Wandering in the underground, from exploit kits to hacking services

Pierluigi Paganini April 09, 2013

The cybercrime industry knows no crisis: new services are offered in the underground, and criminals operating in different sectors are increasingly interested in adopting cyber tools to organize profitable scams and fraud.

The underground offers everything necessary to commit a cyber crime, from tools to hacking services, and in many cases all of it is supported by excellent customer care. The criminal market is continually expanding: from the daily collaboration between groups of cybercriminals new opportunities arise, and very often they are operational in a very short time.

Account and credential data are among the most requested products in the underground. Instead of directly monetizing the precious information, cyber criminals prefer to sell it to a third party, a business that allows them high profits at relatively low risk.

Acquisition of FTP credentials and PayPal and Steam accounts is the first step in the success of fraudulent and malicious campaigns; to further secure criminal operations, anonymization services are typically offered to avoid being tracked down by security firms and law enforcement.

Recently Dancho Danchev published an interesting post that revealed the existence of a cybercrime-friendly service offering access to tens of thousands of compromised accounts. The case is not isolated, and the popular security expert described the criminals' business model.

Once again the service is provided in the Russian underground, one of the most active: several thousand Russian Vkontakte, LiveJournal, Twitter, Mail.ru and Skype accounts are offered for sale, and what is really surprising is the warranty offered by the seller on their validity.

According to Danchev's investigation, the individuals behind the service claim to have been in possession of over 100 million account credentials, obtained through "private methods". The sales model is well established: criminals offer the precious credentials to an attacker who can exploit them to conduct further attacks for various purposes.

The possibility of acquiring this information drastically reduces the time needed to carry out cyber frauds and contributes to the increase in the number of crimes committed; the sale of this kind of information also sustains the demand for pre-configured malicious infrastructures such as botnets. Services such as botnet renting and bulletproof hosting are also increasing, fueling the profits of the relentless criminal enterprise. The following is a sample screenshot of the cybercrime-friendly service:

[Screenshot: cybercrime-friendly service]


Credentials and credit card numbers aren't the only products sold in the underground: a recent study by Solutionary's Security Engineering Research Team (SERT) revealed the wide diffusion of malware and exploit kits.

The study demonstrated that the cyber threat represented by exploit kits is growing in incidence, and what is really surprising is their efficiency despite the use of well-known vulnerabilities: of the total number of exploits sold in the underground, around 60% are more than two years old, and 70% of the exploit kits analyzed (26) were released or created in Russia.

The most popular and pervasive exploit kit is BlackHole 2.0, which exploits fewer vulnerabilities than other kits do, while the most versatile is the Phoenix exploit kit, which supports 16% of all vulnerabilities being exploited. Over 18% of the malware instances detected were directly attributed to the BlackHole exploit kit, a web application that exploits known vulnerabilities in the most popular applications, frameworks and browsers, such as Adobe Reader, Adobe Flash and Java.


The principal reason for the diffusion of these exploits is their efficiency, made possible by the inadequacy of the patch management process in private businesses that don't update their systems rapidly; in many cases entire infrastructures aren't updated for a long time, and for this reason they are still vulnerable to old exploit code dating back to 2004.

The study states:

“With a large concentration of exploit kits focusing on client-side exploitation (targeting desktop and end-user applications), organizations must pay close attention to patch management and endpoint security controls. Although these controls alone will not stop all attacks, they will significantly decrease the attack surface and reduce the overall likelihood of compromise.”

The increased demand for exploit kits observed in recent months demonstrates a very active and prolific market for the commercialization of 0-day vulnerabilities; in many cases dedicated exploit kits are sold directly in the underground market, and once again the Russian underground is the most active in this sense.

As revealed in the report, a large number of exploit kits focus on client-side exploitation (targeting browsers, desktop and end-user applications). For this reason alone, companies, organizations and individual users should pay close attention to keeping their security patches and antivirus software up to date.

Who is behind these exploits?

The authors of the malicious kits are usually groups of skilled professionals able to equip their creations with code that exploits the principal vulnerabilities. In some cases intense research and development work is conducted to find zero-day vulnerabilities and maximize the efficiency of the exploit; in these cases the hackers are typically state sponsored, funded by governments for cyber espionage campaigns or large-scale attacks.

Let's complete this short tour of the underground by reporting the results of the investigation into the cybercrime tool known as the Phoenix Exploit Kit, available in the underground for a price between $2,000 and $2,500. The security expert Brian Krebs revealed on his blog that the author of Phoenix is a Russian individual who used the nickname AlexUdakov on various forums.


Krebs wrote that the criminal is also a member of a forum called Darkode; what is interesting is that an attack on the website a few weeks ago exposed the full profiles of its members, and AlexUdakov was using the email address "[email protected]".

Further investigation of the above email led the authorities to find a correspondence with a Russian man, Andrey Anatolevich Alexandrov, a 23-year-old male born on May 20th, 1889, who used the address to register his profile on the Russian social media site 'Vkontakte'. Krebs also added that he located Alexandrov, who is currently living in a 365-square-foot apartment with his family in Yoshkar-Ola.

The Russian man is a member of many other forums on various topics, such as weapons, and of other hacker websites used to sell the Phoenix Exploit Kit for many months until July 2012.

The hacker behind the nickname AlexUdakov remained silent for several months; in his last post he wrote that he had been arrested by the Federal Security Service (FSB), the Russian agency, for distributing malware and the illegal possession of firearms:

"On _th of May FSB operatives performed a controlled purchase; the money was transferred through WebMoney.

1_th of July FSB operatives arrested me and conducted searches at the residence, registered address, and in the cars that I was using. All computers and storage devices were taken except for… a Wi-Fi router."

Is Andrey Anatolevich Alexandrov really the author of the Phoenix Exploit Kit? At the moment the investigation is still ongoing. Anyway, the events reported in this post demonstrate the great importance of analyzing underground forums in the fight against cybercrime: only by knowing your enemy can you fight it.

Pierluigi Paganini

(Security Affairs – Cybercrime)
