Cybercrime-as-a-Service on the Internet
The Internet truly drives globalisation forward – all of a sudden, a small local shop selling handmade soap can conduct commerce with people on the other side of the planet. The Internet’s reach doesn’t just help small local shops, though – drug dealers, for example, can also sell their products on the Internet. Not through the same channels, of course. Law enforcement agencies and local laws make sure these sorts of actions cannot happen in broad daylight. Criminals must also avoid using traditional payment methods, since those can be traced. And it isn’t just drugs and other tangible goods that are being sold on the Internet – people sell cybercriminal services ranging from building custom malware to launching targeted Distributed Denial of Service (DDoS) attacks. These services are frequently referred to as ‘cybercrime-as-a-service’ – one of the focus areas of the EU-funded CC-DRIVER research and innovation project which investigates the human and technical drivers of new forms of cybercriminality.
Surface, Deep & Dark Web
In order to understand where these things can be found, let’s start by defining the concepts of Surface Web, Deep Web and Dark Web.
The Surface Web is where most Internet users are active. It consists of websites and services such as YouTube, Wikipedia and Google: any content you can reach without signing in. An informal definition of the Surface Web is anything you can view as the result of a Google search.
Content on the World Wide Web that search engines do not index, typically because it sits behind a sign-in, is known as the Deep Web. Many people argue that sites like Facebook and LinkedIn should be counted as part of the Deep Web, since they require user credentials for full access.
And then there is the Dark Web. The Dark Web is the part of the Internet hosted on overlay networks known as darknets. To access Dark Web sites, one has to use special software such as the Tor Browser (with the Tor Browser, you can only reach the Tor part of the Dark Web). Tor (The Onion Router) enables anonymous communication by routing traffic through a circuit of three relays, with one layer of encryption per relay, so that no single relay knows both who is talking and to whom. A Dark Web address looks like a string of random characters with a ‘.onion’ suffix; for current (v3) onion services it is 56 base32 characters derived from the service’s public key rather than a name anyone can register. To find new Dark Web sites, one may use the link lists that can be found on the Internet. Note: be careful while browsing these sites. You never know what is on the other side of a link, and the contents may be highly disturbing.
Because use of the Dark Web is fairly anonymous and the sites there are not easily controlled or regulated, some of the most popular sites for selling illegal products and services (drugs, guns and malware, for example) are located there.
Readers may have seen the iceberg metaphor, as old as time itself, used to illustrate the Surface Web versus the Deep and Dark Web. According to research published by Recorded Future, the analogy is inaccurate: with the help of web crawlers, researchers found that only about 15% of the 55,000 onion sites queried were actually up and running.
Contrast this with the estimated number of Surface Web sites and the Dark Web amounts to just 0.005% of that number. The iceberg metaphor is simply wrong, a fact which becomes fairly apparent if you browse the Dark Web for a little longer.
Dangers of Dark Web Marketplaces
How safe is it to use Dark Web marketplaces? To start with, ordering anything illegal is, well, highly illegal. Dark Web sites have been known to be under police control in the past, with law enforcement collecting buyer information and building cases against users of illegal marketplaces. Additionally, you can never be sure that the site you are visiting is the marketplace you meant to visit. Since addresses are just strings of random-looking characters, typosquatting has been an effective way of scamming potential customers out of their precious Bitcoins: a lookalike address that matches the first few characters of the real one is enough to fool someone copying it from an unverified link list. To counter this, many marketplaces provide authentication mechanisms, such as PGP-signed lists of official mirror addresses, so that you can verify you are visiting the correct site.
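Why a typo in a v3 .onion address usually fails outright while a deliberate lookalike does not: the address encodes the service’s public key plus a two-byte checksum and a version byte, so a mistyped character almost always breaks the checksum, whereas any key at all yields a valid address. The following added example (written for this page, not code from the original post or from the CC-DRIVER project) encodes and validates v3 onion addresses with the standard library only. The 32-byte keys it uses are constructed placeholder values standing in for real Ed25519 keys; the checksum does not check that the bytes are a valid curve point, which is exactly why it offers no protection against lookalikes.

```python
import base64
import hashlib

# v3 onion address layout: base32(PUBKEY || CHECKSUM || VERSION) + ".onion"
# PUBKEY is the 32-byte Ed25519 public key, VERSION is 0x03 and CHECKSUM is the
# first two bytes of SHA3-256(".onion checksum" || PUBKEY || VERSION).
ONION_V3_VERSION = b"\x03"
CHECKSUM_PREFIX = b".onion checksum"
BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """Two-byte checksum that ties the address to the key it embeds."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + ONION_V3_VERSION).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the .onion hostname for a 32-byte public key."""
    if len(pubkey) != 32:
        raise ValueError("v3 onion services use a 32-byte Ed25519 public key")
    raw = pubkey + onion_v3_checksum(pubkey) + ONION_V3_VERSION
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def parse_onion_v3(address: str):
    """Return the embedded public key if `address` is a well-formed v3 onion address, else None.

    Rejects the wrong length, characters outside the base32 alphabet, an unexpected
    version byte, and a checksum that does not match the key, which is what a
    one-character typo almost always produces.
    """
    host = address.strip().lower()
    if host.endswith(".onion"):
        host = host[: -len(".onion")]
    if len(host) != 56 or any(c not in BASE32_ALPHABET for c in host):
        return None
    raw = base64.b32decode(host.upper())  # 56 base32 chars decode to exactly 35 bytes
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != ONION_V3_VERSION or checksum != onion_v3_checksum(pubkey):
        return None
    return pubkey


def shared_prefix_length(a: str, b: str) -> int:
    """Leading characters two addresses have in common (what a glance at the URL bar compares)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample key: an arbitrary 32-byte value standing in for a real Ed25519 key.
    genuine_key = bytes(range(32))
    genuine = encode_onion_v3(genuine_key)
    print("genuine  :", genuine, parse_onion_v3(genuine) == genuine_key)

    # A typo in the checksum region: the shape is still right, but validation fails.
    typo = genuine[:53] + ("a" if genuine[53] != "a" else "b") + genuine[54:]
    print("typo     :", typo, parse_onion_v3(typo) is None)

    # A lookalike: a different key that flips only the last bit of the genuine key, so the
    # first 51 of 56 characters are identical and the address is perfectly valid. Only an
    # out-of-band check (a signed mirror list, a key you already trust) tells them apart.
    lookalike_key = genuine_key[:31] + bytes([genuine_key[31] ^ 0x01])
    lookalike = encode_onion_v3(lookalike_key)
    print("lookalike:", lookalike, shared_prefix_length(genuine, lookalike))
```

Real lookalike attacks brute-force keys until the address shares a chosen prefix (a handful of leading characters is cheap, the full address is infeasible), which is why a checksum-valid address that "looks right" proves nothing and a marketplace’s signed mirror list, verified against a key obtained earlier, is the only meaningful check.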
Paying for products and services on Dark Web marketplaces is usually handled via cryptocurrencies. Orders, however, often have to include your home address – a fact which should be a serious deterrent to anyone who isn’t a fan of the prison lifestyle.
Dark Web Marketplaces – a Closer Look
We will now take a closer look at Dark Web marketplaces and Deep Web hacker forums. What do people actually sell on the Dark Web, and in particular, what sort of services?
Dark Web marketplaces are mostly quite primitive. They are divided into sections, but none of them really offers services. Many marketplaces sell a wide variety of products; for instance, you can find both drugs and malicious software for sale in the same place. However, we found that most sites selling malware had a very poor selection, in many cases just a single version of some ransomware or Remote Access Trojan (RAT). Malware is not a popular product on these marketplaces, and services like DDoS attacks or targeted hacking contracts cannot be found on these sites at all.
Dark Web marketplaces are nevertheless surprisingly crowded. In January 2021, German investigators shut down a huge darknet marketplace, DarkMarket. According to officials, the website had over 500,000 users and had carried out over 320,000 transactions worth around USD 170 million. As usual, the site was home to drugs, forged money, stolen and forged credit cards, and malware.
Deep Web Forums
Hacker forums on the Deep Web do not offer products and services the way Dark Web marketplaces do. They are places to hang out and learn about, well, mostly hacking.
Sometimes hacking services are on the table (see Fig. 1). This ranges from people looking for a botnet to spread a malicious file to someone selling targeted DDoS attacks. People also sell and provide guidance on carding, hacking, and fraud.
Some sites talk about these services very openly, while others try to hide cybercriminal material behind user actions (‘like’ this post to reveal the content) or paywalls (pay X amount of money to get full access to the forums). There are even places which give access only after completing some hacking challenges.
Transactions themselves are never carried out on-site. People move to other platforms such as Telegram or XMPP (originally named Jabber) to hash out the details, both to protect their anonymity and to keep potentially criminal discussions off the forums. XMPP is a popular instant messaging protocol based on an open standard with no central authority: it is federated, so anyone can set up their own XMPP server with open source or even custom-made server software to serve the underground community. Obviously, this has risks as well. If you neither host the server nor add further protection, you cannot know whether someone is listening in: a server that does not enforce TLS exposes credentials and messages to anyone on the network path, and even with TLS the server operator reads every message in the clear unless the parties use end-to-end encryption such as OTR or OMEMO.
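The first thing a practitioner checks about an unknown XMPP server is the `<stream:features>` it advertises before any encryption or authentication: whether STARTTLS is required, merely offered, or missing, and whether a password mechanism such as PLAIN is already on offer over the cleartext stream. The example below is added for this page (it is not code from the original post or from any XMPP project) and classifies such feature stanzas with the standard library; the three stanzas are constructed, not captured from any real server, and the `exposure` wording is this example’s own summary of who can read the traffic in each case.

```python
import xml.etree.ElementTree as ET

# Namespaces from RFC 6120; the first features block arrives on the unencrypted stream.
NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"
NS_SASL = "urn:ietf:params:xml:ns:xmpp-sasl"


def assess_stream_features(features_xml: str) -> dict:
    """Classify the initial <stream:features> a server sends before TLS or SASL.

    starttls:               "required" | "optional" | "absent"
    mechanisms:             SASL mechanisms already offered on the cleartext stream
    plain_auth_before_tls:  True if a client could send a PLAIN password without TLS
    exposure:               who can read the traffic as a result
    """
    root = ET.fromstring(features_xml)
    if root.tag != f"{{{NS_STREAM}}}features":
        raise ValueError("expected a <stream:features> element")

    starttls = root.find(f"{{{NS_TLS}}}starttls")
    if starttls is None:
        tls = "absent"
    elif starttls.find(f"{{{NS_TLS}}}required") is not None:
        tls = "required"
    else:
        tls = "optional"

    mechanisms = [
        (m.text or "").strip()
        for m in root.iterfind(f"{{{NS_SASL}}}mechanisms/{{{NS_SASL}}}mechanism")
    ]
    plain_before_tls = tls != "required" and "PLAIN" in mechanisms

    if tls == "absent":
        exposure = "anyone on the network path reads credentials and messages"
    elif tls == "optional":
        exposure = "depends on the client; a careless client talks in cleartext"
    else:
        exposure = "network hop protected; the server operator still reads every message"

    return {
        "starttls": tls,
        "mechanisms": mechanisms,
        "plain_auth_before_tls": plain_before_tls,
        "exposure": exposure,
    }


# Constructed stanzas (not captured from any real server) covering the three cases.
FEATURES_TLS_REQUIRED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""

FEATURES_TLS_OPTIONAL = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

FEATURES_NO_TLS = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>"""


if __name__ == "__main__":
    samples = [
        ("tls required", FEATURES_TLS_REQUIRED),
        ("tls optional", FEATURES_TLS_OPTIONAL),
        ("no tls", FEATURES_NO_TLS),
    ]
    for name, xml in samples:
        print(f"{name:13s}", assess_stream_features(xml))
```

Note the third verdict: a server that requires STARTTLS protects the hop between you and it, nothing more. Whoever runs the server, including a forum operator or a law enforcement agency that has taken it over, still sees the conversation unless both ends add OTR or OMEMO on top.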
It seems that XMPP is especially popular in Eastern European underground communities. Our investigations show that the biggest share (roughly 35%) of publicly available and identifiable XMPP servers are hosted in Russia. According to research by Flashpoint back in 2017, XMPP was considered the gold standard for communication in underground communities and was the most popular communication tool among Russian-speaking cybercriminals. Looking today at the preferred communication methods of cybercriminals in Deep Web forums and at the number of servers hosted in Russia, it is clear that the popularity of XMPP has not declined since the Flashpoint study.
Dark Web Hacking Forums
It is easy to find freely available malicious software on the Dark Web if you know where to look. While the marketplaces do not provide that many options, they are not our only resource. We can search Dark Web hacking forums, which, compared with Deep Web ones, host discussions of a different calibre. We still see no talk of zero-day vulnerabilities and exploits, however; those are far too valuable to be sold under the uncertain conditions these sites provide. If you happen to be in possession of a zero-day, your best option is probably to report it directly to the vendor of the vulnerable software, since bug bounty programmes these days can be very generous.
One of the findings of F-Secure’s research on Dark Web forums as part of the CC-DRIVER project was that multiple ‘suppliers’ were giving out numerous variants of trojans and ransomware – all for free. This is most likely the reason for the lack of malware being sold on Dark Web marketplaces. There’s no point in paying for something if you can get it for free.
While some of the malware in Fig. 4 is ancient and not necessarily common these days, other offerings are widely used. For instance, at the beginning of January 2021 the WannaCry family was still one of the most frequently detected, according to F-Secure’s internal data.
An interesting example of malware offered in Dark Web hacking forums is Agent Tesla, a spyware, information-stealing and keylogging Trojan seen in numerous cyberattacks ranging from opportunistic to more advanced targeted attacks.
In the past, Agent Tesla was available via a SaaS (Software-as-a-Service) model, with the price determined by the features a buyer selected. In addition to the software itself, the author provided customers with 24/7 technical support. The website for Agent Tesla “as a service” has recently been closed, but multiple versions of the malware continue to be easily available and regularly updated, contributing to its prevalence. Essentially anyone today can acquire a copy of Agent Tesla on the Dark Web, either by downloading a free version or by paying for a richer feature set, and integrate it into their own attacks.
According to our data, Agent Tesla came in first in the number of detections between June and September 2020. Ever since then it has been steadily declining, scoring ~200 daily detections in mid-January 2021, down from ~550 detections per day a month earlier. However, in November 2020 there was a huge spike – we observed up to ~2000 Agent Tesla detections per day during early-to-mid November. The countries most targeted by this malware were Germany and Japan, followed by Estonia and the United States. The November spike was apparently caused by a large-scale campaign targeting Germany and the United States, with ~1400 daily detections in Germany and ~600 in the United States.
The most popular distribution method for Agent Tesla is e-mail. It was especially prominent during the Covid-19-related wave of phishing campaigns. In March and April 2020, for example, tailored campaigns targeted organisations in the energy sector with credible-looking phishing e-mails whose purpose was to infect the recipients with the malware. In January 2021, Agent Tesla was in the top 15 e-mail threats, seen mostly in phishing e-mails themed around purchase orders and invoices.
Wrapping it up
In our research we found that certain Dark Web forums provide much richer malware collections and hacking services than can be found in Deep Web forums and Dark and Deep Web marketplaces. They also offer far more compromised devices on sale and other cybercrime-related material.
It is therefore clear that Dark Web hacker forums are of utmost interest to law enforcement and cybersecurity researchers. CC-DRIVER’s investigation of cybercrime-as-a-service operations and processes will inform the development of cybercrime awareness and investigation tools for law enforcement agencies to facilitate following the threat landscape and disrupting criminal operations. Cybercrime awareness tools will provide up-to-date intelligence on trends and attacker tactics in cybercrime, while incident investigation tools will improve analysis automation and data mining capabilities.
Contact us for more information on the project and further updates, sign up to our newsletter to receive updates about CC-DRIVER research results and updates on the development of our tools and follow us on Twitter and LinkedIn.