Dark Web Shopping Center

Black Mirror – Looking at the dark web marketplace for cybercrime

We all know about cybercriminals, but do we also understand where they get their tools of the trade? Let’s go the dark side and have look at the black mirror reality of the cybercrime marketplace.

The cybercrime world is the counterpart of our world. The same way that we use the (visible) web, they use the dark web which has its own search engines such as Onion.to. We purchase books from Amazon, items from Alibaba and fashion from Zalando. They purchase IDs, financial accounts, and other financial and personal data from wholesalers who distribute stolen data directly or via affiliates for profit. As in the real world, they also provide “customer support” by teaching the most effective ways to sell this data to retailers or salespeople that post advertisements on dark web markets and forums.

Download our white paper on how to avoid being victimized by ransomware

SaaS and other software services also have their dark counterpart. Ransomware-as-a-Service (RaaS) is sold by cybercriminals to other cybercrooks who are technically unable (or unwilling) to develop their own kits for ransomware attacks. Prices can be as low as USD 39 for e.g., the ransomware variant Stampado.  For this price, the would-be hackers not only purchase the ransomware itself, but also get a lifetime license allowing them to become a lifelong hacker.

Other types of crimeware kits are also for sale to initiate e.g., DDoS and ATM attacks. Let’s first have a look at the DDoS-as-a-service. On April 25, Europol announced that it had rolled up webstresser.org, a global marketplace that sold DDoS attacks to any cybercrook, anywhere, for a price as low as EUR 15.00 a month. Its operations were spanning the globe, with administrators located in the UK, Croatia, Canada and Serbia and prime customers in the Netherlands, Italy, Spain, Croatia, the UK, Australia, Canada and Hong Kong. Up to April 2018, here were 136,000 registered users and 4 million attacks were launched mainly aimed at critical online services offered by banks, government institutions and police forces.

For criminals that want to hack ATMs, special malware is available on the dark web for only $5,000. For this price, cybercrooks can buy Cutlet Maker on the dark web marketplace Alphabay. ATMs are vulnerable when they run on outdated operating systems such as Windows XP or on any other OS that is no longer supported. Some crimeware kits are even able to empty ATMs with a vendor-specific API without tampering with ATM users or their data. Cybercrooks like to remotely, keeping a safe distance from the ATMs themselves. They use cash mules to pick up and transport the loot. When the ATM does is not vulnerable, the hackers gain access using a bank employee’s credentials that they obtained via email phishing or social engineering attacks.

But it does not stop there. A new crimeware kit for sale (known as Rubella Macro Builder) has been spotted on high-profile Russian-speaking and English-speaking dark web forums. It is already being used by various cybercriminal groups. It offers a quick, easy and cheap way to launch malware spam campaigns. Priced at USD 500 in February 2018, the price for a three-month license was reduced to USD 120 by April 2018. The crimeware kit allows users to choose what payload they want to distribute, where they want to distribute it and how they want to distribute it e.g., via executable, JavaScript or Visual Basic Script. It allows for massive spam campaigns reaching as many potential victims as possible. Rubella Macro Builder, which uses phishing emails with Microsoft Word or Excel attachments as bait, can bypass basic antivirus protection. It already has victimized an Australian financial institution.

Download our white paper on how to avoid being victimized by ransomware

With all those new crimeware kits popping up on the dark web, it’s hard for organizations to know if they are properly protected. That’s where Cymulate’s Breach & Attack Simulation (BAS) platform comes into play. It contains several modules that are a great help for cybersecurity staff and IT teams to test if their organizations are vulnerable for ransomware attacks, phishing attacks and the like, and if their security solutions such as AV hold up against e.g., Rubella Macro Builder. To learn how Cymulate’s BAS platform can help, contact us at Cymulate or sign up for a FREE assessment.

Filed Under: Phishing, Breach & Attack Simulation, Cyber Attacks, Cybercrime, Dark Web