The Underground Economist: Volume 1, Issue 8


Welcome back to The Underground Economist, Issue 8, an intelligence focused blog series illuminating Dark Web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the Dark Web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the Dark Web and criminal underground. Here’s the latest for the week of January 24, 2022.

New Shop Selling Stolen Credentials From Other Deep Web Marketplaces

New and untested threat actor “AccountzClub” announced the first official Deep Web shop brokering compromised login credentials for other Deep Web marketplaces on the English-language Deep Web marketplace “KickAss”. The new shop, dubbed “Accountz Club”, features heavily discounted accounts for various Deep Web stores, including:

  • Cc2btc[.]com
  • Cvv2finder[.]hk
  • Fullzinfo[.]com
  • Genesis[.]market

Due to the criminal nature of these Deep Web stores, many do not require multi-factor authentication, making it easier for threat actors to compromise user accounts. Most of these stores do not allow users to withdraw funds from their accounts, allowing a threat actor with compromised login credentials to spend the remaining balances on various illicit items and services.

Original post from threat actor “AccountzClub” announcing new Deep Web shop

The actor’s announcement comes approximately one month after ZeroFox researchers observed logs containing similar account credentials for other Deep Web stores being sold on the botnet logs marketplace amigos[.]to, which subsequently halted operations permanently in December 2021. 

Former Doxbin Owner Leaks Plaintext Passwords Of Users

In early January 2022, threat actor and former Doxbin owner “White” leaked a database containing the plaintext passwords of approximately 2,500 threat actors who use the website to post the personal information of their victims (AKA doxes). The leak will likely lead to new doxes being published across various Deep and Dark Web sources, as Doxbin has locked the accounts of all users who logged into the platform between November 9, 2021 and January 4, 2022.

Original post from threat actors “brenton” and “kt” detailing the Doxbin ordeal

During this stretch of time, “White” broke Doxbin by altering the source code, got doxed, and eventually sold the website back to the two original owners. In response to “White” leaking the database, current Doxbin owners and administrators “brenton” and “kt” revealed the identity of the threat actor as a 16-year-old living in the U.K. The two also promised to upload the full dox containing information about “White” to Doxbin, as they continue their work to repair the damage caused by the actor.

Actor Shares List Of 450,000 WordPress Websites

Well-regarded threat actor “joseph_salazar” recently shared a list containing the IP addresses of 450,000 hosts running WordPress sites on the Russian-language Deep Web forum xss[.]is. This could signal an increase in cyberattacks against WordPress websites. The actor claimed they used Shodan to detect the vulnerable WordPress websites in more than a dozen countries, including:

  • Canada
  • China
  • United States
  • Australia
  • India

Within a week of sharing the list, new and untested threat actor “Zerrious” advertised a tool to compromise WordPress websites on XSS. The tool leverages lists of compromised account credentials compiled from different data breaches (AKA combo lists) to perform credential stuffing attacks, with successful attempts granting threat actors access to the admin panels of valid WordPress sites. The actor charged approximately $30 USD per month for the tool.

Post from threat actor “Zerrious” advertising their tool to compromise WordPress accounts, less than one week after the original threat actor, “joseph_salazar”, shared their list of IP addresses for WordPress sites
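Credential stuffing against wp-login.php leaves a recognisable trace in ordinary web-server access logs: bursts of POSTs from one source. The following Python is an added example, not code from the ZeroFox post or from any tool it describes; it runs over constructed Apache-style log lines, and the "200 on failure, 302 redirect on success" heuristic and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not from the page): one source hammers
# wp-login.php from a scripted client, one normal user logs in once.
SAMPLE_LOG = """\
198.51.100.7 - - [25/Jan/2022:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.26.0"
198.51.100.7 - - [25/Jan/2022:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.26.0"
198.51.100.7 - - [25/Jan/2022:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.26.0"
198.51.100.7 - - [25/Jan/2022:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.26.0"
198.51.100.7 - - [25/Jan/2022:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.26.0"
203.0.113.9 - - [25/Jan/2022:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Jan/2022:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(m["status"])

def detect_stuffing(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold login POSTs inside any window_seconds span.
    Assumption: WordPress re-renders the form with 200 on a failed login and
    answers a successful one with 302, so a 302 from a flagged IP is suspicious."""
    by_ip = defaultdict(list)
    for ip, ts, status in parse_login_posts(log_text):
        by_ip[ip].append((ts, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):  # sliding window over sorted timestamps
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = {"attempts": len(events), "peak_per_window": peak,
                           "likely_success": any(s == 302 for _, s in events)}
    return flagged
```

A flagged IP with `likely_success` set is the one worth an immediate password reset and session invalidation for the admin account involved.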

New Shop Emerges Selling Stolen Payment Card Data

New and untested threat actor “A L C A P O N E” advertised their new automated marketplace, which brokers in stolen payment card data, on the Russian-language Deep Web carding forum club2crd[.]su. There has not been a large, high-quality vendor of payment card data since “Joker’s Stash” shut down in February 2021; with would-be replacement shops like amigos[.]to already failing to fill the void, ZeroFox researchers assess that this new shop, dubbed “Cartel”, has a chance to step in.

The actor claimed the shop features:

  • Firsthand skimmed cards with very high approval ratings
  • Cards from various countries
  • No resellers
  • Products that are updated daily

About the Writers of The Underground Economist: The ZeroFox Dark Ops Team

ZeroFox’s Dark Ops team operates amongst the criminal underground community. Our global threat hunting and Dark Web intelligence team extends the reach of your security resources by engaging with the underground community, bolstering your capabilities in an effort to give you an advantage over emerging threats and stop active or future attacks before damage can be done. Embedded into hundreds of Dark Web communities where few possess the cultural or language expertise to infiltrate, we combine open-source and human intelligence to fight back, engage with adversaries, triage threats and curate intelligence specific to your threat intelligence requirements. Engage directly with the team here.
