Movies and other popular media have always cultivated the image of one huge, homogenous global crime syndicate that controls everything behind the scenes—a dark underbelly of the law-abiding world that peddles everything from the blatantly illegal to the lawfully murky. But through our own in-depth forays into the cybercriminal underground, we found that the real underground scene is nothing like the popular Hollywood scenario.
The Chinese underground is at the forefront of cybercriminal technology, where leaps and bounds in the latest crimeware are not only made, but also tested.
In the six times that we’ve snuck into enemy territory, we found six completely different cybercriminal economies. Of course, they’re not that wildly disparate—they still share the same vital trait of being a den of cyberthieves, peddling their wares to one another as well as to those looking to start out. But their differences are distinct enough to highlight—not only to distinguish them but perhaps also help the industry identify where future cybercriminal attacks can start from.
That said, how do they differ?
First off: Identity. Each cybercriminal underground we’ve investigated has its own unique characteristics. The Russian underground, for example, has a very standoffish feel to it, where each participant in a “transaction” is fully aware that whoever they’re dealing with may be lacking in scruples (since they ARE cybercriminals, after all) and thus takes precautions—like using escrow services—to avoid being double-crossed.
Second: Product/Service lineup. It’s easy enough to assume that each cybercriminal underground will offer the same kinds of products and services, and any differences would lie in the language they use. The truth is that each cybercriminal underground has its own set of "exclusive" offerings. Japan, for example, is the only cybercriminal underground that offers child pornography as a purchasable product. The North American cybercriminal underground, on the other hand, offers not only illegal drugs to customers, but also murder-for-hire services. The Chinese underground offers hardware designed to facilitate cybercriminal activities, like card skimmers that automatically send stolen information from skimmed cards through Short Message Service (SMS).
Third: Accessibility to newcomers. Just like getting inducted into the world of organized crime, getting into cybercrime is easier in some places and harder in others. In Japan, cybercriminal forums and pages are closed off to outsiders through passwords that involve specific cybercriminal jargon and obscure terminology in their native tongue (Nihongo). This keeps out not only foreigners but also those in law enforcement. In contrast, the North American cybercriminal underground lays everything out in the open; product menus and price lists can be seen on the Surface Web, and even their how-to guides can be easily found on mainstream online media sites. It’s so open that anyone can go to YouTube right now and watch a tutorial on how to use a remote access tool (RAT).
Like a well-functioning assembly line, automation has become the name of the game in the Russian underground; each player strives to go to market first.
As the leader in cybercrime innovation, the Chinese underground can be considered a prototype hub, selling not just the latest in software and services but also hardware.
The Japanese underground veers away from tradition (creating and distributing malware) and instead caters to those on the lookout for the taboo.
The German market is a niche, boasting wares (treuhand services and stolen Packstation accounts) that are uniquely German.
Like a glass tank, the North American underground is not a locked vault accessible only to the tech-savviest of hackers, but rather open and visible to both cybercriminals and law enforcement.
MIDDLE EAST & NORTH AFRICA
An ironic confluence of ideology and cybercrime characterizes the region, where a “spirit of sharing” and sense of brotherhood support crimeware distribution.
The days when the region was known only as the cradle of so-called 419 scams are past. It now has a budding underground market that’s ruled by two major types of cybercriminals—so-called “Yahoo boys” and “next-level cybercriminals.”
As the fastest route to cybercrime superstardom, any aspirant can gain overnight notoriety in the Brazilian underground with just a little bit of moxie and the right tools and training.
The French underground is not only well-hidden in the Dark Web, its players also operate with extreme caution.
Some more interesting highlights from each cybercriminal underground:
Users in the Japanese underground are fond of using a secure communication service called "SAFe-mail."
Despite the fact that people found in possession of materials related to child pornography can be fined up to US$8,351 and imprisoned in Japan since 2014, the country's underground remains rife with the illicit content.
Brazilian cybercriminals’ brazenness is manifested in their use of publicly accessible platforms such as Facebook, Twitter, and YouTube for malicious activities.
Bank fraud remains a surefire way for Brazilian cybercriminals to make money. Ransomware; KAISER malware, which can bypass tokenization systems; keyloggers such as Proxy and Remota; and Domain Name System (DNS) changers remain underground mainstays.
Most of the products and services offered—“secret” weapons; suicide/euthanasia kits; mailbox master keys; fake bills, receipts, car registrations, and checks; bank-account-opening services; and driver’s license points—answer a need in the real world.
French underground market players are wary not only of law enforcement agencies that enforce stringent cybercrime laws, but even of fellow players (forum/marketplace/autoshop administrators and members) who may be working with the former.