New Underground Market Comes Online Just in Time for the Holidays

Threat actors have opened a new underground market known as OLVX Marketplace (olvx[.]cc) that is gaining notoriety just in time for the holidays. This new marketplace claims to sell all the tools necessary to commit online fraud, manipulate the very savviest of online shoppers, and make this time of year much less merry and bright. OLVX follows a trend ZeroFox Intelligence has observed relating to multiple underground marketplaces now operating on the clear web, whereas in the past, most would only operate on the deep or dark web (DDW).

On or about July 1, 2023, OLVX came online, with established and well-regarded threat actors advertising tools such as phish kits, remote desktop connections, cPanel credentials/access, webshells, spam-sending systems, stolen data, webmail access, and leads/combo lists. Underground marketplaces, even those hosted on the clear web, sell a myriad of products and services that support cybercriminals' day-to-day operations. While some marketplaces specialize in illegal/illicit end products such as drugs, counterfeit goods, and hacked gift cards, OLVX focuses less on end-user products and more on the tools and services criminals use to obtain data, many of which can be deployed by threat actors looking to capitalize on the busy 2023 holiday retail season.

Discovery

In the fall of 2023, ZeroFox researchers noted an increase in activity on the OLVX marketplace, both in items sold and in purchasers flocking to the newly created store. Analysis of the platform and its code indicates OLVX is a fork of code leaked from a different store, OLUX, sometime between early 2020 and late 2021. While the original OLUX marketplace code is dated by today's standards, multiple stores have appeared post-leak using improved variants of it. OLVX sits behind Cloudflare to mask its actual web hosting location and improve availability.

Figure 1. OLVX homepage
Source: ZeroFox Intelligence

Rather than being hosted on the dark web, the OLVX marketplace is on the open web. Based on an investigation of the site's source code, the administrators of the OLVX marketplace have implemented several search engine optimization (SEO) techniques to attract new customers.

Figure 2. OLVX homepage SEO
Source: ZeroFox Intelligence

This SEO work, together with advertising on various forums, on Telegram, and by word of mouth, has gained OLVX additional customers in recent months.

Figure 3. OLVX Telegram group welcome message
Source: ZeroFox Intelligence

Payments and Support

As with many marketplaces, OLVX has implemented numerous tactics to make customer service a priority while serving its illicit customers. OLVX operates a general Telegram channel promoting its new features and offering the ability to direct-message operators with any problems. While there are many choices in the illicit marketplace sector, marketplaces that focus on maintaining customer relationships tend to have a stronger reputation and greater profits.

While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX’s ability to maintain and attract customers to the platform.

Figure 4. OLVX custom request page
Source: ZeroFox Intelligence

While numerous underground marketplaces offer an escrow service, holding the buyer's funds until the goods are delivered and so protecting the buyer against non-delivery, OLVX has opted to offer direct payment via cryptocurrency instead.

Figure 5. OLVX payment methods
Source: ZeroFox Intelligence

OLVX accepts payment via cryptocurrency, but rather than allow customers to pay for each transaction separately, the marketplace requires customers to deposit funds with the platform and maintain a balance. This model is common on illicit marketplaces, as prepaid balances increase sales and profitability and leave the platform holding any unspent funds. When a customer no longer has sufficient funds for a transaction, they are instructed to "top off" their account via a time-limited, anonymized cryptocurrency address.

Items Sold on OLVX Marketplace

Shells

When a malicious actor compromises a legitimate website, establishing persistence on the web server is part of their standard tactics, techniques, and procedures (TTPs). One mechanism is uploading a webshell, a script that gives the actor a backdoor to the web server and its content. While some sellers offer webshell scripts for the buyer to upload to a site of their own choosing, OLVX sells access to shells already planted on hacked sites at hosting providers worldwide. Price points are very low, with some under USD 5 among the hundreds of shells listed for sale. The marketplace can verify a shell's authenticity and connectivity before the customer makes the purchase.

Figure 6. OLVX Shells for sale
Source: ZeroFox Intelligence
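The shells sold above are exactly the scripts a defender should be hunting for on their own servers. The Python scanner below is an added example, not code from ZeroFox or from the marketplace: it walks a web root and scores PHP files on the traits a dropped shell usually shows (an execution sink such as eval or system, request superglobals in the same file feeding it, and decoder/obfuscation wrappers), then reports the highest-scoring files for review. The sample files, paths, scoring weights and threshold are constructed for illustration and should be tuned against a known-clean copy of the application.

```python
"""Heuristic scanner for PHP webshells in a web root.

Added example (not code from the ZeroFox post or from OLVX): scores PHP files
on the patterns a dropped shell typically shows and lists the worst offenders.
"""
import os
import re
import time
from dataclasses import dataclass, field

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Execution sinks. One alone is weak evidence (frameworks use some of these);
# several, or one in a file that also reads request input, is strong evidence.
SINKS = re.compile(
    r"\b(eval|assert|system|exec|shell_exec|passthru|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# Superglobals carrying attacker-controlled data.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Decoders commonly used to hide the real payload from string matching.
DECODERS = re.compile(
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|strrev|hex2bin)\s*\(",
    re.IGNORECASE,
)
# A long run of base64 alphabet is itself unusual in hand-written PHP.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


@dataclass
class Finding:
    path: str
    score: int
    reasons: list[str] = field(default_factory=list)


def score_php_source(src: str) -> tuple[int, list[str]]:
    """Return (score, reasons) for one file's contents; 5 or more is worth review."""
    score, reasons = 0, []
    sinks = {m.group(1).lower() for m in SINKS.finditer(src)}
    if sinks:
        score += 2 * min(len(sinks), 3)
        reasons.append("exec sinks: " + ", ".join(sorted(sinks)))
    if sinks and REQUEST_INPUT.search(src):
        # Sink and superglobal in the same file: request data likely reaches execution.
        score += 3
        reasons.append("request input present alongside exec sink")
    decoders = {m.group(1).lower() for m in DECODERS.finditer(src)}
    if decoders:
        score += 2
        reasons.append("decoders: " + ", ".join(sorted(decoders)))
    if BASE64_BLOB.search(src):
        score += 2
        reasons.append("long base64 blob")
    return score, reasons


def scan_sources(files: dict[str, str], threshold: int = 5) -> list[Finding]:
    """Score an in-memory {path: contents} mapping; highest scores first."""
    findings = []
    for path, src in files.items():
        score, reasons = score_php_source(src)
        if score >= threshold:
            findings.append(Finding(path, score, reasons))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def scan_webroot(root: str, threshold: int = 5, recent_days: int = 7) -> list[Finding]:
    """Walk a web root on disk, score each PHP file, and bump recently modified hits."""
    files, recent = {}, set()
    cutoff = time.time() - recent_days * 86400
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    files[full] = fh.read()
            except OSError:
                continue
            if os.path.getmtime(full) >= cutoff:
                recent.add(full)
    findings = scan_sources(files, threshold)
    for f in findings:
        if f.path in recent:
            f.score += 1
            f.reasons.append(f"modified within {recent_days} days")
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed samples (not real listings): a one-line shell, an obfuscated
# shell, and a benign page that uses a superglobal without an exec sink.
SAMPLES = {
    "/var/www/html/uploads/x.php": "<?php @eval($_POST['c']); ?>",
    "/var/www/html/wp-content/cache.php":
        "<?php $k=base64_decode('" + "QUFB" * 60 + "'); eval(gzinflate($k)); ?>",
    "/var/www/html/search.php": "<?php echo htmlspecialchars($_GET['q']); ?>",
}

if __name__ == "__main__":
    for f in scan_sources(SAMPLES):
        print(f"{f.score:>2}  {f.path}  ({'; '.join(f.reasons)})")
```

Run scan_webroot("/var/www/html") on a live host; anything the application's own release does not contain that scores at the threshold is a candidate shell, and a recent modification time on an otherwise static tree is the tiebreaker worth checking first.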

cPanels

As of November 2023, OLVX has over 6,000 cPanels listed for sale. The marketplace does not sell cPanel software; rather, it sells access to an active cPanel account (presumably hacked), allowing the buyer to manipulate the hosted site as they wish. Investigating the products sold, ZeroFox noted that sellers compromise a website and sell access to it piecemeal (via shell, cPanel, etc.) rather than as a single bulk purchase, extracting greater profit from one compromised website. Before purchase, buyers can view information such as country, top-level domain, hosting provider, and rankings, along with verification that the cPanel access is still active. Pricing is relatively low (generally under $10 USD).

Figure 7. OLVX cPanels for sale
Source: ZeroFox Intelligence

Remote Desktop Protocol (RDP) and Secure Shell (SSH) Access

Anonymity during attacks is paramount, and routing through someone else's infrastructure is a common threat actor TTP. By purchasing RDP or SSH access to compromised legitimate servers, threat actors mask the true source of their attacks by launching them from a server belonging to someone else; the victim's logs then show the compromised server's address rather than the attacker's. RDP and SSH access is commonly sold on multiple marketplaces.

OLVX provides access to numerous potentially active servers with compromised RDP credentials. Pricing is generally under $10 USD and is set based on access level and system specifications; to further enhance sales, OLVX lets the customer verify that credentials are still valid prior to purchase.

Figure 8. RDP access for sale
Source: ZeroFox Intelligence

SMTP Accounts and Mailers

Depending on campaign goals, it is commonplace for threat actors to send attacks such as phishing emails to as many victims as possible. Because bulk sending through services such as Gmail or Outlook is likely to get the sender flagged, threat actors instead use pre-existing hacked servers to "piggyback" on legitimate SMTP connections, inheriting the server's sending reputation. Mailers (scripts) are also sold so the threat actor can run email campaigns directly from the server. Compromised SMTP accounts and mailers were priced below $10 USD on OLVX depending on hosting provider and country, and the category contains over 1,000 listings.

Figure 9. SMTP access for sale
Source: ZeroFox Intelligence

Webmail Accounts

While many marketplaces, OLVX included, sell combo lists containing compromised email credentials, OLVX also provides a more targeted service for threat actors planning social engineering attacks. When buying a large list of thousands of compromised credentials, the threat actor has no guarantee which domains the dataset contains. OLVX offers over 8,000 compromised webmail credentials and lets the threat actor search for the specific domain they need for a social engineering campaign. Because credentials are sold individually per transaction, the cost is just a few dollars.

Figure 10. Webmail access for sale
Source: ZeroFox Intelligence

Leads & Combo Lists

As threat actors build out campaigns to target as many victims as possible, one source of targeting data is "leads." Lead files contain large numbers of email addresses and are often sold in bulk, grouped by a specific provider. Combo lists contain username/password pairs from prior breaches, oftentimes numbering in the millions, and are typically fed into automated credential-stuffing and brute-force tooling. Additionally, ZeroFox observed an 18 percent increase in listings of compromised retail/finance credentials, which prior intelligence has shown threat actors often use during the holidays to scam online shoppers. Items available on the OLVX marketplace range in price from $1-200 USD, depending on database size, target, and country.

Figure 11. Combo lists for sale
Source: ZeroFox Intelligence
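Combo lists, like the RDP and SSH credentials discussed earlier, are consumed by automation that replays username/password pairs against a login endpoint, so the defender-side signature is one source cycling through many distinct usernames in a short window with a scattering of successes. The detector below is an added example and not from the ZeroFox report; it flags such bursts and lists the accounts whose credentials succeeded, which are the ones to force a reset on. The log format (timestamp, source IP, username, OK/FAIL), IP addresses, usernames and thresholds are constructed assumptions, not any product's real format.

```python
"""Credential-stuffing detector over authentication logs.

Added example, not code from the ZeroFox report. Combo lists are replayed by
automation, so the signal is one source IP trying many *different* usernames
within a short window, with a few successes mixed into a long run of failures.
The log format (timestamp, source IP, username, OK/FAIL) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    src_ip: str
    user: str
    success: bool


@dataclass
class StuffingAlert:
    src_ip: str
    window_start: datetime
    attempts: int
    distinct_users: int
    compromised: list[str]  # usernames that succeeded inside the burst


def parse_line(line: str) -> AuthEvent:
    """Parse '2023-11-20T08:00:06Z 203.0.113.7 user01@example.com FAIL'."""
    ts, ip, user, result = line.split()
    return AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK")


def detect_credential_stuffing(
    events: list[AuthEvent],
    window: timedelta = timedelta(minutes=5),
    min_attempts: int = 20,
    min_distinct_users: int = 15,
) -> list[StuffingAlert]:
    """Flag source IPs that cycle through many usernames inside `window`.

    A user mistyping their own password never trips this: the distinct-username
    threshold is what separates stuffing from ordinary failed logins.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while ev.ts - evs[start].ts > window:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_attempts or len({e.user for e in burst}) < min_distinct_users:
                continue
            # Threshold crossed: extend across contiguous activity so successes
            # later in the same run are attributed to it as well.
            last = end
            while last + 1 < len(evs) and evs[last + 1].ts - evs[last].ts <= window:
                last += 1
            burst = evs[start:last + 1]
            alerts.append(StuffingAlert(
                src_ip=ip,
                window_start=burst[0].ts,
                attempts=len(burst),
                distinct_users=len({e.user for e in burst}),
                compromised=sorted({e.user for e in burst if e.success}),
            ))
            break  # one alert per source IP
    return alerts


def constructed_log() -> list[str]:
    """Constructed sample: one stuffing run (30 users, 2 hits) and one legitimate user."""
    t0 = datetime(2023, 11, 20, 8, 0, 0)
    lines = []
    for i in range(1, 31):
        ts = t0 + timedelta(seconds=6 * i)
        result = "OK" if i in (7, 22) else "FAIL"
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.7 user{i:02d}@example.com {result}")
    for i, result in enumerate(["FAIL", "FAIL", "FAIL", "OK"]):  # bob mistypes, then succeeds
        ts = t0 + timedelta(seconds=30 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 198.51.100.20 bob@example.com {result}")
    return lines


if __name__ == "__main__":
    for alert in detect_credential_stuffing([parse_line(l) for l in constructed_log()]):
        print(f"{alert.src_ip}: {alert.attempts} attempts, "
              f"{alert.distinct_users} users, hits={alert.compromised}")
```

Keying on distinct usernames rather than raw failure counts is the design choice that matters: lockout-based controls see a handful of failures per account and stay silent, while a stuffing run against a large combo list produces exactly one or two attempts per account from the same source. Proxy-distributed runs defeat the per-IP grouping, so in practice the same logic is also worth running keyed on ASN or on a device fingerprint.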

Accounts

In addition to combo lists, OLVX offers a specialized sales area for credentials to specific domains/services. With over 400 active targets for sale ranging from general user accounts to administrator access, there are numerous high-value accounts available to threat actors. Investigating the items for sale, ZeroFox noted that adult websites were commonly present, offering a possible social engineering angle against vulnerable individuals. Pricing varied depending on the level of access, and listings often included personally identifiable information (PII) alongside the credentials. To further incentivize purchasing, proof of the compromised credential data is provided.

Figure 12. Accounts for sale
Source: ZeroFox Intelligence

Phish Kits (Scampages)

As phishing continues to be one of the most profitable methods cybercriminals use to compromise victims, marketplaces such as OLVX often sell pre-built phish kits. Marketplaces and the DDW economy refer to phish kits as "scampages," a euphemism that mainly serves to evade keyword searches and deflect legal scrutiny. Phish kits are sold as ZIP archives and often bundle secondary components: anti-bot ("cloaking") code that hides the page from security scanners and crawlers, two-factor authentication (2FA) bypass capabilities, and, at times, code that instantly forwards captured credentials to a Telegram bot. Over the past two months, OLVX listings of phish kits targeting the retail and finance sectors have grown by more than 25 percent, indicating a multitude of campaigns being prepared for the holiday season. ZeroFox Intelligence observed that more feature-rich kits (2FA bypass, cloaking, etc.) were priced as high as $150 USD for a single page, while generic pages were priced below $20 USD. To further incentivize sales, screenshots are provided to showcase the quality of the phishing landing page. Available OLVX phish kits target retail, finance, and shipping, in addition to a myriad of other sectors.

Figure 13. Phish kits for sale
Source: ZeroFox Intelligence

Hosting

OLVX currently sits behind Cloudflare to mask its actual hosting location and uses Simple Carrier LLC, a provider known to host questionable content and one that advertises distributed denial of service (DDoS) protection services.

Conclusion

Marketplaces such as OLVX continue to be popular sources from which cybercriminals purchase the tools they need to conduct targeting campaigns.  As the November and December holiday shopping season is the busiest for retailers and consumers, the OLVX marketplace has, accordingly, also been ramping up its supply of items available to cybercriminals. While consumers shop online patronizing legitimate businesses, cybercriminals are busy on OLVX purchasing the supplies they need to target the innocent during the “most wonderful time of the year.”

Recommendations

  • Remain alert when shopping online around the holiday season; only make purchases from known, trusted retailers, and avoid clicking any shopping links on social media pages or within unexpected emails.
  • Implement secure password policies: phishing-resistant MFA, complex passwords, and unique credentials for every account. Rotate credentials whenever a compromise is suspected, and never reuse passwords across accounts.
  • Employ a dark web monitoring strategy, such as having ZeroFox continually monitor for leaked information.

Get the Full Report

For a copy of the full report, click here. Want more reports like this, including best practices, the latest research, and breaking news, delivered straight to your inbox? Sign up for the Daily Intelligence Brief!
