Black Mirror – Looking at the Dark Web Marketplace for Cybercrime
We all know about cybercriminals, but do we also understand where they get their tools of the trade? Let’s go to the dark side and have look at the black mirror reality of the cybercrime marketplace.
The cybercrime world is the counterpart of our world. In the same way that we use the (visible) web, they use the dark web which has its own search engines such as Onion. We purchase books from Amazon, items from Alibaba, and fashion from Zalando. They purchase IDs, financial accounts, and other financial and personal data from wholesalers who distribute stolen data directly or via affiliates for profit. As in the real world, they also provide “customer support” by teaching the most effective ways to sell this data to retailers or salespeople that post advertisements on dark web markets and forums.
SaaS and other software services also have their dark counterpart. Ransomware-as-a-Service (RaaS) is sold by cybercriminals to other cyber crooks who are technically unable (or unwilling) to develop their own kits for ransomware attacks. Prices can be as low as USD 39 for e.g., the ransomware variant Stampado. For this price, the would-be hackers not only purchase the ransomware itself but also get a lifetime license allowing them to become lifelong hackers.
Other types of crimeware kits are also for sale to initiate e.g., DDoS and ATM attacks. Let’s first have a look at the DDoS-as-a-service. On April 25, Europol announced that it had rolled up webstresser.org, a global marketplace that sold DDoS attacks to any cyber crook, anywhere, for a price as low as EUR 15.00 a month. Its operations were spanning the globe, with administrators located in the UK, Croatia, Canada, and Serbia and prime customers in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada, and Hong Kong. Up to April 2018, there were 136,000 registered users, and 4 million attacks were launched mainly aimed at critical online services offered by banks, government institutions, and police forces.
For criminals that want to hack ATMs, special malware is available on the dark web for only $5,000. For this price, cybercrooks can buy Cutlet Maker on the dark web marketplace Alphabay. ATMs are vulnerable when they run on outdated operating systems such as Windows XP or on any other OS that is no longer supported. Some crimeware kits are even able to empty ATMs with a vendor-specific API without tampering with ATM users or their data. Cybercrooks like to remotely, keeping a safe distance from the ATMs themselves. They use cash mules to pick up and transport the loot. When the ATM does is not vulnerable, the hackers gain access using a bank employee’s credentials that they obtained via email phishing or social engineering attacks.
With all those new crimeware kits popping up on the dark web, it’s hard for organizations to know if they are properly protected. That’s where Cymulate’s Breach & Attack Simulation (BAS) platform comes into play. It contains several modules that are a great help for cybersecurity staff and IT teams to test if their organizations are vulnerable to ransomware attacks, phishing attacks, and the like, and if their security solutions such as AV hold up against e.g., Rubella Macro Builder. To learn how Cymulate’s BAS platform can help, contact us at Cymulate or sign up for a FREE assessment.