Profiling the offer in criminal underground

Periodic analysis of the evolution of the offer in the underground criminal thanks to the efforts of experts such as Dancho Danchev.

The offer of cyber criminals in the underground is very dynamic and articulated and its observation is a privileged point of view for better understand how evolve cyber threats.

Recently we have spoken of new serviced that adopted curious monetization models for botnet renting such as the “pay per execution” and we have seen how the underground has reacted to the shutdown of the Liberty Reserve currency scheme.

Today I will introduce a couple of discoveries made by researcher Dancho Danchev on the offer in the criminal underground. Once cyber criminals have obtained the control of huge botnet they mainly try to capitalize them in two ways:

Renting the compromised machine to other criminals
Selling the stolen information from victims to other criminals to arrange frauds.

One of the sectors most targeted is the gaming market due its millionaire profits, cyber criminals in this case mine the botnet for accounting credentials for a gaming platform ad for activation key of the most popular game.

Danchev found a new e-commerce website that is specialized in the sale of stolen accounting credentials gaming platforms (e.g. Origin and Uplay) and for a variety of online services( Hulu Plus, Spotify, Skype, Twitter, Instagram, Tumblr and Freelancer).

Following a screenshot of the actual advertisement, the prices of the compromised gaming accounts are very cheap:

still more cheaply if we consider the prices for the compromised accounts:

The security experts analyze new services for profiling the activity usually consider various factors such as references to geographic area, methods of payments accepted and of course aging of the services.

This information could give an idea to the researchers of the level of organization behind the services, typically cyber criminals operate for short period and gangs of individuals operate together for the time necessary for specific campaigns.

Analyzing the feedbacks of the e-shop Danchev discovered that it is not a one-time inventory of compromised assets, but it appears like “a long-term operation fueled by an ongoing botnet operation relying on commercially/publicly obtainable DIY (do-it-yourself) malware generating tools, in combination with malware crypting services.”

The service discovered accept various payment methods including popular Bitcoin, Webmoney and PayPal, the shutdown of Liberty Reserve is increasing the popularity of Bitcoin in the underground despite some exchange such as MT.Gox announced more checks on the identity of the service subscribers.

The number of the E – shop that is selling access to hacked machines worldwide that accepting Bitcoin as the primary method of payment is increasing.

The newly launched services accept Bitcoin and guarantees up to 20,000 hacked PCs every day, has proposed in the following image the cost for 1K hosts is $30, 10K hosts go for $250, and 20K hosts go for $400.

The machines are located worldwide, this means that services doesn’t segment the offer ‘targeting’ any kind of machine to increment the portfolio.

The last interesting news from underground forums is related to Pharmaceutical scammers that impersonate Facebook’s Notification System, entice users into purchasing counterfeit drugs.

Danchev wrote in his post

“Opportunistic pharmaceutical scammers are currently spamvertising tens of thousands of bogus emails impersonating Facebook’s Notification System in an attempt to trick users into clicking on the links, supposedly coming from a trusted source. Once users click on the links found in the fake emails, they’re exposed to counterfeit pharmaceutical items available for purchase without a prescription.”

The figure behind the business are impressive, despite the products are counterfeit drugs the US accounting for 72% of pharmaceutical orders.

If you are interested in the evolution of underground offer … stay tuned!

Pierluigi Paganini

(Security Affairs – Underground, Cybercrime)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.