The Dark Web and Underground Markets - December Update 2019

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

During the month of October, BlueVoyant noted a slight decline in the targeting of PayPal on the dark web and in underground markets. Notwithstanding, PayPal remained the top target of discussion in financial interest for the month. Crypto currency is on the rise again and carding data and bank transfers also remain high. Cryptocurrency and Card Verification Codes (CVVs) saw considerable increases from September. The trending of top targets of discussion from July to October shows some of the fluctuation. BlueVoyant uses this data to keep up with rising threat trends and to alert BlueVoyant clients accordingly. When looking specifically at where these conversations are taking place, the BlueVoyant Threat Fusion Cell separates the data to gain greater granularity. This gives them better insight into the types of forums in which financially motivated criminals are discussing these topics. The lion’s share of these discussions take place on dark web special access forums. Dark Web Special Access Forums typically require some clout within the criminal industry, or a sponsor to access. Special permissions are typically required in order to interact in these forums. The top special access forum hosting topics of interest to the financial sector in the month of October was Hack This Site Forum. The forum is primarily English speaking, and currently has over 87 thousand users and over 93 thousand posts. The site has discussion areas from programming and malware to social engineering. The site includes a disclaimer that the operators do not support illegal activities; however, it does not appear that anything is done to stop it. Underground Forums do not necessarily require any special permissions and can typically be accessed by anyone. Some forum sections may be unavailable to general users; however, for the most part, anyone can post, reply, purchase, and sell on these forums. Hack Forums is the top underground forum for the month of October. This forum is closing in on a million users, primarily English speaking. This site also proclaims not to promote illegal activities; however, they make no effort to stop it. The forum does not vet any applications, verify its vendors, or offer an escrow service. It is essentially a free-for-all. The site offers educational tutorials, “crypting” services, gaming hacks, phishing schemes, exploits, and more. Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated. Joker’s Stash takes the top spot in dark web marketplaces for the month of October. Joker’s Stash is a notorious marketplace, primarily English speaking, which initially focused on carding activities. The site has since beefed up operations and infrastructure to support its increasing number of supporting members and products available. The site now offers a variety of Personally Identifiable Information (PII) including social security numbers and other data that could be used in a multitude of attack vectors. Investigation into the infrastructure of Joker’s Stash revealed the team behind the site is currently operating on over 500 domains and over 50 servers. Researchers believe this infrastructure is spun up and down to handle surges in activity when large data dumps become available, which typically coincide with major breaches.