What is the underground ecosystem?

The term underground ecosystem is usually used to refer to a collection of forums, websites and chat rooms designed with the specific intent to support, streamline and industrialize criminal activities. The underground ecosystem represents a portion of cyberspace that is vital for criminal communities, where criminals can acquire and sell tools, services and data for various kinds of illegal activities. Recently a team of experts from Dell SecureWorks released a report on black hat markets, titled “Underground Hacker Markets“, which reported a number of noteworthy trends, the most interesting of which is the growing interest in personal data. Criminal crews are offering any kind of documentation that could be used in sophisticated frauds. Passports, driver’s licenses, Social Security numbers and even utility bills are commonly required by service providers as a second form of authentication; for this reason criminals purchase them in the underground. “The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver’s licenses … It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” states the report published by Dell SecureWorks. For criminals who want to acquire a new identity for illegal activities, the underground market offers identity packages that include passports, driver’s licenses and social security cards, practically anything necessary to commit identity theft. One of the most important concepts in cyber criminal communities is the cashout, a term used to indicate the methods bad actors use to monetize their efforts, as identity theft “crimes” are made up of two major phases:

1. Access to the victim’s credentials
2. The “cashout,” to turn stolen sensitive data into money.

Sensitive information could be obtained in different ways, including malware-based attacks, phishing campaigns, and hacking into online merchants’ databases. Sensitive data could also be obtained through real-world activities like credit card skimming. In this article, I’ll focus the analysis on the personal information exchanged by criminal crews in the Deep Web, and in particular through hidden services in the Tor Network. The categories of personal information I searched for are:

- Credit cards
- Bank logins and PayPal accounts
- “Fullz”
- Online account credentials
- Personal data and documents
- Gaming credentials

The value of personal information

Credit cards

Credit card data are considered by security experts to be the most commonly traded commodity in the underground economy. When searching for stolen credit card data, it is possible to find two types of offers for this kind of goods, “dumps” and “CVVs.” The term CVV is an abbreviation for card verification value. In the criminal ecosystem it refers to a credit card record that includes the cardholder’s data such as the name, the address, the card number, the expiration date and the CVV2. A dump is the raw information on the magnetic strip that is collected through real-world skimming. Typically it is used to clone the legitimate card by copying the data onto a fake credit card. While CVVs can only be used with online merchants, dumps can only be used in a physical store to purchase any kind of product.

The price for both dumps and CVVs depends on numerous factors, such as the type of card, the expiration date, the country of the cardholder, the seller and many others. Usually dumps have a higher price than CVVs because the payoff is bigger; a cyber criminal can buy expensive goods and cash them out rapidly. Typically CVVs cost less than $10, while dumps can go as high as several dozen dollars. When searching for stolen card data it is quite easy to find online the name Rescator, one of the most important players in the underground community, who provides any kind of goods related to payment cards. By accessing the popular online marketplace operated by Rescator, users can easily buy dumps through its friendly interface. Just select a country, the dump type (VISA, MasterCard, AMEX, etc.) and the type of card to retrieve a list of results ready for a bulk order. As shown in the image below, users can also filter dumps by expiry date and bank; this information is very useful to a buyer who wants to resell the data or use it to target users in a specific geographic area. As expected, the prices are variable.
The most expensive dumps are related to US cards, where prices range from just over $5 up to several tens of dollars. Prepaid debit card dumps are very cheap, and dumps with a close expiration date are sold for a few dollars.

Figure 1 – Rescator Website – Searching for CANADIAN DUMPS

When searching for CVVs in the Tor network, it is possible to find several websites that offer this precious commodity. On crimenetwork.biz (http://crimenc5wxi63f4r.onion/), for example, there are offers proposed by several operators who sell this kind of goods. Typically, these sellers also operate on other carding forums. By analyzing different black markets, it is possible to build a profile of the most popular operators and retrieve significant information about their reputation through the feedback related to their activities. The following list is an example of goods and prices proposed by one of the operators specializing in the sale of stolen card data:

===> Prices for fresh Credit Card (CC, CCV, CVV2)
– US (Visa/Master) = $6 per 1
– US (Amex, Dis) = $7 per 1
– US Bin = $15, US Dob = $15
– US fullz info = $25 per 1
———————
– UK (Visa/Master) = $14 per 1
– UK (Amex, Dis) = $22 per 1
– UK Bin = $25, UK Dob = $25
– UK fullz info = $35 per 1
———————
– CA (Visa/Master) = $15 per 1
– CA (Amex) = $20 per 1
– CA Bin = $20, CA Dob = $20
– CA fullz info = $35 per 1
———————
– AU (Visa/Master) = $18
– AU (Amex, Dis) = $20 per 1
– AU Bin = $20, AU Dob = $25
– AU fullz info = $30 per 1
———————
– EU (Visa, Master) = $25 per 1
– EU (Amex, Dis) = $30 per 1
– EU Bin = $30, AU Dob = $35
– EU fullz info = $45 per 1
– Italy = $20 per 1 (fullz info = $35)
– Spain = $20 per 1 (fullz info = $35)
– Denmark = $25 per 1 (fullz info = $35)
– Sweden = $20 per 1 (fullz info = $35)
– France = $20 per 1 (fullz info = $35)
– Germany = $20 per 1 (fullz info = $35)
– Ireland = $20 per 1 (fullz info = $35)
– Mexico = $15 per 1 (fullz info = $30)
– Asia = $15 per 1 (fullz info = $30)

