away. The lowest prices for such tools are traditionally offered by the Russian-speaking segment of the dark web, from $1 per 10,000 likes, and prices have been stable for several years. A social media bot will set you back $25, and 1,000 likes on YouTube start at $26.

As a "bonus" category, we should mention ransomware, for which we found only about 80,000 mentions on underground forums. Despite the huge losses that tools from this category have brought to enterprises around the world, and about $1 billion in profit for cybercriminals in 2016 alone, their starting cost remains quite low, from $5. At the same time, successful and well-established "malware" can cost more than $1,000 or even $3,000. Jigsaw is the most popular product on the market, followed by the notorious WannaCry.

Trends and the future of trading on the darknet

We took a look at the current situation in the world and made a number of assumptions about what awaits underground markets and ordinary users suffering from the actions of cybercriminals.

1) The growing popularity of MaaS. Developers of antivirus solutions are not the only ones able to sell their software by subscription. The MaaS (malware as a service) model is actively gaining popularity in the cybercrime environment. Hacker forums offer not only the source code of their software or ready-made "malware" builds, but also technical support and timely updates of the tools; that is, they adopt the practices of large software companies to ensure a stable monthly or annual income.

2) DeepFake. The popularity of this technology is constantly growing, and the potential for its use for illegal purposes is simply huge. Fake images and videos (and even voice recordings) generated using neural networks will be used for social engineering attacks, creating fake news, and sextortion (blackmail with threats to publish real or fake sexual material concerning the victim), including with elements borrowed from ransomware, for example a timer that counts down the time until publication.

3) Blockchain for cybercriminals. There are already active discussions on underground forums about automating the settlement process between buyers and sellers, prompted by the drop in confidence in market administrations and in the security of the dark web as a whole described above. One of the ideas is to use "smart" contracts and blockchain elements to completely eliminate the possibility of fraud on the part of the participants in a transaction.

4) Access to emerging markets. In our 2017 research, we predicted that cybercriminals would become more active in Africa, and this prediction has been fully borne out. Africa has already developed its own cybercrime groups that operate not only on its territory, but also around the world. In the next 3-5 years, the situation will only get worse.

5) Globalization. Underground markets are moving away from being divided into local communities. For example, many ads from the Russian-speaking segment can already be found on English and Arabic forums, which was not the case 5 years ago. This trend may well continue in the future, although some products remain unique to specific markets and regions.

6) The Internet of Things. IoT and fitness gadgets have long been used by hackers to build botnets and conduct DDoS attacks, but with the development of 5G networks and the gradual increase in the performance of IoT devices, including fitness trackers, we can expect cybercriminals to use them for more sophisticated attacks, including collecting user data for subsequent blackmail.

7) SIM card cloning. Many companies already use two-factor authentication, granting access to an account only after a one-time code is received on the user's mobile device. According to reports on underground forums, cybercriminals are quite actively interested in the possibility of stealing, swapping or cloning such SIM cards, especially when it concerns administrator accounts. Such an operation would allow them to gain access to a company's infrastructure without having to hack it from the outside.

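To make the escrow idea from point 3 concrete, here is an added illustration (not from the Trend Micro study and not any real market's code): a minimal model of a blockchain-style escrow contract written in Python, with the buyer, seller, prices and block heights all constructed for the example. It shows what such a contract does and does not fix: because no function lets a market operator move the funds, a Wall Street Market-style exit scam by the administrators becomes impossible, but the contract cannot observe off-chain delivery, so a buyer who receives the goods and simply waits for the refund deadline still defrauds the seller.

```python
"""Minimal model of an on-chain escrow contract (added illustration, not real market code)."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    CREATED = "created"
    FUNDED = "funded"
    RELEASED = "released"   # funds paid out to the seller
    REFUNDED = "refunded"   # funds returned to the buyer


class EscrowError(Exception):
    """Raised when a call violates the contract rules (a reverted transaction)."""


@dataclass
class Escrow:
    """Escrow for one deal. Every state change is checked against the caller
    and the current block height, as an on-chain contract would do it.
    There is deliberately no method that lets a market operator move funds."""
    buyer: str
    seller: str
    price: int
    refund_after: int            # block height after which the buyer may reclaim
    state: State = State.CREATED
    balance: int = 0
    payouts: dict = field(default_factory=dict)   # address -> coins paid out

    def _pay(self, to: str) -> None:
        self.payouts[to] = self.payouts.get(to, 0) + self.balance
        self.balance = 0

    def fund(self, sender: str, amount: int) -> None:
        if self.state is not State.CREATED:
            raise EscrowError("already funded")
        if sender != self.buyer or amount != self.price:
            raise EscrowError("only the buyer may fund, with the exact price")
        self.balance = amount
        self.state = State.FUNDED

    def confirm_delivery(self, sender: str) -> None:
        """Buyer acknowledges delivery; this is the only path that pays the seller."""
        if self.state is not State.FUNDED:
            raise EscrowError("nothing to release")
        if sender != self.buyer:
            raise EscrowError("only the buyer can release")
        self.state = State.RELEASED
        self._pay(self.seller)

    def claim_refund(self, sender: str, block_height: int) -> None:
        """Buyer reclaims the funds if delivery was never confirmed before the deadline."""
        if self.state is not State.FUNDED:
            raise EscrowError("nothing to refund")
        if sender != self.buyer:
            raise EscrowError("only the buyer can reclaim")
        if block_height < self.refund_after:
            raise EscrowError("refund window not open yet")
        self.state = State.REFUNDED
        self._pay(self.buyer)


def run_scenarios() -> dict:
    """Three constructed deals: honest trade, operator exit scam, buyer who never confirms."""
    results = {}

    # 1. Honest trade: buyer funds, confirms delivery, seller is paid.
    e = Escrow("buyer1", "seller1", price=500, refund_after=100)
    e.fund("buyer1", 500)
    e.confirm_delivery("buyer1")
    results["honest"] = (e.state, e.payouts.get("seller1", 0))

    # 2. Market admin tries to walk off with escrowed funds (the exit-scam case).
    #    "admin" is neither party, so the call reverts and the balance stays put.
    e = Escrow("buyer2", "seller2", price=500, refund_after=100)
    e.fund("buyer2", 500)
    try:
        e.confirm_delivery("admin")
        stolen = True
    except EscrowError:
        stolen = False
    results["admin_exit_scam"] = (stolen, e.balance)

    # 3. Seller delivers off-chain, buyer refuses to confirm and waits out the deadline.
    #    The contract cannot see the delivery, so the refund succeeds and the seller gets 0.
    e = Escrow("buyer3", "seller3", price=500, refund_after=100)
    e.fund("buyer3", 500)
    e.claim_refund("buyer3", block_height=150)
    results["buyer_refund_after_delivery"] = (e.state, e.payouts.get("seller3", 0))

    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The third scenario is the reason real escrow designs add a dispute step (an arbiter key, multisignature release, or staked deposits from both sides): a contract removes the need to trust the market's administrators with the money, but it does not remove the need to trust, or adjudicate, the counterparty.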
In conclusion, I would like to note once again that despite the efforts of law enforcement agencies and the constant development of cybersecurity systems, cybercrime and the underground markets on the darknet will not disappear in the coming years. Therefore, the best thing that ordinary users and IT professionals can do is to take care of effective protection of their systems and network infrastructure; otherwise, in one of our next reports, their data risks joining the ranks of the offers on one of these forums.