In Q3 the Dark Web is characterized by vulnerabilities, stolen credentials, and the evolution of marketplaces.
McAfee’s Q3 analysis reveals that after Hansa and AlphaBay were shut down on the Dark Web, Dream Market and Wall Street Market became the largest marketplaces in the criminal underground. Meanwhile, vulnerabilities and stolen credentials continue to dominate the discussion among cybercriminals.
Illicit marketplaces for the sale of narcotics, hacking tools, hired hackers, and data records continue to thrive despite law enforcement efforts. According to threat research published this month by McAfee, the disruption of Hansa and AlphaBay caused a ripple effect during the quarter, driving cybercriminals to smaller, competing markets such as Dream Market, Wall Street Market, and Olympus Market.
However, “Olympus Market, which was well on its way to becoming one of the top markets, suddenly disappeared in Q3,” according to the report. “There are rumors that the disappearance was the result of an exit strategy devised by the market’s administrators to steal money from their vendors and customers.”
McAfee stated that several individual sellers have moved away from large markets and established their own niche markets.
According to the report, “They hope to fly under the radar of law enforcement and build a trustworthy relationship with their customers without fear of a quick exit by the market owners.” This change has spawned a new industry: website designers who offer to create hidden marketplaces for aspiring vendors.
McAfee noted that stolen digital data, which generates the majority of profits, will continue to be a driving force in both large markets and niche underground hacker forums. Less accessible to the general public and focusing on cybercrime-related topics, the forums thrive primarily on leaked user credentials.
The report stated, “Credential abuse is one of the most popular topics on the underground scene, and the large data breaches we read about contribute to this popularity.” The use of valid accounts makes it easy for cybercriminals to gain access to an individual’s private life and assume control over it.
The research revealed that cybercriminals frequently target email accounts because they are often used to restore login credentials for other online services. Reusing passwords, failing to enable two-factor authentication, and failing to regularly change passwords are the primary reasons why these attacks are so effective.
The research also found that recent CVEs are a hot topic in discussions of browser exploit kits (RIG, Grandsoft, and Fallout) and ransomware (GandCrab in particular).
“In the English-speaking, less technical underground forums, we observed numerous discussions of old CVE implementations in well-known tools like Trillium MultiSploit,” McAfee explained. “These threads demonstrate that cybercriminals are eager to weaponize both new and existing vulnerabilities. The prevalence of these topics in underground forums should serve as a warning to organizations to prioritize vulnerability management in their cyber resilience plans.”