Blackhat Tool Shop is Open for Business
“Always available to serve you when we are in stock, get your tools whenever you need!”
Sounds like a great customer service slogan, especially for a fraudster in need who is looking for a handyman to do the job. In this case, the handymen are blackhat programmers who have decided to dedicate their skill and know-how to working for the dark side.
In one of its recent findings, RSA FraudAction Research Labs have uncovered yet another new underground shop which was opened a few weeks ago, selling fraud commodities e-commerce style.
The new shop, “The Black Bay,” sells different blackhat-crafted fraud tools, offering access to compromised resources, compromised webmaster credentials, and custom PHP coding for their cybercrime clientele. Although vendors selling these commodities already exist, these tools have never before been made available via an e-commerce-type online interface (see Figure 1).
Figure 1
“Web Hacking Professionals”?
The shop’s operators appear to be a self-proclaimed “team of webhacking professionals who dedicated their skills and techniques to provide you fresh PHP Shells and Web Panels.”
Beyond “webhacking,” note that the operators of this shop also offer programming services made to measure per their customers’ needs. Through its array of fraud investigations and research, RSA has become increasingly aware of the high percentage of computer and IT professionals who are educated and employed by day, and work as blackhats by night.
At times, these professionals leave their legal daytime employment and dedicate their full attention to endeavors linked with cybercrime—ranging from selling tools all the way to committing the fraud themselves.
Needless to say, when skilled programmers, for example, leave the legitimate web in order to join the ranks of the underground, they bring along their work methods, their business know-how, motivation and valuable experience. Precisely this profile is also the sort of operator who would team up with other professionals, set up an e-commerce interface to provide a service, advertise it and provide quality customer support.
Beyond the fact that fraudsters have been strongly adopting business models from the legitimate world, what we see here is a perfect example of the next level of this trend: professionals in a particular skill or trade – ones who could have been hired for their talents by a legitimate business – turning to the dark side and contributing to the success and prosperity of the underground economy.
Shells and Web Panels
The two main “items” sold by this blackhat shop are web shells and web control panels. A web shell is web-based software that provides an easy-to-use interface for users to navigate, upload, download and edit files on a local or remote server. In the hands of cybercriminals, web shells are used to gain illegal access to remote servers.
Why would someone sell PHP shells? Malicious shells (exploits) are sold by blackhats to enable the buyer to exploit and hack a website they would normally have no access to.
Why would a fraudster buy a PHP shell? To force his way into websites he does not own, access all their content (complete file system) and be able to control the site (add/remove content). This also means the attacker would be able to use the site to host phishing, malware, scams and exploit kits.
What would a PHP shell cost? On this new shop, US-based PHP Shells (on American sites) cost $2.50. Non-US Shells cost $4.50.
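As an added defender-side example (not from the original post, and not code from the shop it describes), the following Python script scans web server access logs for the activity pattern a planted PHP shell leaves behind: repeated successful POST requests to a PHP script sitting in a user-writable upload directory that was never part of the deployed application. The log lines, the writable directories and the allowlist of deployed scripts are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Assumed site layout: directories the application lets users upload into,
# and the PHP entry points that are legitimately deployed there (allowlist).
WRITABLE_DIRS = ("/uploads/", "/wp-content/uploads/")
DEPLOYED_PHP = {"/uploads/thumb.php"}

# Constructed sample log: normal traffic plus one uploaded script being POSTed to.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:10:01:00 +0000] "GET /uploads/2012/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2012:10:01:30 +0000] "POST /uploads/thumb.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:10:02:10 +0000] "POST /uploads/2012/img.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2012:10:02:15 +0000] "POST /uploads/2012/img.php?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_candidates(lines, min_posts=2):
    """Map each suspect script path to its POST count and the client IPs that used it.

    A script is suspect when it is a .php file under a user-writable directory,
    is not on the deployed allowlist, and answered at least min_posts POST
    requests with HTTP 200 (an operator drives a shell through repeated POSTs).
    """
    posts, ips = defaultdict(int), defaultdict(set)
    for line in lines:
        r = parse_line(line)
        if r is None or r["method"] != "POST" or r["status"] != "200":
            continue
        path = r["path"].split("?", 1)[0]          # drop the query string
        if not path.endswith(".php") or path in DEPLOYED_PHP:
            continue
        if not path.startswith(WRITABLE_DIRS):     # tuple: any listed prefix
            continue
        posts[path] += 1
        ips[path].add(r["ip"])
    return {p: {"posts": n, "ips": sorted(ips[p])}
            for p, n in posts.items() if n >= min_posts}

if __name__ == "__main__":
    for path, info in find_webshell_candidates(SAMPLE_LOG.splitlines()).items():
        print(f"suspect {path}: {info['posts']} POSTs from {', '.join(info['ips'])}")
```

On the sample log only /uploads/2012/img.php is reported; the deployed thumb.php and the wp-login.php redirect are ignored. Treat a hit as a lead to inspect the file and its upload time, not as proof on its own.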
“Web panels” are fraudster jargon for Web hosting control panel systems. These systems are designed for webmasters who have to manage multiple servers, providing them a scalable architecture to work with. Web hosting CP systems help manage a multitude of websites, FTP accounts, databases and other resources from a single location.
On the new shop’s inventory list: compromised login credentials belonging to legitimate webmasters who manage sites using webhosting CP systems. Here too, this type of access can allow a fraudster to host malicious content through the websites and the compromised servers governed by that CP. The price tag is quite affordable: $3.00 per panel access. See the shop’s FAQ page in Figure 2.
Fraud Tools On Sale Today
Other services are offered to buyers through the shop at very low cost; however, those must be ordered through the customer support team instead.
The blackhat toolbox offering lists:
| Product | Price (in USD) |
| --- | --- |
| SSH Login for HTTP Tunneling (not root) | $8.00 |
| Hacked Roots* | $15 to $30 (depending on the server’s specs) |
| RDP Access** | $20 (random country) |
| Custom PHP coding*** (login checkers, scam pages, etc.) | Prices vary |
* Hacked Roots
In a hierarchically organized computer file system, the root directory is the directory that contains all other directories. “Hacked roots” here refers to access to hacked servers, affording the buyer unauthorized access to and control over that server. The result of a hacked root can prove more or less devastating depending on what the hacked server contains.
** RDP Access
Fraudsters have been selling “RDP Access” to compromised PCs which are infected by Trojans, mostly selling access per the buyer’s need (country, state, city). “TheBlackBay” can sell access to random PCs without giving its buyers the option to choose the country of the infected bot. RDP access will allow a fraudster to connect to the infected bot and have full control over it from a remote location.
*** Custom PHP coding
“TheBlackBay” coders offer to program customized malicious tools for fraudsters, such as “login checkers,” often used in conjunction with phishing attacks, where the login checker tests the newly compromised credentials against the genuine site and verifies their validity. Another offer is “scam pages,” which refers to phishing kits; these coders can create specific kits for their buyers according to the organization they plan to target.
More Fraud as a Service
In order to be able to see the inventory, one’s account must first be verified. Verifying the account requires depositing funds into it via the online currency exchange, Liberty Reserve.
The shop’s operators give helpful hints to their visitors, such as using the Firefox browser for better performance when viewing the shop. They also reassure present and future customers by explaining that they have a real-time checker to verify that all the “products” are online, so that buyers never purchase a “dead” product (one which was shut down, had its password changed, etc.).
Note that the shop provides “live support” for those who still need assistance or have questions.
The launch of this type of shop serves to reiterate the strong Fraud-as-a-Service (FaaS) trend in the underground, which is expected to continue growing this year. RSA has been observing the fraud supply chain, increasingly seeing the likes of malware writers, hackers and blackhat programmers offer their work and associated services to the less savvy, who require turnkey solutions, set-up, instructions and support.
Fraud-as-a-Service makes it easier for criminals to find, buy and pay for fraud commodities. RSA agents regularly uncover new offerings which automate the availability of fraud goods and services, embedding them into web-based interfaces and streamlining their purchase and use processes, precisely as this shop has implemented.
Fraudsters are also more concerned than ever about providing quality customer support and technical assistance to their buyers, which is another aspect of FaaS expected to see major growth in 2012. This shop offers live support over an instant messaging interface and amply reassures buyers:
“We do not scam, we won’t run with your money or balance like manual sellers…”
“Always available to serve you when we are in stock, get your tools whenever you need”
“Stop saving your tools on text file or browser bookmark, let us help you save it here and access it from anywhere”
“If the above questions and answers are still confusing or did not help you, please contact our Live Support”
See a screen capture of this ReadMe page in Figure 3 below.
Figure 3