An Overview of the Cybercriminal Market
Cybercriminals are in the business of making money at their victims’ expense. Unfortunately, this involves a great deal of money and countless victims. Criminals do this by stealing identities and credit card numbers, encrypting user data (and offering to restore it for a fee), and employing many other methods.
In the cybercrime underground, a criminal's hosting service and infrastructure serve as the backbone of every aspect of their business model. This infrastructure hosts the command-and-control (C&C) servers that threat actors use to run their victims' machines, the forums and chat services used for interacting with fellow criminals, the anonymizing services for covering their tracks, and much more. At every level of these criminal enterprises, a reliable infrastructure is critical.
How do criminals host such content on the internet without a takedown or an arrest, and what makes them difficult to track down? The answer is that they use what the InfoSec community calls underground hosting, or underground infrastructure.
Hosting services are the foundation of many, if not all, major cybercriminal operations. These hosting providers sell cybercriminals the means to host their C&C infrastructure, discussion forums, marketplaces, various malicious content, and other tools that enable them to be efficient and extremely difficult to disrupt.
This research paper details how criminal forums have evolved to adapt to the demands of the underground market and the ways they have enabled easier access to underground hosting. We delve deep into this thriving cybercriminal market and reveal the full range of products and services it offers to threat actors, and the methods used to promote and sell them.