How do cybercriminals operate in the world’s underground markets? Each country has its own distinct markets and own flavor, according to Ryan R. Flores, senior threat research manager at Trend Micro. In his session at RSA Conference APJ 2016 in Singapore, Flores discussed the ways the world’s largest underground markets function, revealing the ways hackers make money off of the data they steal.
“A lot of these underground markets are different, and they’re different in a way that’s affected by their culture … and by the cybercrime that’s going on in that country,” Flores said.
Crimeware is abundant in the world’s underground markets. Criminals can also buy stolen data and fake IDs. “The stolen data can be used and is being used for social engineering attacks, for doxing certain companies. If you go in the deep web there are a lot of fake IDs that are being made available,” Flores said. “And in the dark web there are a lot of drugs and weapons and other real life services that are criminal in nature.”
Criminals also seek out infrastructure hosts that are “immune to takedown” and who do not “play well with law enforcement.”
Where are the world’s biggest underground markets?
“Mother Russia is probably the oldest and most mature underground market that there is, bar none,” Flores said.
He said it’s existed since at least 2004, but may be older, and the primary products are crimeware kits. They’ve also introduced malware as a service, a subset of which is ransomware as a service.
Credit card forums with strict quality controls and administrators, which require cybercriminals to pay a $50 membership fee, can themselves rake in millions. Malware services come with guarantees that the malware won’t be detected by antivirus products, he said; if it is, the service providers supply new malware.
“Recently we’ve been seeing a lot of home routers that are being offered for rent or for sale. These home routers are affected by some malware or some scripts that can be used, for example, for DDoS. Some of the major botnets around are running on compromised phone routers,” Flores said.
Money laundering is also rampant on the Russian market. “How to cash in your earnings? That’s a pain point for cybercriminals,” he said. “The Russian services being offered realize this and they are offering money laundering services.”
The Chinese market, the second largest, is “not very visible to the rest of the world,” Flores said.
As with much of the commercial Internet, China has its own versions of cybercrime forums, and they operate differently from other underground markets. Participants communicate through QQ groups, and two markets, SHEYUN and CNSEU, sell stolen data. SMS spam is also a problem. Online game credentials were long the most popular commodity in China; more recently, criminals are moving on to webmail and corporate accounts.
“What we’re seeing in terms of culture is that in China, the master and apprentice model for cybercriminals is common,” Flores said. “Here there are ads for teaching how to hack, teaching how to hack a backdoor, and there are also ads looking for someone to teach them how to hack, or how to create malware. This kind of culture difference is what we’re seeing in China.”
Hackers are also using large multi-SIM modems, with several SIM cards connected at once, to send SMS spam or conduct phone scams.
“Before I was very adamant about this operation – what can they do? But it has come to my attention that there are a lot of people being scammed and victimized in countries like Singapore or in places like Hong Kong whose population is Chinese speaking,” Flores said. “A lot of criminals operating are using these kinds of devices.”
The third largest market is the English-speaking market, which includes the U.S., U.K. and Canada. It is not as mature as the Russian market, and it relies heavily on the “dark web” rather than the “deep web.” Its shops are easy to access and buy from, and they traffic in stolen IDs and credit cards.
Flores said it isn’t as malware-centric as the Russian underground, and English speakers don’t care about anonymity in the same way that criminals do in other markets.
“These people are millennials. These people are young. They want to market themselves and become popular,” he said.
Brazil, meanwhile, is a hotspot for banking fraud. The Brazilian underworld is not a very mature market, but it’s existed for a long time and is very focused on regional targets. Online banking has been popular in Brazil since the early 2000s, so financial crime is common.
“Brazil is not very progressive but they have a lot of students, a lot of young people, a lot of knowledgeable people who will turn to business enterprises that are cybercriminal in nature,” he said.
The Japanese market is heavy into click fraud and pornography-themed ransomware, and drugs are readily sold. Like the Brazilian and Chinese markets, it is very regionalized, and cybercriminals use slang that makes it hard for outsiders to decipher their meaning. Early ransomware in Japan was themed around Japanese pornography.
But unlike the U.S. or Brazilian markets, the Japanese underworld is more secretive.
“It’s very hard to determine the identity of the actors behind these,” Flores said. “The Japanese underground forums are invite only – and sometimes they advertise them in print.”
“Also, one of the difficult things that we encounter is that there is a lot of slang,” he said.
The German market is the most established in Europe, outside of Russia, and also focuses on German accounts. Often its cybercrime trails lead back to Russia.
“There’s a lot of fake ID, fake passport, fake credentials being sold in the German underground,” Flores said. “We’ve seen a spike of these services when Germany opened its gates for refugees. What we’re thinking is that there is a big market for this because a lot of the refugees would want their own IDs… It’s a real life event driving demand in the underground.”
Flores finished his session with a brief overview of the Deep Web. More than 60 percent of the deep web is in English, and there are a lot of services on offer including fake passports, fake IDs and drugs. There are also murder-for-hire services that charge based on the intended victim’s level of fame and likelihood of having bodyguards.