Malware & Threats

Marketing Tactics Grow More Sophisticated in Cyber Underground

Cybercriminals and the markets they use have changed in 2012, with both tactics for controlling attack campaigns as well as hackers’ marketing and sales strategies getting more sophisticated.

In an interview with SecurityWeek, Trend Micro Senior Threat Researcher Loucif Kharouni said that once the ZeuS and SpyEye creators left the scene, researchers noticed a growing business in offering installation to other cybercriminals, who would have ZeuS or for a fee.

“You never get the toolkit by itself, they would provide you the binary to spread too,” he said. “Same thing for SpyEye, the latest version 1.3.48 is one year old now and similar to ZeuS, you would find some guys making the installation for you and provide you the binary. Same thing with Citadel, this is what we call SaaS (software as a service). Toolkit creators and exploit pack creators are now more reluctant to give away their creation.”

The notorious Blackhole exploit kit has also moved towards a SaaS model to avoid any leaks of its code, he said.

“Compared to a toolkit, an exploit pack is just composed of a PHP file and could easily be manipulated if not protected,” he told SecurityWeek. “Compared to any other exploit pack, Blackhole is well coded, stable and reliable with a good infection rate, due to the latest exploits used and provided in the pack. The creator does not provide the pack itself and instead installs it for you and will protect the PHP files using the well-known ionCube software, which is used to encode PHP files.”


This is also beneficial for the customer as they are not spending money on products that will be leaked and made available to everyone for free, he said.

Cybercriminals are also paying more attention to securing their tools and the servers they use, he noted. For example, attackers in Latin America have stopped using hijacked servers to host command and control (C&C) servers, spam tools or malware. Instead, they have begun using their own servers in data centers around the world and are staying off of Google search results by not registering any hostname and only using IP addresses, he blogged.
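The bare-IP hosting described above is something a defender can hunt for in outbound proxy or firewall logs: legitimate web traffic overwhelmingly goes to hostnames, so connections whose URL host is a literal IP address (especially repeated POSTs to the same one) deserve a second look. The script below is an added example, not code from SecurityWeek or Trend Micro; it assumes a simple space-separated log format (timestamp, client, method, URL, status), parses a few constructed lines, and flags connections to bare IPs outside internal ranges. The constructed "external" addresses use RFC 5737 / RFC 3849 documentation ranges as stand-ins, which is why the internal-range check is written explicitly rather than via `is_private` (Python's `ipaddress` treats documentation ranges as private).

```python
"""
Hunting heuristic: outbound HTTP(S) connections addressed to a bare IP
instead of a hostname. Added example (assumed log format, constructed
sample lines), not part of the original article.
"""
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines: timestamp client method url status.
# 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are documentation
# ranges standing in for external addresses; 192.168.1.10 is internal.
SAMPLE_LOGS = """\
2012-11-01T10:00:01Z 10.0.0.12 GET http://www.example.com/index.html 200
2012-11-01T10:00:05Z 10.0.0.12 POST http://203.0.113.45/gate.php 200
2012-11-01T10:00:09Z 10.0.0.31 GET http://198.51.100.7:8080/cfg.bin 200
2012-11-01T10:00:12Z 10.0.0.31 GET https://updates.example.org/patch 200
2012-11-01T10:01:40Z 10.0.0.12 POST http://203.0.113.45/gate.php 200
2012-11-01T10:02:03Z 10.0.0.55 GET http://[2001:db8::1]/x 200
2012-11-01T10:02:10Z 10.0.0.55 GET http://192.168.1.10/intranet 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

# Ranges that should not be flagged: RFC 1918, loopback, link-local, ULA.
# Listed explicitly so that documentation ranges used in the sample
# are still treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def bare_ip_host(url):
    """Return the destination as an ip_address object if the URL's host
    is a literal IP (v4 or bracketed v6), otherwise None."""
    host = urlsplit(url).hostname  # strips scheme, port and IPv6 brackets
    if host is None:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a real hostname


def is_internal(ip):
    """True if the address falls in one of the internal ranges above.
    Membership tests across IPv4/IPv6 versions simply return False."""
    return any(ip in net for net in INTERNAL_NETS)


def find_bare_ip_connections(log_text, ignore_internal=True):
    """Parse log lines and return (client, method, url, dest_ip) tuples
    for every connection whose host is a literal external IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash the hunt
        _ts, client, method, url, _status = m.groups()
        ip = bare_ip_host(url)
        if ip is None:
            continue
        if ignore_internal and is_internal(ip):
            continue
        hits.append((client, method, url, str(ip)))
    return hits


def summarize(hits):
    """Count hits per destination IP so repeated beaconing to one
    address stands out from a one-off download."""
    return Counter(h[3] for h in hits)


if __name__ == "__main__":
    found = find_bare_ip_connections(SAMPLE_LOGS)
    for client, method, url, dest in found:
        print(f"{client} {method} {url} -> bare IP {dest}")
    print("per-destination counts:", dict(summarize(found)))
```

In a real deployment the counts would be fed into a review queue rather than treated as verdicts; software updaters and CDNs occasionally use bare IPs too, so the heuristic is a triage signal, not proof of compromise.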

The time when researchers could find an open server is essentially over, and more and more cybercriminals are providing secure webhosting to other criminals, he wrote.

“Recent takedowns and hacks have taught everybody in the underground a lesson,” the researcher blogged. “They now have to be more secure and cautious, protecting their servers against researchers and other criminals. Usually, researchers look for open folders and servers. This is basically looking for accessible folders and/or configuration files and also login shells to gain access to the server and start investigating it.”

To deal with today’s underground, researchers need to develop partnerships with Internet Service Providers (ISPs) for takedown operations and look for new ways to find information, he blogged.

“Security researchers need to adapt and adjust to these new methods and try to find new solutions to track attackers and follow the evolution of their business and operation,” he noted. “Scanning servers and hoping to find open servers isn’t enough anymore. Neither is monitoring forums – these are now used mainly to chat and advertise, but private messages are no longer being used to carry out business. Instead, they are used to exchange instant messaging accounts where the actual transaction is done.”
