Monday, 05 December 2016 21:55

Where Cybercriminals Go To Buy Your Stolen Data

With nothing more than a standard Web browser, cybercriminals can find personal, private information all over the public Internet. It isn't just legitimate services - from genealogy sites to public records and social media - that can be mined and exploited for nefarious purposes. Openly malicious criminal activities are also happening on the public Internet.

True, much of the cybercrime underground consists of private and established communities that don't appear in a normal search engine and are not accessible by regular users without special authorization.

However, according to the team at identity protection and fraud detection provider CSID, there are different levels of cybercriminal resources - and not all are so tightly protected. The quality and quantity of the more easily accessible forums are still high, say the CSID team, and anyone can access content such as stolen credit cards, cyberattack tools, and even advanced malware, which can be leveraged with minimal technical know-how required.

Adam Tyler, chief innovation officer at CSID, describes how black-market organizations are becoming more like traditional online businesses we visit and buy from every day. “For example,” he says, “many sites now have their own Facebook, Twitter and even YouTube pages to advise their member base on new attacks and tools that are available.”

Data sold on criminal marketplaces “age quickly, meaning that once the information is stolen, it has to be used for fraudulent purposes quickly,” says Christopher Doman, consulting analyst at Vectra Networks. “The more times the information is abused for fraud, the more the information will be devalued.”

“Companies should have these marketplaces monitored, looking for trends in data breaches and attacks as well as to see if any of their data has been compromised,” says Carefree Solutions’s CEO Paul San Soucie. “One point that I’m not sure is evident is that there is more public and Dark Web research than any one IT person can handle. Researching and absorbing this information requires significant training and experience. Even large US banks that have dedicated security staff are not able to do some of the research and analysis that specialized reconnaissance teams can perform.”

San Soucie nevertheless suggests treading carefully when doing this research. “While you can get to most of these sites using standard https, I still consider them dark and strongly recommend accessing them via a VPN as both criminal and government sources track access in some cases.”

Read on for a collection of some of the popular sites where private data, credentials, and attack tools are up for sale, or even for free download.

Bonus Source: Novice Cybercrime Communities

Social sites, communities, marketplaces and other places for people new to the cybercrime underground to learn their craft have become increasingly available, easy to find, and easy to use, even for the most novice user.

“The introduction of low-cost domains, the availability of cheap shared web hosting, and the large number of free-to-use open-source community platforms has enabled fraudsters to easily set up and run dark web communities in a matter of a few minutes,” says Tyler. “This has led to a huge explosion in the number of communities that are accessible and available, even for those hunting for information via a search engine.”

Image Source: CSID

AlphaBay Market and Forum

AlphaBay, founded in 2014 by alpha02 (a well-known carder) and DeSnake, has become the most popular cybercrime market in 2016, since some competing sites have shut down. This market emulates popular e-commerce sites like eBay or Amazon in appearance, navigation, and features, and accepts digital currency like Bitcoin.

Yet, these customers aren't shopping for best-selling books, vintage watches, groceries or diapers; rather, they are browsing AlphaBay's selection of tens of thousands of items related to drugs, malware, exploits, hacked accounts, stolen credentials, and other illicit goods and services - including hacking services.

AlphaBay is better concealed and harder to access than some of the sites on this list; much of it cannot be found through a Google search. It is located on the unindexed, encrypted segment of the Internet, the “Dark Web,” and therefore must be accessed via the Tor network, which anonymizes all the traffic going to and from the site.

That isn't so difficult to do, though.

“Thanks to Tor proxies, AlphaBay can be easily accessed through your normal web browser,” says Christopher Doman, consulting analyst at Vectra Networks. The Tor Browser comes pre-configured and can be run off a USB flash drive, for example.

“Because the information [on AlphaBay] is personally identifiable,” says Doman, “it can be used in many ways, which include using the information as ‘leads’ to enable other scams and activities.”

These “leads” may be used, for example, by:

- Craigslist sellers - to give themselves high ratings for past service
- Betting agencies - to manipulate audience voting in “Dancing With the Stars”
- Lobbyists - to support their own causes by posting fake “citizen” feedback

“Since AlphaBay can be easily accessed by criminals with tools such as the Tor browser, it also means that legitimate companies and researchers can also use the Tor browser to see what is for sale,” says Adam Meyer, chief security officer at SurfWatch Labs. “Companies should be monitoring the listings for any threats that may impact their organization or those in their supply chain.”

Image Source: Carefree Solutions, SurfWatch Labs, Vectra Networks

Source: CardingMafia.ws

CardingMafia.ws is a carding community that provides tutorials and other information that's quite useful and valuable for fraudsters. According to the CSID team, customers can find tutorials on how to scam users, crack software, and steal credit cards.

