The Underground Economist: Volume 3, Issue 1

5 minute read

Welcome back to The Underground Economist: Volume 3, Issue 1, an intelligence focused blog series illuminating dark web findings in digestible tidbits from our ZeroFox Dark Ops intelligence team. The Dark Ops team scours the dark web, extending visibility and engagement into places traditional security teams can’t reach to share meaningful and insightful intelligence on the trends and tactics threat actors are leveraging across the dark web and criminal underground. Here’s the latest for the week of January 6, 2023.

Untested threat actor “hydrox” advertised 3 TB of sensitive data related to the U.K.-based aquaculture biotechnology company “Benchmark” on the predominantly Russian language Deep Web forum exploit[.]in. The actor said the data was stolen from the IT manager’s machine, including:

  • The personally identifiable information (PII) of employees
  • Meeting logs
  • Business plans
  • Invoices and other financial documents

The actor specified the company generates more than $190 million (approximately 158 million GBP) in revenue.

ZeroFox researchers assess the actor is likely an inexperienced middleman selling the data for an insider, or the insider themselves, because most established data brokers would not publicly announce the name of such a high-value target. 

Original post from threat actor “hydrox” advertising 3 TB of sensitive data related to the U.K.-based aquaculture biotechnology company “Benchmark”

Actor Looking For Vendors Who Will Let Them Compromise Stores With Payment Card Sniffer

Untested threat actor “rondacvv” announced they are looking for online merchants who would knowingly allow them to compromise their shops with a payment card sniffer on the Russian language Dark Web forum “RAMP.” The actor would install the sniffer on the vendors’ payment systems, allowing them to steal the payment card information of customers in real-time. 

In return, the actor said they would split a percentage of the profits made by cashing out the victims’ payment cards with the store owners. Additionally, the vendor would get access to a web panel, where the actor claims they would be able to view or download the stolen data that came from their shops. 

ZeroFox researchers assess that any cooperation from online merchants would likely lead to an increase in stolen payment cards for sale on the Deep and Dark Web, since the actor’s straightforward approach of asking the vendors for permission to install the sniffer would almost certainly reduce the time and effort it takes them to compromise a shop. 

Tax Season Gets Underway On The Criminal Underground

New and untested threat actor “FreeRadical” is auctioning the sensitive tax documents of U.S. citizens on the predominantly Russian language Deep Web forum exploit[.]in. This is likely the first of many similar offerings to come, as tax season gets underway for threat actors looking to facilitate fraud across the criminal underground.     

The actor claims to have more than 2,100 documents, including:

  • Individual income tax returns (1040) 
  • Wage and tax statements (W-2)
  • Income tax returns for an S corporation (1120-S)
  • Profit and loss statements

The starting bid for the complete set of documents was $3,000 USD, with a minimum bid of $500 USD and an instant purchase price of $5,000 USD.

Deal Involving Access To SS7 Gateway Recently Brokered On Darknet Marketplace

Moderately credible threat actor “gregorgram” recently sold access to an alleged Signaling System No. 7 (AKA SS7) gateway on the English language Dark Web marketplace “AlphaBay”. ZeroFox researchers assess the seller is likely legitimate because “AlphaBay” requires the use of an escrow service for all transactions, indicating the actor made a deposit before the deal was brokered. This is significant because most SS7 deals are often scams.      

SS7 is a set of signaling protocols used by most mobile networks to initiate phone calls, SMS messages, number translation, and prepaid billing services. A skilled threat actor can almost certainly exploit the access to this SS7 gateway to:

  • Eavesdrop on phone calls
  • Intercept SMS messages (including OTP codes sent by SMS)
  • Redirect phone calls or text messages
  • Track the location of a victim

The access to the SS7 gateway was still available to two individuals for $8,000 USD each.

Screenshot indicating the threat actor “gregorgram” recently sold access to an alleged Signaling System No. 7 (more commonly known as SS7) gateway

See ZeroFox in action