The cybercrime underground is populated by specialized actors who collaborate to compromise systems and monetize stolen data.
Exploit developers: very smart people who reverse-engineer software. Develop and sell exploit packs and kits to other actors.
Botnet masters: develop software and control vast numbers of zombie machines. Rent out their botnet to spammers, phishers, and other actors.
Spammers: advertise links for other actors. Build, curate, buy, and sell email lists. Rent botnets to send bulk mail.
Phishers: set up scam sites to steal information. Work with spammers to spread phishing links to victims.
Counterfeiters: run websites selling fake goods (pharma, Rolex, etc.). Must be able to clear credit cards and ship products.
Bulletproof hosting: offer dedicated servers in lawless parts of the Internet. Expensive but essential for long-running operations.
Carders: turn stolen bank accounts and credit cards into cash. Help launder money. Crucial link between theft and profit.
Crowdturfers: create, verify, and manage fake accounts via crowd-sourcing platforms. Solve CAPTCHAs for a fee.
Bad actors form an interconnected ecosystem. Botnets are used for spam; spam facilitates phishing, counterfeit sales, and malware installation. Activities and infrastructures support each other.
| Activity | Role in the ecosystem |
|---|---|
| Botnets | Core infrastructure for spam, DDoS, mining |
| Spam | Drives traffic to phishing, counterfeit, malware |
| Phishing | Steals credentials, bank logins, credit cards |
| Carding | Turns stolen accounts into cash |
| Exploit kits | Exploit-as-a-Service monetization |
| DDoS | Extortion using botnet power |
Large volumes of illicit goods and services are advertised on underground forums. Many operate in plain sight - a Google search away.
Law enforcement often targets forums and IRC rooms. Some forums have been sting operations. New forums quickly fill the void when one is shut down.
Black market forums are hugely valuable for security professionals. They allow researchers to observe trends, detect unfolding attacks, and understand the underworld.
Exploit kits: a website is compromised so that its scripts load the kit. When a victim visits, the exploit kit exploits the browser and installs malware. Blackhole, MPack, SpyEye, Zero Access, Rena FakeAV are examples.
Buy: Miscreant buys an exploit kit and deploys it themselves.
Rent: Miscreant rents access to an exploit server that hosts the kit.
Miscreants are responsible for acquiring traffic - directing victims to exploit kits via spam or phishing.
Traffic-PPI services bundle traffic acquisition and an exploit server. One service handles both: getting victims to the site and infecting them. Now the most popular way to distribute malware.
| Term | Definition |
|---|---|
| Doorway pages | Webpage listing many keywords to increase search ranking; scripts redirect to attacker's page |
| Crypters | Program that hides malicious code from anti-virus software |
| Blackhat SEO | Manipulates search engines to increase traffic to attacker's site |
| Trojan Download Manager | Software that lets attacker update or install malware on victim's computer |
Surface web: readily available to the public, searchable with standard search engines. ~4% of WWW content.
Deep web: not indexed by standard search engines. Part of the Internet hidden from view. ~96% of WWW content.
Dark web: web content on darknets - overlay networks accessed via specific software (e.g., Tor).
Infected machines have valuable resources: spare CPU cycles, unique IP addresses, bandwidth. Botnets aggregate and control them via Command & Control (C&C) infrastructure.
CPU: spare cycles for mining, cracking, computational tasks.
IPs and bandwidth: distributed IPs evade spam filters; bandwidth for DDoS.
Rental: swaths of bots rented to other actors for various purposes.
IRC C&C: botmaster sends commands via IRC (e.g., sndspam: <subject>). Efficient but easy to locate and take down.
P2P C&C: botmaster inserts commands into a DHT (distributed hash table). Bots get commands from peers. More robust but no direct synchronized control.
Fast flux: C&C website mapped to different IPs every ~10 seconds. Defeats IP-based blocking. But: ISPs can blacklist the rendezvous domain.
Domain generation (DGA): bots generate many random-looking domains each day (shared algorithm + seed). Botmaster registers only a few. Hard to detect - domains are new, short-lived.
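The two evasive C&C designs above, fast flux and domain generation, leave different traces in DNS data: one name answered by many short-lived IPs versus many one-off, random-looking names. The following added example (not code from the lecture or from any cited paper) shows how a defender can score passive-DNS observations for both patterns. The records, the documentation-range IP addresses, and every threshold are constructed assumptions chosen to illustrate the heuristics.

```python
"""Passive-DNS heuristics for two of the C&C evasion techniques above:
fast flux (one domain answered by many short-lived IPs) and algorithmically
generated domains (random-looking labels). All records and thresholds are
constructed/assumed for illustration."""
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsRecord:
    ts: int      # observation time, seconds (constructed)
    qname: str   # queried domain
    rdata: str   # IPv4 address in the answer
    ttl: int     # answer TTL in seconds


VOWELS = set("aeiou")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of the label; higher means more random-looking."""
    if not text:
        return 0.0
    n = len(text)
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(domain: str) -> str:
    """The registrable label a DGA would randomise (e.g. 'foo' in 'www.foo.example')."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(domain: str) -> dict:
    label = second_level_label(domain)
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
    }


def looks_generated(domain: str, min_len: int = 8,
                    max_vowel_ratio: float = 0.15, min_entropy: float = 3.0) -> bool:
    """Heuristic: long, vowel-poor labels with high entropy or many digits.
    Thresholds are assumptions tuned for the sample, not published values."""
    f = dga_features(domain)
    return (f["length"] >= min_len
            and f["vowel_ratio"] <= max_vowel_ratio
            and (f["entropy"] >= min_entropy or f["digit_ratio"] >= 0.2))


def fast_flux_candidates(records, min_ips: int = 5, max_ttl: int = 60) -> set:
    """Domains whose answers churn through many distinct IPs with short TTLs."""
    ips = defaultdict(set)
    ttls = defaultdict(list)
    for r in records:
        ips[r.qname].add(r.rdata)
        ttls[r.qname].append(r.ttl)
    return {q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}


def classify(records) -> dict:
    """Map each observed qname to the set of tags it earned."""
    flux = fast_flux_candidates(records)
    tags = {}
    for q in {r.qname for r in records}:
        t = set()
        if q in flux:
            t.add("fast-flux")
        if looks_generated(q):
            t.add("dga-like")
        tags[q] = t
    return tags


# Constructed sample: documentation-range addresses (RFC 5737), not real hosts.
SAMPLE = (
    # rendezvous domain re-pointed every 10 s with TTL 10: the fast-flux pattern
    [DnsRecord(10 * i, "rendezvous.example", f"198.51.100.{i + 1}", 10) for i in range(6)]
    # a CDN also spreads one name over many IPs, but here with a longer TTL
    + [DnsRecord(60 * i, "cdn.example", f"203.0.113.{i + 10}", 300) for i in range(5)]
    # ordinary stable host
    + [DnsRecord(0, "mail.example", "203.0.113.25", 3600)]
    # one-off random-looking label resolved once: the DGA pattern
    + [DnsRecord(0, "xk3j9qz7vb2p.example", "192.0.2.7", 300)]
)

if __name__ == "__main__":
    for qname, t in sorted(classify(SAMPLE).items()):
        print(f"{qname:24s} {sorted(t) or '-'}")
```

The CDN row is the caveat that matters in practice: legitimate content networks also answer one name with many addresses, so IP count alone produces false positives, and the TTL cut-off used here is only a partial fix. A production version would add address diversity across autonomous systems or countries for the flux check, and an allow-list plus an n-gram or dictionary model for the label check, since short English words can score almost as high in raw entropy as a generated label.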
Spam is mail that is (1) inappropriate or irrelevant to the user, and (2) sent to a large number of recipients.
Scammers set up websites (pharma, knockoffs, fake AV). Spammers sign up as affiliates, advertise the scams, and collect 30–50% commission on sales. Scammers deliver products and collect payments - many have customer service departments.
Conversion rate: the percentage of spam messages that result in a final sale. Key to understanding spam economics. Measurement: infiltrate spam generation/monetization and instrument the pipeline.
Filter effectiveness: researchers infiltrated Storm and measured it. On average only 0.014% of spam got through - 1 in 7,142. Delivery rates at Gmail, Yahoo, Hotmail, and Barracuda varied by campaign.
Conversion: 28 purchases in 26 days, averaging ~$100 each. The study controlled ~1.5% of Storm's worker bots.
Operator share: 40% cut for Storm operators via the GlavMed affiliate program.
Spam-advertised revenue: countries of spam-directed visitors who added items to cart - United States, Canada, Philippines.
Scamming requires a whole ecosystem: network infrastructure, payment processing, and bulletproof hosting. Example: setting up canadianpharma.com.
| Component | Problem | Solution |
|---|---|---|
| Domain name | Legit registrars take down on complaints | Shady registrars - charge more |
| DNS servers | Obvious choke-point for law enforcement | Bulletproof DNS - expensive |
| Web servers | ISP/law enforcement can shut down | Bulletproof hosting - expensive |
| Payment processing | Most banks won't work with scammers | Banks in lawless countries |
Payment processing is the weak point: unhappy customers complain → processors shut down accounts → bank accounts seized. Scam sites almost always ship products to avoid chargebacks.
In 2012, GlavMed, SpamIt, RX-Promotion databases were breached and dumped. Researchers analyzed complete logs of sales, customers, affiliate relationships.
Actors: exploit devs, botnet masters, spammers, phishers, counterfeiters, bulletproof hosting, carders, crowdturfers.
Exploit kits: decoupling - buy/rent kits; Traffic-PPI bundles traffic + exploit server.
C&C: IRC (simple), P2P (robust), fast flux, random domain generation.
Spam economics: ~0.014% get through filters. Storm: $3.5M/yr pharma, $1.7M to operators.
Scam infrastructure: domain, DNS, web, payment - all choke-points. Bulletproof services expensive.
Pharma affiliate data: repeat customers, affiliate skew, payment processors as weak point.
The cybercrime underground is a specialized, interconnected economy. Exploit developers, botnet masters, spammers, and phishers collaborate through forums and black markets. Monetization and compromise are decoupled via Pay-per-Install and Exploits-as-a-Service. Disrupting payment processors or top affiliates has disproportionate impact.
An Empirical Analysis of Spam Marketing Conversion - botnet infiltration to measure delivery and conversion.
Understanding the Business of Online Pharmaceutical Affiliate Programs - GlavMed/SpamIt data analysis.
Characterizing Spam-advertised Revenue - where spam-directed visitors add to cart.