Apr 17, 2017

Deep Web and Black Market


The deep web, invisible web, or hidden web are parts of the World Wide Web whose contents are not indexed by standard search engines for any reason. The opposite term to the deep web is the surface web.
What is inside the deep web? Let's take a look at the figure below.

Deep web concept is quite simple. You can think about search engines. Search engines such as Google, Yahoo and Microsoft's Bing give you results about constantly indexed pages. They do that by following the links between sites, crawling the Web's threads like a spider. But that only lets them gather static pages, like the one you're on right now. When the web crawler arrives at some other sources such as database, it typically cannot follow links into the deeper content behind the search box. Google and other search engines also don't capture pages behind private networks or standalone pages that connect to nothing at all. These are all part of the Deep Web.

The internet we use in our daily life is only 4% of the whole web. This part of web is called Surface Web. The part which is called deep web is 90% of the whole web. This part of web full of nan-harmful and legal things just not indexed for search engines. The deepest part of web which is called DarkWeb is 9% of whole web. There are many illegal activities in here. The types of activities done in black markets are explained below. Black Markets and selling products of this type of markets are our interests for this article.


A black market, underground economy, or shadow economy is a secret market or transaction which has some aspect of illegality or is characterized by some form of noncompliant behavior with an institutional set of rules. (Source wikipedia) Almost all things that are illegal to sell are sold in these markets. Drugs, hacked account credentials, credit card informations are just a few of the best known ones. There are so many different types of products sold in these markets, but we only focus on user credentials which are obtained as a result of a hacker event.

More than 3 Billion user accounts were hijacked only in 2016. Leaked data include credit cards, e-mails, passwords, health credential, bank account details and some other valuable personal information. Black markets are selling place for this type of data, such data appeared within days on black-market sites. Other examples of attacks are as follows;
  • Recent increases in the use of watering-hole attacks (where users visit popular, legitimate, but compromised websites) based on well-known exploit kits available for sale on the black market
  • online advertisements that, when clicked, infect a victim’s computer, and call back to an exploit kit to launch additional malware; data is then stolen and sold on black markets
  • Distributed Denial of Service (DDoS) attacks implemented by rented botnets available on the black market.
  • Anyone can rent a botnet for the purpose of getting more click count for their websites or videos.
  • Paid premium accounts sold at very low prices in the black markets

In the literature, definition of this type of markets is divided into two categories; the first one is black market, and the second one is gray market. Black markets are organized and run for the purpose of cybercrime; they deal in exploit kits, botnets, Distributed Denial of Service (DDoS) attack services, and the fruits of crime (e.g., stolen credit card numbers, compromised hosts) etc. Gray markets are limited to the exchange of vulnerabilities and exploits, the discovery and development of which are not illegal. Legitimate companies often pay for information about vulnerabilities in their own products.

As we told you before, we focus only black markets in this article to understand the perspective of hacker events backgrounds and how hackers earn money through black  markets.
In the continuation of this section, characteristics and the general structures of black markets, the types of products that can be stolen in these markets, and the costs of these products are explained.

Characteristics of the Black Market

Black markets are growing in size and complexity.  The hacker market has emerged as a playground of  financially driven, highly organized, and sophisticated groups.

Understanding what these markets are is complicated. The reason of that it is geographically spread out, diverse, segmented, and usually hidden under the cloak of darkwebs, anonymization, and cryptographic features. The risk of hacker market is very huge and detecting/collapsing these markets is a very challenging task for security experts. Black market is an increasing threat to businesses, governments, and individuals operating in the digital world.

As increasing specialization characterizes black markets, the types of goods and services which being sold in black markets are increasing too. As with any other market, black market products and vendors tend to be reliable. Methods for communication have gotten more innovative and secure: there is greater use of encryption and privacy mechanisms, such as off-the-record messaging and cryptocurrencies.
In black markets, all money transactions are done using bitcoin. Bitcoin can be used to buy things electronically. In that sense, it’s like conventional dollars, euros, or yen, which are also traded digitally. However, bitcoin’s most important characteristic, and the thing that makes it different to conventional money, is that it is decentralized. No single institution controls the bitcoin network. This puts some people at ease, because it means that a large bank can’t control its own money. So this money is untraceable, this is what is needed in black markets.
Botnets have been one of the largest enablers of cyber-crime until today. Not surprisingly, their presence and offerings are significant on the black market. Initially, botnets were used for spamming in the years of 2003 and 2004. In the course of time, botnets have evolved in a way that low-skilled users can use it. As low-skilled users can use services that botnets provide such as DDoS attack or sending spam mails, they can build their own botnets.
How to access DarkWeb?
Technically, this is not a difficult process. You simply need to install and use Tor. Tor is a free software for enabling anonymous communication and directs internet traffic through a free, worldwide, volunteer network consisting of more than seven thousand relays. So that, user's location and the usage are hidden from anyone conducting network surveillance or traffic analysis. Using Tor makes it more difficult for Internet activity to be traced back to the user: this includes "visits to Web sites, online posts, instant messages, and other communication forms". (Reference)
If you want to access DarkWeb, go to Tor Website and download the Tor Browser Bundle, which contains all the required tools. Run the downloaded file, choose an extraction location, then open the folder and click Start Tor Browser. That's it. The Control Panel will automatically handle the randomised network setup and, when Tor is ready, the browser will open; just close it again to disconnect from the network. Some IPS’s may block Tor connection. In such cases, all you need is install a VPN, and try again. (Reference)
Hacker markets have evolved over time and now come in many forms. In the early of  mid-2000s, they focused on goods and information related to credit card credentials. Then, they expanded to broker credentials for eCommerce accounts, social media, and beyond.
Criminals have multiple skill levels, therefore they can participate in the black market. Almost any computer-literate person can enter the market according to her/his skill levels. Like traditional economies, the underground market comprises sellers (supply), buyers (demand), and intermediaries.
With the increase of as-a-service models and do-it-yourself kits (with easy-to-use administration panels), anyone can create and use variants of similar malware. One can buy credentials, credit cards, and personally identifiable information without needing to be highly technical.
Organization of groups and forums are highly structured. Specialization of roles and responsibilities are defined very well. Most of the vendors guarantee that their products will live until promised lifespan.  

