Researchers at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, have analyzed the traffic statistics of several popular cybercrime forums and they have shared some interesting observations.
The research was conducted after Altenen, an English-language carding forum, boasted about the site’s number of visitors and revenue based on data obtained from a web statistics and analysis service named HypeStat. The administrators of Altenen shared the information in hopes of attracting more users.
After seeing Altenen’s post, researchers at Digital Shadows decided to look at the traffic statistics of several popular cybercriminal forums, and compared the findings to their own perception of these websites.
In addition to Altenen, the researchers analyzed the English-langage forums RaidForums, Nulled, Cracked TO and Cracking King, the German-language forum Crimenetwork, and the Russian forums Exploit and XSS. The data was obtained from HypeStat and Alexa, and it included rank, unique daily visitors, visiting countries, traffic sources, and daily revenue estimates.
While websites such as Altenen, Nulled, Exploit and XSS appear to have recorded increased traffic in the past 90 days — some of them used these statistics to promote their services — Digital Shadows pointed out that some of these forums may have used bots to manipulate the number of visitors and boost their ranking.
“Altenen’s drastic increase in rank, in particular, seems almost too good to be true, as none of the other forums we regard as popular, such as RaidForums, have experienced a similar increase during the same period,” Digital Shadows noted in a blog post.
The company also highlighted that traffic statistics don’t include visits from .onion domains and since these websites are likely visited by many through the Tor network, Alexa rankings don’t accurately represent the number of visitors.
Traffic data also shows that the average time spent by users on these forums ranges between 6 and 22 minutes. However, Digital Shadows experts believe this might not be very accurate either, as, for example, users apparently spend on average less than 8 minutes on Exploit, but since this is a fully gated forum, its visitors are not random guest users and they likely spend more than that on the site.
As for advertising revenue showed by traffic analysis services, the researchers believe they do not show a forum’s actual economy, as these websites can also earn money through paid memberships and commissions on each transaction.
Kacey Clark, threat researcher at Digital Shadows, told SecurityWeek that a key takeaway from this research is that website traffic metrics can be manipulated, including through the use of bots and VPNs, and some cybercrime platforms will use favorable traffic statistics data to gain more traction.
Clark noted that website traffic statistics have contextual limitations. “Context is critical when assessing forums. Numbers alone do not paint the full picture and do not provide an insight into the forum’s content and users, its true economy, or explain the fluctuations of visitor numbers.”
He explained, “Gaining an in-depth understanding of the cybercriminal underground demands a lot of manual labor over a long period of time; it cannot be acquired by querying website traffic metrics alone. Research like this highlights the need for the human-in-the-loop and the importance of combining a manual and automatic approach. Looking at big data can give a general oversight of what’s happening; however, without HUMINT, an array of important details and nuances will be lost.”
Related: Over 5 Billion Unique Credentials Offered on Cybercrime Marketplaces
Related: Collection of South Korean, U.S. Payment Cards Emerges on Underground Market