Categories: SecurityWorkspace

Black Markets Broaden Access To Cutting-Edge Malware Tools

Online black markets for cyber-crime tools and stolen data have become more sophisticated, allowing even the least technical would-be cyber-criminals to gain access to complex software and sell their illicit gains, according to two reports on the underground economy.

In a report published on 25 March, three researchers from RAND, a nonprofit research organisation, surveyed the current state of black markets finding that the sale of increasingly sophisticated attack tools will make it harder for defenders to keep up with attackers. In addition, the markets’ exodus to the “dark web”, described as anonymised locations on the Internet, will make it harder for law enforcement agencies to take down the cyber-crime sites.

Empowering cyber-criminals

“These markets are empowering cyber-crime and cyber-criminals,” Lillian Ablon, lead author of the study and an information systems analyst at RAND, told eWEEK. “It is super easy to find where to buy these exploit kits or credit cards, and these markets are incredibly resilient to takedown by law enforcement.”

Law enforcement have successfully shut down several credit-card – or carder – markets as well as the Silk Road marketplace, which – along with drugs – sold stolen credit and debit card numbers, exploit kits, attack tools and fake identification. In many cases, cyber-criminals have just relaunched the sites, or similar sites, and moved them to the dark web, where the exact locations of the servers on which sites are hosted are hidden by anonymising proxy servers and networks, such as the Tor network.

With the arrest of the author of the popular Blackhole exploit kit in Russia, the market has opened up to a large variety of other software programs for facilitating the infection and control of computers. Exploit kits such as Whitehole, Eleonore, and Cool sell anywhere from hundreds of dollars for the software to $10,000 (£6,300) per month for an exploit service, according to the report.

While the tools are sophisticated they do not use extremely advanced techniques. Instead they harness small advancements and obfuscation to bypass security measures, Charles Renert, vice president of security research for Websense, which will be releasing its own report on online black markets later this week.

Cutting-edge techniques

“The market has responded to the need of the vast majority of criminals to attack, not with zero-days, but with techniques that are just slightly better than the defences out there today,” he said.

In fact, zero-day attacks, which use previously unknown vulnerabilities to break through defenses, are not necessary in the vast majority of cases, said RAND’s Ablon.

Black markets for cyber-crime tools and criminal services follow the same economic laws as other markets, according to the RAND report. While large operations – like the digital fleecing of retail giant Target – garner headlines, they are less of a boon for the market, Ablon said.

“Big attacks, things like Target happen rarely, because when there is an influx of goods, it impacts price, and to keep the prices high, they need scarcity,” she said.

Are you a security pro? Try our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Apple Security Flaw Being Actively Exploited

Update now. Vulnerability impacts a number of Apple iPhone, iPad and Mac models, and the…

12 hours ago

Yale University Names Firms Still Operating In Russia

Data from Yale University shows a number of big name tech companies continue to trade…

13 hours ago

Police Arrest Four Over BT Cable Theft In North Yorkshire

Police make arrests after Openreach confirms to Silicon UK that a cable theft left 200…

1 day ago

UK Staff Resisting ‘Big Return’ To The Office, Says infinitSpace

Remote working to stay? Majority of business leaders are struggling to get staff to return…

1 day ago

Apple Axes 100 Recruiters, Amid Hiring Slowdown – Report

Hiring slowdown at Apple? Tech giant reportedly lets go 100 contract-based recruiters in the past…

1 day ago