AT SLING, we’ve set out to create the most accurate cyber underwriting process and customize insurance premiums for each customer. Our technology continuously monitors the Darknet and examines many intel sources for each mention of our clients in the cybercrime space. Among these sources are illicit marketplaces and autoshops, hacking forums, instant messaging groups, information-sharing websites, and hacking repositories.
Autoshops, are internet forums which offer a variety of digital goods, including hacked email accounts, remote admin access to web servers (such as cPanels and webshells), premium accounts (for services like Amazon and Netflix) and stolen credit cards. These shops use digital currencies for the transactions to have the items delivered immediately.
Autoshops play an important role in the cybercrime digital landscape. Cyber-attacks against businesses and organizations are directly connected to products purchased on these sites. Access to business emails, for example, serves as an excellent starting point for social engineering, a common method used to breach, infect, and encrypt computer networks. Likewise, by getting admin access to a website, an attacker is able to carry out malicious actions such as denial of service (DoS), database leaks, or ransom attacks. The fact that most of the business accounts listed for sale belong to SMBs—the primary targets of ransomware groups—only adds to the appeal of these shops for those groups.
There are few large, infamous shops and plenty of smaller ones with a great deal of turnover. In fact, these shops constitute a central portion of the dark web, where access to personal and business assets is monetized and ends up in the hands of the person or group willing to purchase them for their own misuse.
In order to enrich the range of information sources (inputs) that make up the cyber risk assessment model for our customers, SLING applies its professional expertise and develops methods for exploring and monitoring such shops.
Secondary Monetization is one phenomenon we observed.
As part of our research, we delve into the activity in big cybercrime markets (such as Genesis, Russian Market, and similar ones). These are online platforms, mostly Onion sites, where different actors sell “logs”—data and browser-saved information harvested from machines (bots) all over the world which were embedded with information-stealing malware. In those cybercrime markets, all the compromised accounts obtained from a single machine are sold as a package known as “bot for sale”.
We found that retailers buy bots with multiple compromised accounts in the big, exclusive markets and then “unpack” the package to offer each item separately, under categorized sections in autoshops. The categories appeal to anyone cybercriminal who might be interested; some are direct-benefit-oriented to give access to accounts (like Amazon Prime, Netflix, Domino’s, Papa John’s, etc.), some advertising-oriented (such as mailers and mailing lists), while some that are designated for cyber-attacks such as access to business email and authentication data.
In fact, this is the cybercrime world’s version of wholesale and retail marketing. Similar to retail stores, which operate on a smaller scale and are customized to the private customer, autoshops too are customized for that level. Items are listed and sold individually. It’s easy to sign up and log in, and unlike some big Onion markets, there is no need to deposit money in order to register, nor do you need a referral from someone in the community. In fact, most of these sites are not even Onion sites, so you can access them through any browser without using Tor. Thus digital goods become more accessible with a more convenient experience for buyers in an automated process. The end product looks something like a vending machine of accounts.
However, those websites are not indexed by any search engine, making it difficult to find and scrape them.
When dealing with digital goods, confidentiality is vital. Take for example two cases: with knowledge authentication factors like passwords, knowledge equals ownership. With web accesses, on the other hand, sellers want to prevent potential site owners from finding out that their assets were breached and used by others. Therefore, they only disclose the information a buyer needs to know, often obscuring listing details such as censored or partial domain names.
This makes the challenge of detection much harder. After we discover autoshops online, gain access and scrape them, we must reveal what the seller tried not to share. SLING uses a variety of tools and has developed some unique techniques to overcome those obstacles and match a company’s asset to a listing with certainty. This allows companies to be aware of cybersecurity breaches before they become attacks by ransom groups and other threat actors.
Why This is Important for Cyber-Insurance:
This research of the autoshops scene, together with this understanding of the dark net as a multitude of intelligence sources, is an important component in dealing with information security risks. This helps us know how and where a business is exposed and makes it possible to assess the risk posed by each individual vulnerability. With this real-time information, we tailor insurance policies to each business’ specific cyber risks.
At SLING we offer a distinctive Cyber-Insurance solution for small and medium-sized businesses (SMB) by discovery and monitoring of digital assets and cyber risks for organizations.