Malware and hacking services are becoming commoditized. Ransomware as a service has become popular this year. More effective security tools have cybercriminals looking for new tools and techniques to more effectively target victims and bypass security. And malware developers are continually looking for new markets where they can connect and sell their services.
In the past, we have discussed the rise of the DarkNet as a cybercrime marketplace. But the reality is that many attackers simply use sites such as eBay, Craigslist, and other well-known sales and bartering sites to buy and sell information, tools, and techniques. As it turns out, not all marketplaces need to exist on the DarkNet to service the cybercriminal industry.
A relatively new black-market place has begun to attract new sellers. Browsing through the site is eye-opening. The marketplace changes rapidly, as many of the things for sale have short shelf lives. On one day there were enough fake and stolen credit cards that you could sort and purchase credit cards by US ZIP codes if you choose. However, as you can see from the marketplace home screen below, on the day I captured this image stolen accounts were more abundant than stolen credit cards.
Figure 1. Black-Market Home Screen
As you can see from the list below, there were plenty of hacked accounts from different service providers for sale. A quick analysis of the accounts showed that some of the accounts were simply demo accounts or free 30 day trials. The warning “let the buyer beware” is more true in these sorts of market than their legitimate counterparts. However, there did seem to be some legitimate accounts on this site.
Figure 2. Stolen accounts for sale
As with most online marketplaces, seller and buyer reputation feedback is important, and even here seems to help drive the decisions of most users interested in engaging in a transaction. While this site is still relatively small compared to other marketplaces we have explored, we were still able to see some active sellers on the site:
Figure 3. Seller reputation feedback screen
Normally, when we see a large number of user accounts for sale, it often means that the target source website may have been compromised in an attack, and it seems likely that the website’s username or password database was stolen.
What I have started to learn from looking at these records is that many users use the same username and password for multiple websites, as they show up again and again. The conclusion we can draw is that once malware, phishing, or some other attack has compromised the credentials and data of users, attackers are able to extrapolate multiple usernames and passwords for multiple sites from a single set of data. For example, as I pointed out earlier, many websites offer entertainment services provide a free 30-day trial, and many attackers create a large quantity of free trial accounts using these stolen usernames and passwords and then sell them on these websites. A savvy cybercriminal may not only be able to use this data to anonymously use this free trial service, but could also use this data to hit common online sites, such as a bank or Amazon, as users tend to use the same username and password in multiple places.
We will no doubt see more black market marketplace activity rise, especially with the holiday season fast approaching. Stolen credit cards, usernames, and passwords can be used in multiple online locations for purchasing goods and services. In many cases, given the flurry of being that accompanies this season, many of these illicit purchases will pass unnoticed by the victim for a long time.
At the same time, attackers are on the lookout for new information and services they can sell on these marketplaces, and would-be buyers continue to be on the lookout for new data to exploit and new tools to target their next victims.