The Dark Web and Underground Markets - February 2020 Update

February 13, 2020 | 3 min read

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

In the month of November, BlueVoyant’s tracking of the dark web and underground markets showed some interesting findings. PayPal dropped down to third on the list of most popular topics of discussion in financially related posts. A large bump in posts related to buying and selling BIN information became apparent, with CVVs not far behind. Cryptocurrency and Carding remain high on the list as well. There was also a rise in the direct targeting of JP Morgan Chase.

Trending of the top financially motivated forum topics from August to November shows both the sharp climb of BIN and CVV posts and the steady decline of PayPal. Cryptocurrency also shows a decline of nearly 50 percent from September after a steady rise from July to October.

While dark web special access forums still account for the biggest share of these discussions, dark web markets and underground forums increased from October to November in the overall share of these topics by 12%, 33% and 26% respectively.

Dark Web Special Access Forums typically require some sort of clout in the criminal industry or a sponsor to access. These forums typically require special permissions to interact.

The top special access forum hosting topics of interest to the financial sector in November was Club2CRD. Club2CRD is a Russian- and English-speaking forum, primarily focused on financial fraud. It is not uncommon to see vendors posting credit card numbers, checks, and even bank statements within the forum. The site currently has over 135k members and over a quarter of a million posts.

Underground Forums do not necessarily require any special permissions and can typically be accessed by anyone. Some forum sections may be unavailable to general users. For the most part, anyone can post, reply, purchase and sell on these forums.

Nulled Forum was the top underground forum in the month of November. The forum is primarily English speaking and averages around 2k new registrants daily. The Nulled Forum site is filled with cracked software, various malware exploits, and data dumps. The forum is divided into multiple sections: regular, VIP, Aqua, and Nova. Each section is accessible based on member privilege.

Dark web marketplaces exist for cyber criminals to sell compromised credentials and access. These sites often sell various payment account details and credit card information along with any other data deemed valuable. Some are automated while others are heavily moderated.

Joker’s Stash and Slilpp Market shared the top spot in dark web marketplaces for the month of November. Joker’s Stash is a notorious marketplace, primarily English speaking, which initially focused on carding activities. The site has since beefed up operations and infrastructure to support its increasing number of supporting members and products available. The site now offers a variety of Personally Identifiable Information (PII) including social security numbers and other data that could be used in a multitude of attack vectors. Investigation into the infrastructure of Joker’s Stash revealed the team behind the site is currently operating on over 500 domains and over 50 servers. Researchers believe this infrastructure is spun up and down to handle surges in activity when large data dumps become available, which typically coincide with major breaches.

Slilpp Market is a Russian- and English-speaking forum. The market is full of compromised credentials for various financial organizations and credit cards from a multitude of vendors. The market operates two sites, one on the surface web and one on the dark web.