DarkNet vs. Internet Sales Sites (or How I Learned to Buy Anything Anywhere)

Attackers, hackers, and account crackers are continuously looking for new markets to leverage for showcasing their services or products. In the past we have talked a lot about the DarkNet and how it is used as a marketplace for illegal activities, commodities and services. These individuals actually use sites such as eBay, Craigslist, and other well-known virtual marketplaces. Not all obvious and overt illegal transactions need the DarkNet to flourish.

These relatively old shopping stops on the Web provide a simplified approach to connecting with customers, and thus they have attracted a wide range of new sellers. The marketplace created by these sites includes credit cards and other illegal items, and even allows you to customize your purchase preferences, such as sorting and purchasing credit cards by US ZIP codes. However, as you can see from the sample marketplace home screen below, this day’s search resulted in more stolen accounts than stolen credit cards.


As you dive deeper into the details, you can see there are plenty of hacked accounts from different service providers. I ran a quick analysis of the accounts, and some of them were demo accounts or free 30-day trials. However, it also appeared that there were legitimate accounts on this site.


The thing that struck me as (somewhat) funny was the sales event feedback aspect of the site. As with most marketplaces, seller reputation is critical for driving continued business. The customer base is heavily influenced by the feedback provided by prior customers, having a high impact on the decision process to initiate a transaction. The site I chose for this example is relatively small compared to other marketplaces, but I could readily find active sellers on the site.

When I see large numbers of user accounts for sale, there is a high probability that the majority of a target source website may have been compromised during an attack. Perhaps their entire username or password database was stolen.

What I have started to see is something we all know is relatively common: many users rely on the same username and password for multiple websites. Thus, it stands to reason that malware, phishing, or some other attack resulting in account compromise lets an attacker (or buyer) infer usernames and passwords for multiple sites.


A word of warning to the purchaser: as I pointed out earlier, many websites that offer services or products have a free 30-day trial, and many attackers create a large quantity of free trial accounts to sell them. Caveat emptor and all that. Plus (and of course) … it is illegal to sell and use stolen credentials. Forgot that part.

We will no doubt see more activity on an expanding set of marketplaces, and there is the added pressure of the fast-approaching holiday season. Attackers are always on the lookout for new venues to peddle their wares, and would-be buyers are always there to reward them for finding a new venue in which to do it.

Happy holidays?