Products And Their Prices on Black Market

There has been a steady increase in the availability of goods and services offered in the black markets. Greater availability of as-a-service models, point-and-click tools, and easy-to-find online tutorials makes it easier for technical novices to use what these markets have to offer. Despite these markets being generally illicit, they follow the same economic laws and practices as other markets: Participants communicate through various channels, place their orders, and get products. Black-market evolution mirrors the normal evolution of a free market, with both innovation and growth.
Prices for credit cards, for example, are falling because the market is flooded with records, and botnets and DDoS capabilities are cheaper because so many more options are available.
For example, Yahoo announced hacking incident from its September disclosure that 500 million user accounts had been hacked in 2014, but company has faced another attack, disclosed Wednesday that a different attack in 2013 compromised more than 1 billion accounts. The stolen data include names, email addresses, telephone numbers, birthdays, hashed passwords, and some "encrypted or unencrypted security questions and answers. Yahoo says that they believes no payment card or bank account information was stolen. The interesting thing is, announcement is published in September 2016.  The New York Times reports that a billion-user database was sold on the Black Market last August (2016) for $300,000.
It is possible to hack an account by paying a price between $16 - $325 which depends on the type of target account. Average cost to companies per compromised record is estimated $194 considering in form of lost customers, damaged reputation and diminished goodwill. (Source of information : link)
The reference of all the price information in the table below are gathered from the report of Rand Corporation which is published in 2014. If you want to learn more detailed information, we recommend you to read that report. The table below consists of many black market products and their corresponding value in the market. (all prices for US unless specified)
Zero-Day vulnerabilities are also one of the popular products on the black markets. Zero-day vulnerabilities (“zero-day exploits”, or just “zero-days”) are exploitable vulnerabilities that a software vendor is not aware of and for which no patch has been created. It is difficult to find zero-days and also difficult to develop an exploit for them. For these reasons, prices of zero-days are higher than the price of other products on black markets.
Zero-days are mostly thought to be used for corporate espionage, or for specific targets whose only entry is through a zero-day. Zero-Day vulnerability prices are given below.
Some companies have set up their own bug bounty program to avoid selling their zero-day vulnerability in black markets. Some bug bounty programs are given below.

  • Apple Bug Bounty Program  –  Language: Any, Bounty: $25.000 USD – up to $200.000 USD
  • BattkeHack 2015 – Languages: C++, JavaScript (as Node.js), Bounty: $100,000 USD (1st Prize), Xbox One (2nd Prize), Adafruit ARDX (3rd Prize)
  • Facebook Whitehat Program– Languages: C++, PHP, D, Java, Python (Server-side); JavaScript (Client-side), Bounty: $500 USD (Minimum), No Pre-Determined Maximum
  • Google Vulnerability Reaward Program (VRP) – Languages: C/C++, Java, Python, Go (Server-side); JavaScript, Flash (Client-side) – Bounty: $100 USD (Minimum), $20,000 (Maximum)
  • Yahoo Bug Bounty Program – Languages: JavaScript, PHP (Server-side); JavaScript (Client-side) – Bounty: $100 USD (Minimum), $20,000 (Maximum)
  • Mozilla Bug Bounty – Languages: C++, JavaScript, C, CSS, XUL, XBL – Bounty: $500 USD (Minimum), $3,000 (Maximum).
  • WordPress Security Bug Bounty Program – Languages: PHP, MySQL – Bounty: $100 USD (Minimum), $1,000 (Maximum)
  • The Chromiun Project – Languages: C++ – Bounty: $500 USD (Minimum), $15,000 (Maximum)
  • Samsung Smart TV Security Bounty Program – Languages: Tizen, Android – Bounty: $500 USD (Minimum), $3000 USD (Maximum)
  • Avast Bug Bounty Program – Language: C++ – Bounty: $400 USD (Minimum) – $10,000 or More (Maximum)
  • Microsoft – Online Services Bug Bounty Program – Languages: ASP.NET – Bounty: $500 USD (Minimum), Maximum Not Pre-Determined
  • Github Security Bug Bounty – Languages: Ruby – Bounty: $100 USD (Minimum), $5,000 USD (Maximum)