The Hackers' Bazaar


Apr 11, 2014

hands on a computer keyboard in a dark room

In today's ever expanding online landscape, new cyber threats are emerging with startling frequency. The latest is called Heartbleed, and it compromises the security infrastructure of tens of thousands of servers and puts at risk the data of millions of users. Heartbleed provides a ripe playground for cybercriminals to exploit unassuming users and unpatched websites. How damaging could this latest bug be? The answer may lie within the secret, dark recesses of the Internet where so-called black hat hackers buy, sell and trade the tools and services they use to exploit critical vulnerabilities like Heartbleed to steal the precious data of businesses, governments and individuals.

Cyber insecurity comes in many forms. Heartbleed comes hot on the heels of the December 2013 hack of retail giant Target, in which 40 million credit cards and 70 million user accounts were hijacked. Within days, the stolen data appeared on black markets that specialize in hacking tools, hacking services and the fruits of malicious hacking. The Target event was no anomaly, nor was it even the largest such breach on record — that honor goes to the 2009 data breach of Heartland Payment Systems, which reached roughly 130 million stolen records — yet it is a timely reminder that cybercrime is prevalent and increasingly and inextricably tied to a growing and maturing underground economy.

In the last 10-15 years, these black markets for cybercrime tools and stolen data have grown and matured by leaps and bounds, in terms of the size of markets, the number of participants and the amount of goods available. In 2006, for instance, only one new exploit kit — a software tool that can help create, distribute and manage attacks on systems — came onto the market; in 2013, 33 new ones emerged, according to researchers who closely monitor the development of exploit kits. The goals have changed too: In the early 2000s, the hackers that were creating viruses and worms mainly wanted the approval of their peers — they tended to be after notoriety, not cash. Only a few were carrying out identity and credit card theft. Skill levels were rudimentary, and most hackers knew each other. This was the age of small ad-hoc networks of “lone wolves.”

That age ended about 10 years ago. Since then, access to computing technology has become more prevalent as the global Internet population has nearly quintupled in size. Criminal enterprises have recognized a golden opportunity to exploit users and systems with less risk than traditional crime avenues. Malicious hackers and carders can buy and sell everything from stolen personal information to credit card numbers and account credentials. CarderPlanet and ShadowCrew are two examples of early web sites set up to serve this market. But while these pioneering sites reached only a few thousand users, today's black market sites reach tens of thousands., for example, had as many as 80,000 members.

Today's cyber black markets have evolved into playgrounds of financially driven, highly organized and sophisticated groups, often connected with traditional crime organizations. For certain levels of criminals, these black markets can be more profitable and less risky than the illegal drug trade; the links to end-users are more direct, and because worldwide distribution is accomplished electronically, the requirements are negligible. In many countries, malicious hacker activity is condoned — in fact, there are even reports of Eastern European hackers with government ties.

These markets are also geographically spread out, diverse and segmented. Some are specialists offering a single product line like exploit kits, financial data or bullet-proof web hosting services. Others are one-stop shops that offer products or services for the full lifecycle of an attack: everything from deploying exploit kits to setting up infrastructure to performing cryptanalytic services like password cracking. The markets are constantly changing and innovating, and are usually hidden under the cloak of darknets — anonymizing private networks that use encryption and proxies to obfuscate who is communicating.

In this shadowy world, digital and crypto-currencies like Bitcoin are increasingly the only acceptable form of payment. And because the markets facilitate crime, extra pains are taken to evade law enforcement and to counter security tools like the anti-virus software on your computer. As law enforcement gets better at infiltrating the markets and performing takedowns, the black markets respond with measures aimed at better protecting their illegal enterprises.

But cybercriminals always seem to be one step ahead. Their methods for communicating and conducting business transactions have gotten stealthier and more secure, with greater use of VPNs, private Twitter accounts and temporary chat channels, and anonymization networks like Tor, I2P and Freenet — all perfectly legal when used for legitimate purposes.

Though illicit, these markets follow the same economic laws and practices as legal ones. Participants communicate through various channels, place their orders and get products. Forums and groups are often highly structured, with specialized roles: from the tech experts who create exploit kits to the hosting providers who can facilitate a Distributed Denial of Service attack with botnets to the administrators who ensure that participants provide the goods or services they advertise to the money mules who turn the stolen goods into cash.

The barrier to enter and participate in many of these markets today is negligible; almost any computer-literate person can join and play, especially as a buyer. What's for sale? Maybe it's your credit card number, or access to your PayPal or eBay account or your personal usernames and passwords to other accounts. Tools like exploit kits are available for do-it-yourself hackers and hacking-for-hire services are there for those who would rather leave the dirty work to others.

The rise of the “Internet of Things” is giving hackers even more opportunities to make mischief. By 2020, the number of connected devices will outnumber the number of connected people by a ratio of six-to-one. This expands the threat landscape from the computer at your home or office to the one in your pocket. Maybe even the one controlling your implanted pacemaker or insulin pump. Perhaps just as scary, when a hacker accesses your mobile device, there's a good chance he or she will know where you are and can take virtual crime into the actual realm.

Some promising countermeasures have been emerging, including next-generation encryption methods, technologies that promote safer storage of stronger passwords, and other enhanced security protocols. Law enforcement authorities might want to fight the hackers on their own turf, infiltrating black markets and hacking back at the digital underworld. As the online world continues to evolve, policymakers, businesses and individuals must evolve as well by adapt new defenses to combat this bold new threat.

Lillian Ablon is an information systems analyst at the RAND Corporation.

This commentary originally appeared on on April 10, 2014.

More About This Commentary

Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.