In recent months, the Chinese and Russian underground cyber criminal marketplaces have become big news. Everything from mobile malware to ransomware samples can be found and purchased here, as long as one has the skill and know-how to participate in these secretive environments.
As Trend Micro's Christopher Budd noted in a recent blog, undergrounds outside of the U.S. typically leverage a speakeasy-type model, where only those "in the know" have access. This stands in stark contrast with the North American Underground.
"One of the most important differences is that the North American Underground is characterized by a high degree of openness," Budd wrote. "[T]he North American Underground is open to all. In fact, as our researchers note, the North American Underground is characterized by continuous improvement not just in the goods and services offered but in ease of use for access and use by buyers and sellers."
So what exactly is being sold within the North American Underground? And how does this environment of continuous improvement impact the subsequent attacks? Let's take a look:
Breaking down illegal wares: Three main groups
Trend Micro's white paper, "North American Underground: The Glass Tank," noted that nearly every good and service sold in this environment can fit into one of three categories. These include:
Crimeware: This is an umbrella term for a range of different malicious software. The one thing that every crimeware sample has in common, though, is the ability to aid in illegal online activity.
Fake documents and stolen data dumps: In recent months, data dumps have become increasingly common – consider the fallout from the Ashley Madison hack. While stolen payment card information, enterprise documents and other intellectual property have always been bought and sold by hackers, this portion of the North American Underground will likely only grow as data dumps occur more frequently.
Drugs and weapons: Even items like illicit drugs and dangerous weapons are bought and sold in this marketplace. Because these sales involve the physical sending and receiving of goods, as opposed to malware sales, which usually take place entirely in the virtual world, buyers and sellers take extra steps to ensure their anonymity.
Digging deeper: Tangible examples
As Trend Micro researchers dug deeper into the North American Underground, they discovered the individual items that fall into each category.
Crimeware: Crimeware can refer to a whole host of items. Researchers found entire forums solely dedicated to the sale of hacking tools such as keyloggers, spam tools, remote access tools and botnets.
Crimeware items are sold under different pricing models as well. The research paper noted that some sellers offer packages that bundle the malware license with support and assistance. In other instances, goods and services are sold piecemeal – for instance, a single keylogger program sells for $1-$4, a botnet can be bought for $5-$200 and a ransomware sample can be bought for $10 flat.
Other crimeware items and services being sold include crypting, VPNs, proxies, DDoS or Web-stressing attacks and even access to compromised websites.
Data dumps and documents: One of the most common items being bought and sold in the North American Underground is credit card credentials – not only are actual card details available, but clones, or copies of stolen cards, are in abundance as well.
"Selling credit card clones is quite common in the North American underground though we weren't able to find posts that detailed how these were used," Trend Micro white paper authors Kyle Wilhoit and Stephen Hilt wrote. "Buyers, however, showed a preference for credit card credentials over clones since the latter brought risks of actually getting caught red-handed."
The prices for these items vary widely, depending on the country in which the card was issued, the attached credit limit and the anonymity of the user. For example, a set of 100 credentials for classic, U.S.-issued credit cards can run anywhere from $19 to $22, whereas a single, physical, fake U.S.-issued card can cost as much as $874.
Credit card details aren't the only items being bought and sold here. Credentials for online accounts like Netflix and Spotify, as well as fake passports and other documents are also available.
Drugs and weapons: The North American Underground also sees sales of a range of illegal drugs and weapons. Oftentimes, in order to protect the anonymity of buyers and sellers, Bitcoin is used for payment and items are sent to nondescript P.O. boxes.
While the market for illicit drugs is large, there has been growing interest in prescription drugs and fake labels as well.
"Apart from selling actual drugs, forged prescription labels for use in the U.S. are also gaining traction," Wilhoit and Hilt noted in the white paper. "We saw posts selling fake prescription labels for establishments like Walgreens, CVS and Walmart. These labels can help addicts evade arrest if they are caught in possession of prescription drugs."
Weapons are not uncommon in the North American Underground. Researchers found posts for everything from pepper spray and brass knuckles to handguns and assault rifles. A stun gun, for example, typically costs around $30, a Beretta handgun will set a buyer back $550 and AK-47 guns are available for $800.
While these sales are no doubt troubling, there is an even more concerning service for sale: murder.
"Perhaps more disturbing than drugs and weapons is the ubiquity that murder-for-hire services are enjoying in the North American underground," Wilhoit and Hilt wrote. "The more popular or important the victim and the greater the damage inflicted it seemed, the more expensive the service was."
Overall, it's clear that the North American Underground is a robust and growing environment offering a full menu of illicit goods and services. Unlike other underground marketplaces, that of North America is more open to anyone willing to sell or buy, making the transfer of malware, credit card credentials, drugs and weapons easier than ever.
In such a bleak threat environment, it can be difficult to maintain protection. However, staying up to date on the most current dangers can help. Check out Trend Micro's Security Intelligence for information on the newest and emerging dangers, as well as best practices for online safety.