Introduction: what are underground markets?

Underground markets offer all kinds of compromised data: credit and debit card details, access to user accounts, RDP and SSH access to computers, passport details and other personal information belonging to citizens of various countries, access to servers and website administrator panels, and much more.

These underground markets are grounds for unreported economic activity and crimes orchestrated by cybercriminals or threat groups, as they allow such actors to interact, exchange knowledge, and trade in products and services. Cybercriminals often use underground forums and marketplaces to buy and sell stolen data, exploit kits, and other tools that can be used in cyberattacks.

These forums typically require users to have some level of technical knowledge to access and participate in discussions, and they may use encryption or other security measures to maintain anonymity and protect their members.

How do cybercriminals access the underground market?

Many cybercriminal operations today run like businesses, with sophisticated organizational structures, strategic planning, and a keen focus on maximizing profits. The underground forums and marketplaces act as a breeding ground for criminal activities and are estimated to generate hundreds of billions of dollars in revenue each year.

These marketplaces can be difficult to access and may require membership fees or other forms of verification to ensure that only trusted members are allowed to participate. Those who access these marketplaces for illegal activities are very efficient in covering the tracks of their operations. As a result, law enforcement agencies and cybersecurity professionals face significant challenges in detecting and disrupting cybercrimes.

Some of the sophisticated techniques that cybercriminals use to keep their operations unhindered are:

  • Anonymity: cybercriminals often use aliases and fake identities to conceal their true selves, which makes it difficult for cybersecurity agencies to track them down. They may also use virtual private networks (VPNs) and other tools to hide their IP addresses and location.
  • Encryption: encryption is often used by cybercriminals to protect communications and data from being intercepted or compromised.
  • Restricted access: many underground forums and marketplaces require users to have some level of technical knowledge and/or to pay membership fees or provide referrals to gain access. This helps to keep out law enforcement and other prying parties and ensures that only trusted members are allowed to participate.
  • Disposable links: cybercriminals are increasingly using disposable links (also known as one-time or single-use links) to avoid leaving a digital footprint that can be traced back to their activities. These links are difficult to track and monitor, as they are often used in combination with other techniques to conceal the identity and location of the cybercriminals.

Underground market crime trends: Group-IB’s Hi-Tech Crime Trend Report 2022-2023

  • Lately, more and more corporate and individual access has been put up for sale on the dark web and underground forums, giving attackers a window of opportunity to penetrate a target organization’s network more easily, by finding victims more quickly and skipping the first stages of an attack. Underground markets contain a lot of credentials for the internal authentication systems of large companies. Group-IB’s Threat Intelligence monitors for such data and informs customers if the data emerges in underground stores. For example, during the reporting period (H1 2021 – H2 2022), our threat intelligence team discovered that 1,988 corporate accounts for the elogin.com domain were put up for sale.
  • Dark web forums: access brokers put up ads for illicit access to web panels (CMS, cloud solutions, etc.), web shells on compromised servers, access with administrator rights, access to corporate emails belonging to top management, FTP servers, and web access to RMM.
  • The most popular underground markets that sell such information are MagBo, Russian Market, Genesis, Orvx, Odin, and others.
  • Bank card data and stealer logs are the most sought-after information, but various types of access such as web shells, cPanel, and RDP are also in high demand.

Let’s discuss each of these in detail:

Stealer logs are data that threat actors collect from computers infected with stealer malware. Stealers can gather any personal data, including credentials from browser metadata.

All data collected by stealers could be of interest to threat actors. The most valuable types are:

  • Cookies
  • Credentials
  • Browsing fingerprints
  • Local files in messengers that make it possible to sign into an account without entering the login and password
  • Cryptocurrency wallets
  • Various files from the victim’s computer
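As an added example (not code from this post or from Group-IB), the script below triages a constructed stealer-log dump against an organization's own domains, the way a monitoring service like the one described above would: it flags credentials for corporate hosts, flags corporate e-mail logins reused on third-party sites, drops duplicate lines, ignores look-alike domains, and masks the secrets before the hits are handed on for a forced reset. The pipe-separated `URL | login | password` line format, the example-corp.com domain and the sample lines are assumptions.

```python
# Added example (not Group-IB code): triage a constructed stealer-log dump against
# an organization's monitored domains. Assumes "URL | login | password" lines.
from urllib.parse import urlsplit

SAMPLE_LOG = """\
https://mail.example-corp.com/owa/ | jdoe@example-corp.com | Winter2022!
https://vpn.example-corp.com/ | jdoe | Winter2022!
https://social.example.net/login | jdoe@example-corp.com | hunter2
https://mail.example-corp.com/owa/ | jdoe@example-corp.com | Winter2022!
http://shop.example-corp.com.evil.test/ | victim | pass
garbage line without separators
"""  # constructed sample, not real stealer-log data
MONITORED_DOMAINS = {"example-corp.com"}  # hypothetical organization

def parse_entry(line):
    """Return (host, login, password), or None for lines that do not parse."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 3 or not parts[0]:
        return None
    url = parts[0] if "://" in parts[0] else "http://" + parts[0]
    host = (urlsplit(url).hostname or "").lower()
    return (host, parts[1], parts[2]) if host else None

def host_in_scope(host, domains):
    """Exact domain or true subdomain; the '.' boundary keeps look-alikes such
    as example-corp.com.evil.test out of scope."""
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(log_text, domains):
    """Unique (host, login) hits with a reason and the password masked."""
    seen, hits = set(), []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        host, login, password = entry
        login_dom = login.rsplit("@", 1)[1].lower() if "@" in login else ""
        if host_in_scope(host, domains):
            reason = "corporate service"  # credential for one of our own systems
        elif login_dom in domains:
            reason = "corporate login on third-party site"  # password-reuse risk
        else:
            continue
        if (host, login.lower()) in seen:  # dumps often repeat the same line
            continue
        seen.add((host, login.lower()))
        hits.append({"host": host, "login": login, "reason": reason,
                     "password": password[:1] + "*" * (len(password) - 1)})
    return hits
```

Matching on the login's e-mail domain, not only on the URL host, is what catches corporate accounts that surface in logs from unrelated sites.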

Web shells: Web shells are malicious scripts that cybercriminals inject to maintain persistent access on compromised web servers. They are used as the second step after a system or network is compromised by exploiting vulnerabilities. As a result, threat actors can use the web shell as a persistent backdoor on the targeted web server and all connected systems.

The main supplier of web shells on the dark web is a market called MagBo. Between July 1, 2021, and June 30, 2022, more than 284,000 web shells were detected on this market.

RDP: RDP, or Remote Desktop Protocol, is a protocol for using a computer remotely. Most threat actors buy RDP access to hide traces of their activities from security systems. At the same time, RDP can also be the first step of a full-fledged attack on a company if the computer that was accessed is connected to one or more corporate networks.

In H2 2021 – H1 2022 Group-IB systems detected more than 65,000 instances of RDP access put up for sale on underground markets.

cPanel: cPanel is one of the most popular web hosting control panels. After gaining access to it, threat actors are able to control the web resource completely. Access to cPanel is therefore in high demand on underground markets.

In H2 2021 – H1 2022, Group-IB detected more than 25,000 instances of cPanel access put up for sale on underground markets. The most popular markets are Odin, Orvx, and Xleet.

Infiltrating the underground markets to stop cybercrime in its tracks

Underground forums are a complex network of groups that use various self-managed platforms to share information and TTPs. These platforms are selected based on their ability to ensure anonymity and avoid detection.

Unfortunately, these forums are also used for criminal activities, such as selling malware and providing compromised data services.

Cybersecurity service providers attempt to infiltrate these groups to gain valuable information despite the risks involved. Monitoring these forums can help uncover emerging cybercrime trends, identify new cyber threats, and detect new variations of existing malware.

Some of the key areas of focus in this research include:

  • exploring underground forums to find crucial insights into emerging threats, such as new malware strains, exploitation methods, and social engineering tactics. Cybersecurity teams can use it to evaluate the risks to their organization and develop strategies for mitigating those risks.
  • underground forums can be a rich source of malware samples for researchers to analyze. By studying the behavior and code of these samples, cybersecurity professionals can gain a deeper understanding of how they operate and develop effective defenses against them.
  • underground marketplaces are frequently used by cybercriminals to coordinate their activities and communicate with each other. This makes them a valuable source of evidence for law enforcement agencies investigating cybercrime. By examining these forums, investigators can learn more about the motivation, targets, and techniques used by cybercriminals, and use this information to build cases against them.
  • social engineering is a common tactic used by cybercriminals to deceive individuals and obtain sensitive information. By analyzing the language and techniques used in underground forums, cybersecurity professionals can gain a better understanding of social engineering and develop effective strategies to counter it.

Group-IB Threat Intelligence: Monitor the underground market to stay ahead of cybercrime

To effectively respond to the constantly evolving landscape of cyberattacks, organizations must have a strong understanding of cyber threats. This knowledge allows them to detect early signs of an attack and gain visibility into the TTPs used by adversaries. Studying the underground marketplaces can give businesses an edge and help them protect themselves against the trading of stolen digital credentials.

Group-IB Threat Intelligence monitors for such data and informs organizations in real time if their data emerges in underground stores. Group-IB’s attribution-based intelligence system makes it possible to monitor all posts on underground forums and identify the sources of data leaks. This allows organizations to quickly respond to potential threats and take steps to protect their sensitive information.