SecurityWeek

A Look Inside the Bustling Cybercrime Marketplace

The Inner Workings of The Underground Cybercrime Marketplace

Cybercrime’s underground activity, much like a Middle Eastern bazaar, is a loud and boisterous market. Buying, selling, haggling and cheating all take place in these marketplaces. Each marketplace houses other specialized markets for illegitimate goods. There’s the credit card market, the bot rental market, another one for viruses, and one more for credentials – to name a few. How do these markets operate, and how are hacker transactions performed?

The Bustling Marketplace

Part 12 in a Series on Cybercrime – Read Noa’s Other Featured Cybercrime Columns Here

Underground Forums – In this marketplace only the initial match between the buyer and the seller is made. The remaining activity – all dealings and the exchange of goods – occurs outside the forum. To enter the forum, a user must first log in. Like an evil eBay, “buy” and “sell” ads are posted on the forum’s message board. To keep things running smoothly, each forum has its own bouncer – the site administrator. This is the individual who manages the forum and its level of trustworthiness. It turns out there is some honor among thieves, as a reputation-based system is in place that relies on feedback from other forum users. A user who has completed successful past transactions is considered reliable and thus has priority on the message board. However, a “ripper” – an individual who does not deliver the goods upon payment – may have their message moved back in the queue or be banished from the forum altogether. Of course, the site administrator has a stake in this priority system and is constantly bribed to ensure good placement on the message board. Bribery comes in the form of a subset of the goods (a percentage of the stolen credentials for sale), or as a commission on the sale of goods.

Internet Relay Chat (IRC) channels – The IRC channel is analogous to an exclusive party where matches as well as transactions all occur within a specific IRC channel. These “parties” are considered much more secretive than their forum counterparts. While forums are picked up by search engines, IRC channels are not indexed by them. Rather, IRC channels are known by word of mouth. The IRC user connects to an IRC network via a server. Once connected, the participant chooses the particular channel of interest. It is assumed that in order to have gained knowledge of an existing IRC channel, the user is a serious participant, not just a party-crasher. Yet different channels also employ a reputation-based system similar to that found in the underground forum. Once the user has joined the channel, she may hop into any public conversation and chime in. If a “match” is made during that conversation, the individuals take the conversation elsewhere – to an IRC room. In this room all communications are private, negotiations take place and the contracts are sealed.

Instant Messaging (IM) – Much of the secretive communication takes place in private messages over IM, after a match has been made on the underground forum.

Social Networks – Hackers are finding ways to promote their services, and what better way to self-promote than Facebook? As shown in the screenshot, hackers use Facebook profiles and post information on their Walls advertising their goods. They may provide a sample of their goods, a price list and even references to the underground market sites they actively engage in. An interested buyer can then connect with the seller via a private message.

Cybercriminals Advertising on Facebook

Common Marketplace Currencies

The buyer and seller also negotiate the payment and currency. Online payment services may be used, and the current trend is to use Liberty Reserve and WebMoney. The latter is the Russian equivalent of PayPal. Yet offline monetary transfers are just as common. Western Union and MoneyGram are the more frequently used services for such cash transactions.

Sealing the Deal

In all markets, usually just a single transaction is performed to complete the purchase, for instance the simple sale of a bulk lot of stolen webmail accounts. However, things work slightly differently in the case of credit cards, where an additional exchange of hands takes place. After a buyer obtains the credit cards, she needs to re-enter the marketplace – this time seeking an individual who knows how to cash out on the credit cards (for example, a plastic card manufacturer). In this case, the buyer of the stolen cards and the criminal who monetizes the cards split their earnings 40%-60%. The higher percentage goes to the participant who took the higher risk – the one who cashed out on the cards.

Next Column – What are the Market Goods?

This column discussed the underground market scene. Next, we’ll discuss the different goods that are being exchanged and the trending prices for each type of commodity. Stay tuned as I discuss the fall of credit card numbers, and the rise of online credentials. I’ll also provide some advice on protecting your customer data from being traded in these underground markets!