Figure 2 – Stolen card data offered on Tor forum

Bank logins and PayPal accounts

Bank logins are another very popular commodity in the criminal underground. Compromised bank account information could be collected by infecting victims’ computers with specific malware or through phishing campaigns. The price for compromised bank account information in the underground market depends on various factors, such as the account balance (in many instances the price is a percentage of the balance), the bank, and any guarantee offered on its validity. It is easy to find bank logins in black markets such as the Nucleus Market (http://nucleuspf3izq7o6.onion). In the following image a seller is offering a Wells Fargo bank account with a balance ranging from $200-1000 for $15 USD.

Figure 3 – Wells Fargo bank account

Another very popular item in the criminal underground is compromised PayPal accounts. PayPal accounts are very useful for criminal crews because they are usually used for the cashout process. Here too, prices vary widely depending on the amount of money available in the account, its age and the country of the owner. The prices could vary from a few dollars for a hacked US PayPal account, up to a few dozen dollars for a verified account with either a credit card or bank account linked. A Business PayPal account with zero balance could be sold for nearly $10 USD.

Figure 4 – PayPal account offer

Figure 5 – Hacked PayPal account for cashout

“Fullz”

The term “Fullz” is used to indicate another type of financial credential traded in the underground markets. It is hacker terminology for the full information on a victim, which includes the name, the address, the social security number, the credit card data, the date of birth, the mother’s maiden name, the driver’s license number and more. This information is used by criminals to impersonate victims in more complex scams. Information included in a Fullz could be used, for example, in a takeover of the victim’s online accounts, as the information usually allows hackers to answer the security questions used in the password recovery procedures implemented by many online services. As a rule of thumb, the more information you have on your victim, the more money you can make out of the credential. Because of the value of this kind of goods, Fullz are usually sold for higher prices than standard credit card dumps. “This type of credential can be cashed out in a number of ways, such as using a bank’s telephone service while posing as the victim, doing a ‘change of billing’ and ordering credit cards, applying for loans and more. Even ‘Dead Fullz,’ which are ‘Fullz’ credentials that are no longer valid, can be used for things like opening a ‘mule account’ on behalf of the victim and without his or her knowledge,” wrote Omri Toppol in a blog post published on Security Affairs. Prices for Fullz vary with a number of factors. UK and US citizen data could be acquired in lots at a cost that ranges from $5-10 USD up to $40 USD for very specific profiles.

Figure 6 – Fullz available in the Nucleus marketplace

Online account credentials

Online account credentials are another type of information sold in almost every underground market and hacking forum. Online accounts are basically used for two main purposes:

- Cashout processes
- Sophisticated scam schemes.

When searching for these products in several underground black markets, it is possible to find different prices. Account credentials could be sold for a price that ranges from $5 USD up to $80-100 USD. The most expensive account credentials I have found are Facebook credentials; in some cases they are sold for $50 USD for a single account. Stolen email account credentials are very popular in hacking forums; typically sellers offer them in lots of 100, 1000 and 10000 units, sold for a price that goes from $50 up to $500 USD. Sometimes the sellers guarantee the validity of the email accounts, which have probably been compromised through malware-based attacks or phishing campaigns.

Personal data and documents

We have seen that in the underground marketplace, it is possible to acquire a working Social Security card, name, and address for $250. In some cases, it is possible to pay an extra fee of a few dozen dollars to buy a utility bill to use in identity verification processes. Among the most popular goods in the underground are counterfeit documents, including non-US passports, which are available at a cost of between $200 and $1000. Usually it is very hard to find US passports because US law enforcement is believed to infiltrate the hacking community, making their commercialization risky. Fake US driver’s licenses sell for $100-$150, while counterfeit Social Security cards run between $250 and $400 on average. In both cases, these documents could be used to improve the efficiency of fraud schemes.

Figure 9 – Fake documents (Passports and ID)

Figure 10 – Professional Certificate to work in the EU

Gaming credentials

Other goods that are becoming popular in the criminal underground are gaming credentials, as they are used as a cashout mechanism. Once an account is purchased, the criminals sell its virtual gaming goods and features to monetize their efforts, converting virtual gold and unique virtual goods obtained by the victim’s character into real-world money. The most popular online platform for gaming is Steam; for this reason Steam accounts are becoming a precious commodity in the underground market. Recently security experts have also discovered extortion attempts against the owners of the stolen credentials.

Figure 11 – Minecraft account

Conclusion

In this brief tour of black markets and hacking forums hosted in the Deep Web, we found that the range of personal information and online service accounts on offer is very wide. The principal communities of online criminals are offering a growing number of services and goods that facilitate illegal activities. Monitoring the criminal ecosystem is crucial for investigators and security experts who gather valuable information for their investigations. Periodically, we will evaluate developments in the markets analyzed in this report in order to study the trends in criminal communities.

Sources

- Personal data criminal underground
- Underground hacking markets
- Brazilian underground cyber market
- Evolution black market
- Evolution Russian underground