Tags: crimeware, Darknet, hacking
Just like legitimate web commerce, the dark side of the web has become a place where you can find nearly anything, no matter how niche. Thieves are taking entrepreneurial pursuits to new levels by offering cybercrime-as-a-service. Damballa’s Threat Discovery Center selected a few posts from forums we monitor that are interesting and even disturbing. They show an underground economy that is thriving and diversifying.
Want to legitimize your malware? There’s a service for that, and it’s called ‘certs4you.’ The fraudsters provide certificates they claim are from legitimate authorities such as Comodo, Thawte, DigiCert and others. The certificates on offer cover Code Signing, Cross-signing, EV Code Signing, Code Signing WFR, Multi signing and others.
What are the risks? Criminals can use stolen certificates to sign their malware so that the files look like legitimate, trusted software and slip past controls that give signed code a pass. A valid signature proves only that the holder of the private key signed the file, not that the file is benign. Stuxnet, for instance, was signed with code-signing certificates stolen from legitimate hardware vendors (certificates those vendors had obtained from well-known authorities) to bypass security measures. More recently, Duqu 2.0 was reported to have used a stolen certificate to sign some of its components. A stolen certificate gives criminals’ malware a veneer of legitimacy that helps it remain persistent inside victim networks for long periods of time.
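To make that risk concrete, here is an added example (not part of the original post, and not Damballa’s code) in Go. It builds a toy PKI with a hypothetical CA and a hypothetical hardware vendor, signs a benign installer and a malicious payload with the same vendor key (as a thief who stole it would), and runs both through the checks a defender applies. It uses Go’s standard-library x509 and ECDSA in place of Authenticode, so the packaging is simplified, but the point carries over: chain validation and the signature check pass for both files, and only revocation separates them. The CA name, vendor name, serial numbers and file contents are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedFile stands in for a signed binary: bytes, the leaf certificate shipped with it, signature.
type SignedFile struct {
	Name string
	Data []byte
	Cert *x509.Certificate
	Sig  []byte
}

func check(err error) { // demo scaffolding: setup errors abort the run
	if err != nil {
		panic(err)
	}
}

// issue mints a certificate for a fresh P-256 key, signed by parent, or self-signed when parent is nil (our stand-in CA).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// Sign is what the vendor's build pipeline does, and exactly what a thief
// holding the same private key does: the two outputs are indistinguishable.
func Sign(name string, data []byte, cert *x509.Certificate, key *ecdsa.PrivateKey) SignedFile {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return SignedFile{Name: name, Data: data, Cert: cert, Sig: sig}
}

// Verify checks chain, code-signing key usage and signature, then revocation (revoked holds
// leaf serial numbers, a tiny CRL). Only the revocation step can tell a stolen-key signature
// from a genuine one, and only once the owner has noticed the theft and the CA has acted.
func Verify(roots *x509.CertPool, revoked map[string]bool, f SignedFile) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := f.Cert.Verify(opts); err != nil {
		return fmt.Errorf("%s: untrusted chain: %w", f.Name, err)
	}
	if err := f.Cert.CheckSignature(x509.ECDSAWithSHA256, f.Data, f.Sig); err != nil {
		return fmt.Errorf("%s: bad signature: %w", f.Name, err)
	}
	if revoked[f.Cert.SerialNumber.String()] {
		return fmt.Errorf("%s: signer %q has been revoked", f.Name, f.Cert.Subject.CommonName)
	}
	return nil
}

// RunScenario plays out the abuse: the vendor signs its installer, a thief signs
// malware with the stolen key, and the CA later revokes the certificate. It
// returns the verification result at each of those three points.
func RunScenario() (vendorErr, stolenErr, revokedErr error) {
	now := time.Now()
	ca, caKey := issue(&x509.Certificate{ // hypothetical CA, not a real authority
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Public CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	vendorCert, vendorKey := issue(&x509.Certificate{ // hypothetical vendor
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Hardware Vendor Ltd"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	revoked := map[string]bool{}
	installer := Sign("driver-setup.exe", []byte("constructed benign installer"), vendorCert, vendorKey)
	// The thief holds vendorKey, so the malware carries the vendor's genuine certificate.
	malware := Sign("update.exe", []byte("constructed malicious payload"), vendorCert, vendorKey)
	vendorErr = Verify(roots, revoked, installer)
	stolenErr = Verify(roots, revoked, malware) // nil: nothing in the signature betrays the theft
	revoked[vendorCert.SerialNumber.String()] = true // the vendor reports the theft and the CA revokes 4242
	revokedErr = Verify(roots, revoked, malware)
	return vendorErr, stolenErr, revokedErr
}

func main() { fmt.Println(RunScenario()) }
```

Two practical caveats follow from the scenario. Once serial 4242 is revoked, the vendor’s genuinely signed installer fails the same check unless its signature carries a trusted timestamp predating the revocation, which is why Authenticode timestamping matters; and revocation only helps if the verifying host actually fetches the CRL or OCSP response rather than treating a well-formed chain as sufficient.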
Criminals are also buying account information from well-known businesses so they can obtain personally identifiable information (PII), including email addresses and credit card numbers linked to the accounts. Such information helps attackers craft social engineering attacks against personnel at the target company and ultimately gain access to internal systems. Once inside, they can conduct an array of criminal activity, such as asking accounts payable to approve a fraudulent wire transfer, reading email for insider information, or conducting cyber espionage.
Herken is looking for iTunes, Google Play, Target, GameStop, Xbox and PSN accounts, buying them in bulk to harvest personally identifiable information:
Stacks M, meanwhile, is looking for Desjardins and TD bank accounts (both Canadian financial institutions):
Accounts from the following email providers are sold for $4 to $10 each, with a minimum purchase of $100 (1000 rubles = around $14 at the time):
Mail.ru = $56
Yandex.ru = $84
Rambler.ru = $84
Gmail[.]com = $112
International Phone Flood Service
An oldie but goodie, the international phone flood service essentially jams phone lines, much as a Distributed Denial of Service (DDoS) attack does to web sites. It is typically used against business competitors, especially those that rely heavily on phone communications, such as call centers.
Here’s how it would play out. Company A is unhappy with Company B and hires cybercriminals to flood Company B’s phones for an extended period. This can prevent the victim company from processing orders, talking to customers, responding to the press, you name it. The same attack can also be aimed at mobile phones.
Contact information for this IPF service is:
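A defender on the receiving end sees a flood in the call-detail records (CDRs) of the PBX or SIP trunk before anyone explains what is happening. The following is an added example, not part of the original post, in Go: it parses a small constructed CDR sample (RFC 3339 timestamp, caller, callee, duration in seconds, a format chosen for this example rather than any vendor’s export) and flags any dialled number whose busiest 60-second window holds more than four calls, also counting distinct callers and near-zero durations, two traits of a flood from spoofed or rotating numbers. Thresholds and phone numbers are hypothetical; tune them to your own baseline.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
	"time"
)

// Call is one call-detail record: arrival time, calling number, dialled number, duration.
type Call struct {
	At       time.Time
	Caller   string
	Callee   string
	Duration time.Duration
}

// FloodAlert summarises the busiest window seen for one dialled number.
type FloodAlert struct {
	Callee          string
	Calls           int // calls inside the busiest window
	DistinctCallers int // high when caller IDs are spoofed or rotated
	ShortCalls      int // calls no longer than the hang-up-immediately threshold
}

// ParseCDR reads "RFC3339,caller,callee,duration_seconds" lines (a constructed format).
func ParseCDR(text string) ([]Call, error) {
	var calls []Call
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed CDR line %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		secs, err := strconv.Atoi(f[3])
		if err != nil {
			return nil, err
		}
		calls = append(calls, Call{at, f[1], f[2], time.Duration(secs) * time.Second})
	}
	return calls, nil
}

// DetectFloods slides a window over each dialled number's calls and alerts when the busiest
// window holds more than maxCalls calls, also counting distinct callers and calls <= shortCall.
func DetectFloods(calls []Call, window time.Duration, maxCalls int, shortCall time.Duration) []FloodAlert {
	byCallee := map[string][]Call{}
	for _, c := range calls {
		byCallee[c.Callee] = append(byCallee[c.Callee], c)
	}
	var alerts []FloodAlert
	for callee, cs := range byCallee {
		sort.Slice(cs, func(i, j int) bool { return cs[i].At.Before(cs[j].At) })
		bestStart, bestEnd, start := 0, -1, 0
		for end := range cs {
			for cs[end].At.Sub(cs[start].At) >= window { // slide past calls that left the window
				start++
			}
			if end-start > bestEnd-bestStart {
				bestStart, bestEnd = start, end
			}
		}
		if n := bestEnd - bestStart + 1; n > maxCalls {
			callers, short := map[string]bool{}, 0
			for _, c := range cs[bestStart : bestEnd+1] {
				callers[c.Caller] = true
				if c.Duration <= shortCall {
					short++
				}
			}
			alerts = append(alerts, FloodAlert{callee, n, len(callers), short})
		}
	}
	return alerts
}

// SampleCDR is a constructed log: two ordinary calls to the sales line, then a
// burst of very short calls from rotating numbers against the support line.
const SampleCDR = `2015-07-14T09:00:00Z,+15550001,+15550100,185
2015-07-14T09:04:10Z,+15550002,+15550100,62
2015-07-14T09:10:00Z,+15550301,+15550199,2
2015-07-14T09:10:03Z,+15550302,+15550199,1
2015-07-14T09:10:06Z,+15550303,+15550199,0
2015-07-14T09:10:09Z,+15550304,+15550199,3
2015-07-14T09:10:12Z,+15550301,+15550199,2
2015-07-14T09:10:15Z,+15550305,+15550199,1`

// AnalyzeSample runs the detector: 60-second window, more than four calls is a flood, five seconds is "short".
func AnalyzeSample() []FloodAlert {
	calls, err := ParseCDR(SampleCDR)
	if err != nil {
		panic(err)
	}
	return DetectFloods(calls, time.Minute, 4, 5*time.Second)
}

func main() { fmt.Printf("%+v\n", AnalyzeSample()) }
```

The sliding window (rather than fixed one-minute buckets) matters because a burst straddling a bucket boundary would otherwise be split in two and fall under the threshold. On a real trunk, feed the detector from the SBC or PBX CDR export and alert on the combination of volume, caller churn and near-zero durations rather than on volume alone, since a legitimate marketing campaign can also spike call volume.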
Jabber: [email protected][.]at
The ICQ number 3333336 led us to an email address [email protected][.]ru and a person named Artur Kudukhov on Facebook:
But based on the registration details of the website ostv[.]ru, his name could be Oleg S Kudukhov. At this point, it is difficult to be certain of his real identity.
Cybercriminals appear to be upping their game with a personal concierge service that appeared recently and is still under construction. The website looks very similar to that of Quintessentially, a personal concierge company founded in the UK in 2000. The criminals offer luxury services such as travel bookings. It is unclear whether the service is meant for high-profile criminals who can afford it or is intended for use in a malicious campaign.
Stolen accounts found on the Darknet
Forbidmarket[.]com was an online marketplace that was shut down before it could take off. Its darknet counterpart, kh75fq57ccqwbbyz[.]onion, met the same fate. Alongside drugs, one user advertised Netflix accounts for sale:
In today’s digital economy, nearly everything can be bought as a service, and cybercrime is no exception. The Darknet and criminal forums have become a thriving marketplace where you can find any service, no matter how unique the niche or how high the price. Like any other economy, the cybercrime economy has to sustain itself to survive, so new and diversified offerings are created to satisfy a growing global demand.
— Loucif Kharouni
Senior Threat Researcher, Damballa