In the wake of Hansa and AlphaBay being dismantled on the Dark Web, Dream Markets and Wall Street Market have become the largest marketplaces in the criminal underground, according to Q3 analysis from McAfee. Meanwhile, vulnerabilities and stolen credentials continue to dominate the cybercriminal discussion.
Illicit playgrounds for selling narcotics, hacking tools, hackers for hire and data records, these markets continue to thrive even in the wake of law enforcement action. According to threat research out this month from the McAfee, the disruption of Hansa and AlphaBay created a ripple effect during the quarter, driving cybercriminals to competing, smaller markets, including Dream Market, Wall Street Market and Olympus Market.
However, “Olympus Market, which was well on its way to being one of the top markets, suddenly disappeared in Q3,” the report noted. “There is speculation that the disappearance was an exit scheme initiated by the market’s administrators to steal money from their own vendors and customers.”
At the same time, several individual sellers have moved away from large markets and have opened their own specific marketplaces, McAfee said.
“They hope to fly under the radar of law enforcement and build a trusted relationship with their customers without the fear of a quick exit by the market owners,” according to the report. “This shift has sparked a new line of business: Defiant website designers who offer to build hidden marketplaces for aspiring vendors.”
Stolen digital data, which drives much of the profits, will continue to be a key motivator both in large markets and more niche underground hacker forums, McAfee noted. The forums, which are less accessible to the public and focus on cybercrime-related topics, thrive mainly on leaked user credentials.
“Credential abuse is one of the most popular topics on the underground scene, and the large data breaches we read about help maintain this popularity,” the report noted. “The use of valid accounts makes it child’s play for cybercriminals to access and take over an individual’s personal life.”
Cybercriminals often show an interest in email accounts because these are regularly used to restore login credentials for other online services, the research found. “Password reuse, not enabling two-factor authentication, and failing to change passwords on a regular basis are the main factors that make these attacks so effective.”
CVE discussions are popular too, the research found, with recently published vulnerabilities becoming hot topics in discussions of browser exploit kits—RIG, Grandsoft and Fallout—and of ransomware, especially GandCrab.
“In the English-speaking, less technical underground forums we observed several discussions of old CVE implementations in familiar tools such as Trillium MultiSploit,” McAfee said. “These threads show that cybercriminals are eager to weaponize both new and old vulnerabilities. The popularity of these topics in underground forums should warn organizations to make vulnerability management a priority in their cyber-resilience plans.”