For years, sellers of illegal goods and cybercriminal services have been thriving in underground markets and forums all over the globe. These marketplaces shift and evolve like legitimate spaces, adapting to buyer needs, supply issues, and new technology. Available commodities and prices respond quickly to issues in the public sphere. For example, the coronavirus pandemic has inspired many underground sellers to pivot to selling toilet paper and respirators. The market is also seeing a significant increase in goods or services for social engineering scams using the words “coronavirus” or “Covid-19.”
Trend Micro Research has been investigating these spaces for around a decade, and business in these markets mostly revolves around the selling of malware, compromised accounts, electronics, and huge databases of valuable information. In 2019, changes in the public sphere provoked changes in the underground markets as fake news and cyberpropaganda services proliferated. Avenues of communication changed, along with the way forums and marketplaces operate. Threat actors are also currently looking for new ways to monetize AI-based technology as tools improve.
This research paper traces the evolution of these marketplaces, giving detail and insight on how the current condition compares with the past. We also predict future trends to help users and enterprises stay ahead of the curve.
What does the underground have to offer?
The underground market comes with a handful of staples: stolen accounts, fake documents, credit card credentials, and useable malware. Currently, the top offerings are stolen accounts (banking, social media, streaming services and music services), gaming-related content, and credit cards.
The Current State of Underground Markets
Fake News and Cyber Propaganda Tools Gain Popularity
Fake news and cyberpropaganda services offered in these underground spaces involve the exploitation of social networks; typically used to advertise or push a certain message or agenda. In underground markets, large scale social media manipulations are readily available: fake comments, bogus social media likes, post boosting, and more. These services are sold at extremely low prices; for example, 1,000 Instagram likes can go for 15 cents.
Cybercriminals generally use autonomous bots, real people, or crowdsourcing programs to manipulate social media platforms. The Russian underground maintains the lowest-priced fake news services among the other forums, and prices have remained steady since 2017.
Aside from these services, user databases are also sold to those wanting to create cyberpropaganda campaigns. Outdated voter databases are often shared for free, while more current databases are put up for sale. Compromised voter databases combined with other user data can help malicious actors craft effective propaganda. For example, key data points can be used to create a target profile for a specific countries’ electorate.
Fig. 1: A dark web marketplace offering voting databases for US$9.99 each as of Nov 12, 2019, from a seller with 100% feedback
Access-as-a-Service Becomes Popular
“Access-as-a-service” is selling access to hacked devices or corporate networks. This service has been available in the underground for years, but sellers have multiplied within the last year. Across the forums, we found different levels of access being sold: executive-level credentials, remote desktop access, administrative panels, cloud storage, email accounts, and even full network access to companies. Typically, ransomware, credential stealing, malware, or botnets are used to compromise devices or enterprise systems.
Many of these offerings are found on the Russian forum Exploit[.]in. One malicious actor was selling access to a U.S. insurance company for US$1,999, and a European software company for US$2,999. Insider access to Fortune 500 companies can go for up to US$10,000.
Fig. 5: Network access to a U.K. company
Darkweb Marketplace Users Lose Trust
Law enforcement entities have been rapidly shutting down underground marketplaces, particularly in 2019. Usually, after a major marketplace shuts down, users simply migrate to another coexisting space. However, there is currently no dominant and stable marketplace.
Forum users are quickly losing faith in underground forums and marketplaces. Along with law enforcement issues, there are also fears that administrators are planning exit scams. Sites are also having trouble maintaining stable operations. Empire, one of the few remaining top markets, is consistently battling login problems and distributed denial-of-service (DDoS) attacks, and users regularly express frustration because of these issues.
Fig. 8: Torum post discussing why the Empire marketplace is frequently offline
Interest in Deepfake Scams Increase
Many online users have already heard or seen Deepfake images and videos. The AI-generated technology can create realistic images and sounds, credibly imitating a specific subject. And it has already been successfully used in criminal scams. In March 2019, an executive of an unnamed U.K.-based company was tricked into transferring €220,000 (US$243,000) to a scammer using Deepfake voice technology. The man conversed on the phone with someone he thought was his boss.
We’ve seen underground and forum posts selling services for still image and video fakes, but many users have expressed interest in finding different ways to monetize this technology. There are discussions on how Deepfakes can be used to bypass photo verification requirements on dating sites or for sextortion and eWhoring scams.
Fig. 12: Seller offering five users free Deepfake video services to start their business
Discord Used for Direct Messaging and Sales
Two years ago, the messaging application Telegram was the main avenue for communication between buyers and sellers. However, Discord, a popular communication app with more than 250 million users, has become a popular new platform for sellers to communicate. It is largely seen as secure, and it allows users to maintain anonymity.
Forums and marketplace administrators have created their own Discord servers and channels. And although these channels don’t see as much traffic as the forums, the same goods and services are being offered for the same prices.
Fig. 16: Discord group for e-commerce platform users
The Future of Underground Market Spaces
Our investigations into underground markets and forums allow us to provide insight into future trends and anticipate critical issues that may affect users and enterprises. There are several scenarios that we expect to see in the underground economy within the next three years.
- Deepfake ransomware will be the evolution of sextortion.
- More cybercrime will hit Africa in the next three to five years.
- Cybercriminals will find a scalable business model that takes advantage of the IoT’s wide attack surface.
- We will see smart contracts in escrow offered in underground forums.
- SIM card hijacking will increase and target high-level executives.
Read our full report for more on these predictions, as well as other shifts in the underground seller landscape.
*Discord has been notified of our findings on this subject, but at the time of publishing we have not received any response.