Whether it is to phish, to infect, or to sell credentials, cybercriminals have always required an infrastructure to commit their crimes – servers, PHP scripts, vulnerabilities and more. Many of the trends in recent years, such as the explosion of botnets and credit card stores, have led to the rapid expansion of this infrastructure.
Where in the past illicit vendors sold their credentials in closed communities such as DarkMarket, they now prefer to open shop on their own servers, using either “off-the-shelf” or custom-made scripts to operate their stores. However, while the move out of the gated underground communities has its advantages, it also comes with a lot of issues that up until now they didn’t need to deal with. Information security, for one. After all, cybercriminals need to protect their assets just as any legitimate organization would. And, considering fraudsters don’t play nice with each other, they are at an even higher risk of being attacked by a third party.
Whenever there’s an opportunity – there’s a shrewd member of the cybercrime community eager to take advantage of the situation and offer a new service. We’ve recently discovered a new underground service by a Russian fraudster in which he offers to audit the PHP code of credit card stores and other scripts – making sure the vendors’ stores are secure from any hacking attempts. The service looks for various potential vulnerabilities, such as SQL injection, code execution, cross-site scripting and more. Each identified vulnerability has a different rate, ranging from $20 for “XSS Passive” to $150 for code execution in small scripts. Rates for credit card stores are higher. If the vendor isn’t able to find a vulnerability in the code, the customer doesn’t have to pay a thing.
While offering such a service is not a crime, it is offered with the intent of perpetuating cybercrime. The vendor advertises this service in the underground and specifically lists credit card stores in his rates. The fact that the service is offered in the underground is no surprise, considering that fraudsters focusing on malware have been hardening their infrastructure on an ongoing basis for quite a while.
The question is: considering the untrusting nature of the underground economy, isn’t it surprising that fraudsters would be willing to trust a stranger to go over their sites’ code, deliberately looking for vulnerabilities?