Dark Web Marketplace Dark Web Marketplace-mask

Dark Web Shopping Center

Black Mirror – Looking at the Dark Web Marketplace for Cyber Crime

We all know about cybercriminals, but do we also understand where they get their tools of the trade? Let’s go to the dark side and have look at the black mirror reality of the cyber crime marketplace.

The cyber crime world is the counterpart of our world. In the same way that we use the (visible) web, they use the dark web, which has its own search engines, such as Onion. We purchase books from Amazon, items from Alibaba, and fashion from Zalando. They purchase IDs, financial accounts, and other financial and personal data from wholesalers who distribute stolen data directly or via affiliates for profit. As in the real world, they also provide “customer support” by teaching the most effective ways to sell this data to retailers or salespeople that post advertisements on dark web markets and forums.

SaaS and other software services also have their dark counterpart. Ransomware-as-a-Service (RaaS) is sold by cybercriminals to other cyber crooks who are technically unable (or unwilling) to develop their own kits for ransomware attacks. Prices can be as low as USD 39 for, e.g., the ransomware variant Stampado.  For this price, the would-be malicious hackers not only purchase the ransomware itself but also get a lifetime license, expanding their malicious capabilities forever.

Other types of crimeware kits are also for sale to initiate e.g., DDoS and ATM attacks. Let’s first have a look at the DDoS-as-a-service. On April 25, Europol announced that it had rolled up webstresser.org, a global marketplace that sold DDoS attacks to any cyber crook, anywhere, for a price as low as EUR 15.00 a month. Its operations were spanning the globe, with administrators located in the UK, Croatia, Canada, and Serbia and prime customers in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada, and Hong Kong. Up to April 2018, there were 136,000 registered users, and 4 million attacks were launched mainly aimed at critical online services offered by banks, government institutions, and police forces.

For criminals that want to hack ATMs, special malware is available on the dark web for only $5,000. For this price, cybercrooks can buy Cutlet Maker on the dark web marketplace Alphabay. ATMs are vulnerable when they run on outdated operating systems such as Windows XP or on any other OS that is no longer supported. Some crimeware kits are even able to empty ATMs with a vendor-specific API without tampering with ATM users or their data. Cybercrooks like to remotely, keeping a safe distance from the ATMs themselves. They use cash mules to pick up and transport the loot. When the ATM is not vulnerable, the hackers gain access using a bank employee’s credentials that they obtained via email phishing or social engineering attacks.

But it does not stop there. A new crimeware kit for sale (known as Rubella Macro Builder) has been spotted on high-profile Russian-speaking and English-speaking dark web forums. It is already being used by various cybercriminal groups. It offers a quick, easy, and cheap way to launch malware spam campaigns. Priced at USD 500 in February 2018, the price for a three-month license was reduced to USD 120 by April 2018. The crimeware kit allows users to choose what payload they want to distribute, where they want to distribute it, and how they want to distribute it e.g., via executable, JavaScript, or Visual Basic Script. It allows for massive spam campaigns to reach as many potential victims as possible. Rubella Macro Builder, which uses phishing emails with Microsoft Word or Excel attachments as bait, can bypass basic antivirus protection. It has already victimized an Australian financial institution.

With all those new crimeware kits popping up on the dark web, it’s hard for organizations to know if they are properly protected. That’s where Cymulate’s Exposure Management and Security Validation platform comes into play. It contains several modules that are a great help for cybersecurity staff and IT teams to test if their organizations are vulnerable to ransomware attacks, phishing attacks, and the like, and if their security solutions such as AV hold up against e.g., Rubella Macro Builder. To learn how Cymulate’s BAS platform can help, contact us at Cymulate or sign up for a FREE assessment.