
A Look Inside the Bustling Cybercrime Marketplace

The Inner Workings of The Underground Cybercrime Marketplace

Cybercrime’s underground activity, much like a Middle Eastern bazaar, is a loud and boisterous market. Buying, selling, haggling and cheating all take place in these marketplaces. Each marketplace houses other specialized markets of illegitimate goods. There’s the credit cards market, the bot rental market, another one for viruses, and one more for credentials – to name a few. How do these markets operate, and how are hacker transactions performed?

The Bustling Marketplace

Part 12 in a Series on Cybercrime

Underground Forums - In this marketplace only the initial match between the buyer and the seller is made. The remaining activity - all dealings and exchange of goods - occurs outside the forum. To enter the forum, a user must first log in. Like an evil eBay, “buy” and “sell” ads are posted on the forum’s message board. To keep things running smoothly, each forum has its own bouncer - the site administrator. This is the individual who manages the forum and its level of trustworthiness. It turns out there is some honor among thieves, as a reputation-based system is in place that relies on feedback from other forum users. A user who has performed successful past transactions is considered reliable and thus has priority on the message board. However, a “ripper” – an individual who does not deliver the goods upon payment – may have their message moved back in the queue or be banished from the forum altogether. Of course, the site administrator has a stake in this priority system and is constantly bribed to ensure good placement on the message board. Bribery comes in the form of a subset of the goods (a percentage of the stolen credentials for sale), or as commission on the sale of goods.

Internet Relay Chat (IRC) channels - The IRC channel is analogous to an exclusive party where matches as well as transactions all occur within a specific IRC channel. Yet, these “parties” are considered much more secretive than their forum counterparts. While forums are picked up by search engines, IRC channels are not indexed. Rather, IRC channels are known by word-of-mouth. The IRC user connects to an IRC network via a server. Once connected, the participant chooses the particular channel of interest. It is assumed that in order to have gained the knowledge of an existing IRC channel, the user is a serious participant, not just a party-crasher. Yet, different channels also employ a reputation-based system similar to that found in the underground forum. Once the user has joined the channel, she may hop into any public communication and chime into the conversation. If a “match” is made during that conversation, the individuals take this conversation elsewhere - to an IRC room. In this room all communications are private, negotiations take place and the contracts are sealed.

Instant Messaging (IM) - Much of the secretive communication takes place as private messages on IM, after a match on the underground forum is made.

Social Networks - Hackers are finding ways to promote their services, and what better way to self-promote than Facebook? As shown in the screenshot, hackers use Facebook profiles and post information on their Walls advertising their goods. They may provide a sample of their goods, a price list and even references to the underground market sites they actively engage in. An interested buyer can then connect to the seller via a private message.

Cybercriminals Advertising on Facebook

Common Marketplace Currencies

The buyer and seller also negotiate the payment and currency. Online payment services may be used, and the current trend is to use Liberty Reserve and WebMoney. The latter is the Russian equivalent of PayPal. Yet, just as common are offline monetary transfers. Western Union and MoneyGram are the more frequently used services for such cash transactions.

Sealing the Deal

In all markets, usually just a single transaction is performed in order to complete the purchase, for instance, the simple sale of a bulk of stolen webmail accounts. However, things work slightly differently in the case of credit cards, where an additional exchange of hands takes place. After a buyer obtains the credit cards, she now needs to re-enter the marketplace – this time seeking an individual who knows how to cash out on the credit cards (for example, a plastic card manufacturer). In this case, the buyer of the stolen cards and the criminal who monetizes the card split their earnings 40%-60%. The higher percentage goes to the participant that took a higher risk – the one who cashed out on the cards.

Next Column – What are the Market Goods?

This column discussed the underground market scene. Next, we’ll discuss the different goods that are being exchanged and the trending prices for each type of commodity. Stay tuned as I discuss the fall of credit card numbers, and the rise of online credentials. I’ll also provide some advice on protecting your customer data from being traded in these underground markets!


Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interests lie on the business side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.