Inside dark web marketplaces: Amateur cybercriminals



One listing for a remote access trojan (RAT) setup and mentoring service promised:

“Make money. Fast. Simple. Easy.” 

For $449, amateur cybercriminals were provided with functionalities including a full desktop clone and control with hidden browser capability, built-in keylogger and XMR miner, and hidden file manager. 

“From cryptocurrency mining to data extraction, there’s [sic] many ways that you can earn money using my RAT setup service,” the seller promised, dubbing its listing a “NOOB [newbie] FRIENDLY MENTORING SERVICE!!” 

Rise of ‘plug and play’

This is just one of countless examples in the flourishing cybercrime economy, as uncovered by HP Wolf Security. The endpoint security service from HP today released the findings of a three-month-long investigation in the report “The Evolution of Cybercrime: Why the Dark Web Is Supercharging the Threat Landscape and How to Fight Back.” 

The report’s starkest takeaway: Cybercriminals are operating on a near-professional footing with easy-to-launch, plug-and-play malware and ransomware attacks being offered on a software-as-a-service basis. This enables those with even the most rudimentary skills to launch cyberattacks. 

“Unfortunately, it’s never been easier to be a cybercriminal,” said the report’s author, Alex Holland, a senior malware analyst with HP. “Now the technology and training is available for the price of a gallon of gas.” 

Taking a walk on the dark side

The HP Wolf Security threat intelligence team led the research, in collaboration with dark web investigators Forensic Pathways and numerous experts from cybersecurity and academia. These included former black hat Michael “MafiaBoy” Calce (who hacked the FBI while still in high school) and criminologist and dark web expert Mike McGuire, Ph.D., of the University of Surrey. 

The investigation involved analysis of more than 35 million cybercriminal marketplace and forum posts, including 33,000 active dark web websites, 5,502 forums and 6,529 marketplaces. It also researched leaked communications of the Conti ransomware group. 

Most notably, the findings reveal an explosion in cheap and readily available “plug and play” malware kits. Vendors bundle malware with malware-as-a-service, tutorials, and mentoring services – 76% of malware and 91% of exploits retail for less than $10. As a result, just 2 to 3% of today’s cybercriminals are highly skilled coders. 

Popular software is also providing simple entry for cybercriminals. Vulnerabilities in Windows OS, Microsoft Office, and web content management systems were frequently discussed. 

“It’s striking how cheap and plentiful unauthorized access is,” said Holland. “You don’t have to be a capable threat attacker, you don’t have to have many skills and resources available to you. With bundling, you can get a foot in the door of the cybercrime world.” 

The investigation also found the following: 

  • 77% of cybercriminal marketplaces require a vendor bond – or a license to sell – that can cost up to $3,000.
  • 85% of marketplaces use escrow payments, 92% have third-party dispute resolution services, and all provide some sort of review service. 

Also, because the average lifespan of a darknet Tor website is only 55 days, cybercriminals have established mechanisms to transfer reputation between sites. One such example provided a cybercriminal’s username, principal role, when they were last active, positive and negative feedback and star ratings. 

As Holland noted, this reveals an “honor among thieves” mentality, with cybercriminals looking to ensure “fair dealings” because they have no other legal recourse. Ransomware has created a “new cybercriminal ecosystem” that rewards smaller players, ultimately creating a “cybercrime factory line,” Holland said. 

Increasingly sophisticated cybercriminals

Since hobbyists began congregating in internet chat rooms and collaborating via internet relay chat (IRC) in the early 1990s, the cybercrime landscape has evolved into today’s commoditized market of DIY cybercrime and malware kits. 

Today, cybercrime is estimated to cost the world trillions of dollars annually – and the FBI estimates that in 2021 alone, cybercrime in the U.S. cost roughly $6.9 billion. 

The future will bring more sophisticated attacks but also cybercrime that is increasingly efficient, procedural, reproducible and “more boring, more mundane,” Holland said. He anticipates more damaging destructive data-denial attacks and increased professionalization that will drive far more targeted attacks. Attackers will also focus on driving efficiencies to increase ROI, and emerging technologies such as Web3 will be “both weapon and shield.” Similarly, IoT will become a bigger target. 

“Cybercriminals have been increasingly adopting procedures of nation-state attacks,” Holland said, pointing out that many have moved away from “smash and grab” methods. Instead, they perform more reconnaissance on a target before intruding into its network – ultimately allowing for more time spent within a compromised environment. 

Mastering the basics 

There’s no doubt that cybercriminals are often outpacing organizations. Cyberattacks are increasing and tools and techniques are evolving. 

“You have to accept that with unauthorized access so cheap, you can’t have the mentality that it’s never going to happen to you,” Holland said. 

Still, there is hope – and great opportunity for organizations to prepare and defend themselves, he emphasized. Key attack vectors have remained relatively unchanged, which presents defenders with “the chance to challenge whole classes of threat and enhance resilience.” 

Businesses should prepare for destructive data-denial attacks, increasingly targeted cyber campaigns, and cybercriminals that are employing emerging technologies, including artificial intelligence, that ultimately challenge data integrity. 

This comes down to “mastering the basics,” as Holland put it: 

  • Adopt best practices such as multifactor authentication and patch management. 
  • Reduce attack surface from top attack vectors like email, web browsing and file downloads by developing response plans. 
  • Prioritize self-healing hardware to boost resilience.
  • Limit risk posed by people and partners by putting processes in place to vet supplier security and educate workforces on social engineering.
  • Plan for worst-case scenarios by rehearsing to identify problems, make improvements and be better prepared.

“Think of it as a fire drill – you have to really practice, practice, practice,” Holland said.

Cybersecurity as a team sport

Organizations should also be willing to collaborate. There is an opportunity for “more real-time threat intelligence sharing” among peers, he said. 

For instance, organizations can use threat intelligence and be proactive in horizon scanning by monitoring open discussions on underground forums. They can also work with third-party security services to uncover weak spots and critical risks that need addressing.

As most attacks start “with the click of a mouse,” it is critical that everyone become more “cyber aware” on an individual level, said Ian Pratt, Ph.D., global head of security for personal systems at HP Inc.

On the enterprise level, he emphasized the importance of building resiliency and shutting off as many common attack routes as possible. For instance, cybercriminals study patches upon release to reverse-engineer vulnerabilities and rapidly create exploits before organizations have patched. Thus, speeding up patch management is essential, he said. 

Meanwhile, many of the most common categories of threat – such as those delivered via email and the web – can be fully neutralized through techniques such as threat containment and isolation. This can greatly reduce an organization’s attack surface regardless of whether vulnerabilities are patched.

As Pratt put it, “we all need to do more to fight the growing cybercrime machine.” 

Holland agreed, saying: “Cybercrime is a team sport. Cybersecurity must be too.”
