The xDedic market has resurfaced, this time on a Tor network domain and with the inclusion of a new $50 USD enrollment fee.
XDedic’s original domain (xdedic[.]biz) disappeared shortly after a June 16 Kaspersky Lab report describing how xDedic provided a platform for the sale of compromised RDP servers. At the time of the report, there were 70,000 hacked servers for sale for as little as $6, and the website was doing brisk business.
Researchers at Digital Shadows reported today that a June 24 post to the Russian-language forum, exploit[.]in, included a link to the .onion site now hosting xDedic.
“The new xDedic site was found to be identical in design to the previous site and although discussion in the exploit[.]in thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered,” Digital Shadows wrote in an incident report shared with Threatpost. “However, following registration, accounts had to be credited with $50 USD in order to activate them.”
CTO and cofounder James Chappell said domain had also been shared on a French-language dark web site.
“They’re upping their operational security a bit, but they’re obviously in a tricky place,” Chappell told Threatpost. “They’ve got to advertise it. You can’t find it by browsing; they have to publish the link to point users to it. There is an interesting tension here, they have to promote their services, but don’t want to slip up and reveal their identity. It’s a tricky balance marketing their services and hoping work of mouth will do the work for them.”
Kaspersky Lab researchers worked with a European ISP to gather data used to analyze xDedic. Kaspersky Lab said the market began in 2014 and quickly grew to the 70,000 hacked servers from 173 countries it was advertising this spring.
Buyers were able to peruse a list of available servers, each entry providing specific details on system information, whether admin privileges are available, antivirus running on the machine, browsers, uptime information, download and upload speeds, and the price and location. xDedic marketed itself as a medium for bringing affiliates together, taking a percentage of the money involved as its cut.
“We are aware of reports of the return of xDedic and are monitoring the situation,” Kaspersky Lab said in a statement. “We have a policy to share the findings of cybercriminal research with the relevant law enforcement agencies, and we have already done so in the case of xDedic.”
Given the popularity of the site and the number of participants (416 unique sellers were operating on xDedic, Kaspersky Lab said), it was a matter of time before xDedic popped back up, Chappell said, adding that it’s unknown whether the same volume of hacked servers is still available on the new xDedic.
“I would imagine they have some of the previous offerings available,” Chappell said. “Many of those servers are still compromised. The would still have stock in the stockroom.”
The list of hacked servers on the original xDedic at the time of its shutdown spanned industries such as banking, dating and gambling websites, online shopping sites and ad networks. Buyers sometimes searched for particular software running on a server, with particular interest shown in mass emailing software for spam campaigns, point-of-sale installations, as well as accounting or tax preparation software. The possibilities for theft and fraud are endless via this forum.
xDedic was unique and provided a valued service to its clients, most of which are a criminal element which, by trading on xDedic, saves them the investment in learning how to compromise webservers with exploits for WordPress or Flash vulnerabilities.
“It’s time-consuming to have to acquire servers. Why not use a middle man for that?” Chappell said. “It’s a good example of criminal networks specializing into roles. To have market dedicated to this scale is slightly more unusual. It’s a significant commodity; there’s a market for it and obviously people are willing to pay for it. It’s a functioning economy.”