Black Markets: how they are organised and what data they hold

Cybercriminal activity is frequently discussed in terms of malware, ransomware, and extortion schemes, yet one aspect of particular analytical interest concerns the infrastructure sustaining the entire criminal enterprise: black markets and underground forums.
This article presents operational details observed on a known black market apparently associated with threat actors from Eastern Europe and Russia. Attribution to these regions, however, should not be considered definitively reliable.
The image on the left displays the market menu, subdivided into the following sections:
- CVV / DUMPS: payment card data and related information;
- RDP: remote access via the RDP protocol to compromised servers;
- Stealer Logs: access to compromised workstations and all the data they contain (passwords, cookies, files);
- PayPal: username/password credentials for PayPal accounts;
- Various tools.
The login interface:

Stealer Logs

One of the most operationally significant sections concerns the trading area for compromised systems. The listing represents systems—typically workstations—infected with malware. Prospective buyers gain access to exfiltrated data from individual machines, user-stored credentials, and session cookies. The dropdown menu displays malware variants used for compromise. System listings are organized by country and associated with metadata including registered website credentials (session cookies and passwords) and pricing.
Average pricing approximates USD 10 per workstation. Purchase grants not only access to previously exfiltrated data but also remote system access enabling targeted attack execution.
RDP

Within the unauthorized access segment, the RDP section contains listings of compromised perimeter systems for which threat actors resell access credentials (username and password pairs for the RDP protocol).
Pricing varies according to system classification and hardware specifications of the target machine.
DUMPS and CVV

Within these black market sections, payment card information and CVV codes are available for purchase. Threat actors obtain this data through:
- workstation compromise (yielding stealer logs);
- web application and e-commerce platform compromise.