“Visitors will also see advertisements and find direct-to-third-party suppliers of illegally obtained data, such as credit card data and PayPal account data,” says Adam Tyler, chief innovation officer at CSID. “This is a global community that allows for collaboration on illegal tasks, giving the community the power to fully extract monetary value from its targets.”

“Malware and Trojan attacks are no longer an exclusive or technically advanced threat,” adds Tyler. “The tools used to conduct these attacks are available to anyone with a modicum of knowledge and the ability to search online.”

(Image Source: CSID)

DeepDotWeb

DeepDotWeb is essentially a central source for news, information, and search engine capabilities for the deep Web and its collection of criminal markets.

“While it is unclear who the owners are for this website, what is clear is that they are a group of people who want to educate people on the issues surrounding the dark Web,” says San Soucie.

The site reports on dark Web and marketplace issues. The information found on this site can be used to keep people safe while surfing or purchasing items on the dark Web. It can also be used for evil by people who are looking for illegal items or sites.

“Business should keep up with the news articles if they have concerns about their reputation or employees on the dark Web,” adds San Soucie.

(Image Source: Carefree Solutions)

freetrojanbotnet.com

Freetrojanbotnet.com is effectively an advanced malware distribution service that gives users access to various malware and other malicious tools for free download and use. The tools range from simple bot/RAT Trojans to advanced MitB (man-in-the-browser) variants like Zeus, Citadel, and SpyEye.

“Users can easily and freely download these packages and utilize them to conduct their own attacks,” says Tyler. “Previously, some of the tools offered on the site were licensed for thousands of dollars every month. Now anyone can download them for free with no initial outlay or cost required.”

(Image Source: CSID)

fprvtzone.ws

Fprvtzone.ws provides both public (i.e., free) and private (paid-for) sections, where fraudsters can find tutorials on how to access data without authorization and how to use the stolen information. It is also a marketplace for individuals to sell, buy, and distribute illegally obtained data.

“Visitors can find tutorials on how to scam users, crack software, steal credit cards, and engage in various other illegal services,” says Tyler.

Sites like fprvtzone confirm that valuable data is easily and freely accessible to nearly anyone who wants it. “Companies need to be aware of the risks and ensure that they take steps to protect not only their personal information and accounts, but also their personal devices used to store and hold this data,” adds Tyler.

Image Source: CSID

HANSA Market

Created in response to the many exit scams cybercriminals have conducted over the past few years - where admins have shut down their sites, taking the hefty escrow accounts with them - HANSA is a Dark Web marketplace focused on the security of its users. 

“HANSA is claiming to side more with users in any dispute which is another attempt to get more ‘buyers’ to use the site,” says Meyer of SurfWatch Labs.

“The market boasts that its multi-signature escrow payment process ensures that theft from either party is impossible,” says Meyer, “although they are not the only marketplace to offer those payment options.”

Although HANSA vendors sell a variety of tools and information, pirated products appear most often. This includes software, video games, movies, books and other media as well as credentials to access related accounts, like online gaming platforms or Netflix.

Image Source: SurfWatch Labs

TheRealDeal Market

TheRealDeal Market, which was launched in early 2015 by four founders, focuses on selling malicious code and exploits.

“Law enforcement operations against the cybercrime forums Hell and Darkode in July 2015 led to arrests that tied up several members of TheRealDeal team,” says Adam Meyer, chief security officer at SurfWatch Labs. “This caused the site to shut down for a few months last year until it relaunched in December 2015 under the management of the main admin, identified as S.P., and an old vendor.”

According to Meyer, TheRealDeal recently made headlines for the sale of massive databases of user credentials stolen from LinkedIn, MySpace, and Yahoo, as well as a number of stolen healthcare databases.

“TheRealDeal was my previous go-to site to look for data breaches and zero-day exploits,” says San Soucie. “I found hacked federal accounts and even a state DMV database for sale.”

“Cybercriminals can also find zero-day vulnerabilities, source code, and other stolen items for sale,” adds Meyer. “For legitimate companies and researchers, these listings provide insight into the types of information and tools that cybercriminals find valuable.”

(Image Source: SurfWatch Labs)

Source: Siph0n

Visible on the open Internet to the general public, Siph0n - which is operated by a group that call themselves security researchers - is a source that offers web application exploits, database dumps (from LinkedIn), and malicious tools (botnet source code), among other things.

“While the group touts that it is publishing the data and tools for security awareness, many hackers follow this site to get information and source code to create exploits,” says San Soucie. “In some cases, databases that were listed here at no cost end up on Dark Web marketplaces for sale.”

San Soucie suggests that business owners have their security staff or consultants monitor Siph0n closely to ensure their data does not appear. They should also watch for third-party partners' data.

“While it may be tempting to download some of the data directly to determine if a business or individual account is listed in the data source, keep in mind that malware can be embedded in the files,” warns San Soucie.

Image Source: Carefree Solutions

Author:  Sean Martin

Source:  http://www.darkreading.com/
