Malware, mobile and murder for hire: A top-level look at the cyber criminal underworld

Last month at CloudSec 2016, Robert McArdle - EMEA manager for forward-looking threat research at Trend Micro - held a talk about the differences between the various underground marketplaces around the world.

Undergrounds tend to be separated by language rather than geographical location and "the big three," as McArdle called them, are the Russian, Chinese and English speaking marketplaces.

“You need to be able to know your enemy in order to be able to defend against them,” McArdle said, so understanding the differences between these secretive hangouts could be the difference between staying secure and being the next victim of a cyber attack.


The Russian world of cyber criminals is “by far the oldest and most mature of the criminal undergrounds out there. The Russians are generally seen as the pioneers when it comes to cybercrime. Nowhere else will you find as many criminal offerings."

Russia is credited with first introducing malware-as-a-service, where anyone can buy services without really having to understand how they work, and the range of offerings now for sale surpasses anywhere else in the world. “Absolutely everything is available on these forums,” McArdle warned. “The less mature ones have fewer services, but if you go to some of the Russian forums you will find everything.” That includes phishing kits, malware, ransomware and, in fact, pretty much “anything you associate with cyber crime”, all available for the right price, and usually they aren’t even that expensive.

McArdle identified two main trends in the Russian internet underworld. Firstly, “the prices for most goods are actually falling," not due to a lack of demand, but because of increasing competition. Secondly, researchers are seeing "the rise in everything related to mobile," thanks to the ever-growing number of people who now access the internet through mobile devices such as smartphones or tablets.

But as well as the marketplace being mature, the organisations behind the services are also more professional than ever. Many of them have sales departments and 24-hour support lines, and operate much the same way as a normal business. They offer pre-compromised sites that can be narrowed down to select countries or industries, services such as spam emails that can be targeted to a specific product, and even eBay- or Amazon-like marketplaces for criminals to sell things such as stolen credit card details.

And it’s not standing still. The Russian underground “evolves pretty much every single year”, making it harder than ever for businesses to stay ahead, or even catch up.


On to the Chinese underground where "as you would expect, everything's different." Mostly, this is because China’s internet is more strictly guarded and regulated than in other parts of the world: it has its own versions of social media sites - Weibo in place of Twitter, for example - and websites such as Facebook and Google are blocked entirely.

However, despite the famed ‘Great Firewall of China’ ruling supreme, "the vast majority of the Chinese underground is actually quite easy to access," living on the “clear web” rather than on hidden services such as Tor.

But the main barrier Chinese-speaking cyber criminals have between them and the rest of the world is, of course, the language. “Chinese markets don’t tend to rely on malware from other regions,” said McArdle, “and it tends to come down to language,” with Chinese-language malware being the preferred option for cyber criminals.

In terms of trends, China’s underground marketplace has a heavy mobile focus through practices such as SMS spam and SMS phishing. Devices such as ATM skimmers, pocket skimmers and point-of-sale devices are also extremely prevalent, with the majority of such devices found around the world being manufactured in the country.


Finally, we come on to the English-speaking playground for cyber criminals, where there is "a lot more focus on physical goods," as well as plenty of malware and recreational drugs.

“The other big thing is denial of service attacks,” explained McArdle. These attacks actually started with kids in gaming rooms, where teams would try to knock each other offline to win a game, and people soon started to realise that the same methods could also be used to take down businesses. So, “if you get hit by a DDoS attack in business, it most likely came from an English speaking person.”

Identity theft is also rife, especially in the US where getting hold of someone’s social security number essentially enables cyber criminals to “impersonate someone very easily. In Europe most of our details are not available online, but in the US you can find out an incredible amount about people just through public resources.”

McArdle continued: "The other thing we see almost exclusively in the English-speaking underground - and probably the most worrying - is essentially murder for hire." Although his team hasn’t been able to verify the websites that these services are advertised on (for obvious reasons), what they have realised is that “by the number of these sites that are out there, there's a clear demand for these services."

Best of the rest

So that’s the so-called “big three”, but there are some other prevalent locations out there. Brazil’s marketplace, for example, was described as "more boutique and definitely less mature, but very up and coming." Brazil is famed for having extremely detailed and sophisticated tutorials - McArdle compared them to the standard of a university master's course - and is also known for being a leader in banking attacks.

Japan, on the other hand, gets the honour of being described as "by far the most wacky" and is also "the least mature of all the markets." There is more of a focus on taboo subjects such as pornography, a "heavy focus on anonymity" through various code words and languages, and any malware tends to focus on attempting to obtain compromising images or videos from webcams to be used for blackmail.

Finally, it’s worth touching on Germany, which "of the European countries is by far the most mature" and only slightly behind Russia. The two countries regularly trade platforms and services with each other, with one of the main credit card websites actually sharing the same database as the Russian version.

"Whatever business you are in, understanding these marketplaces and understanding which one to focus on is really important,” concluded McArdle. In fact, it could end up saving you a lot of time, stress and money.
