Cybercriminals e-tailing on e-commerce storefronts – A Growing Trend

Cyble Research and Intelligence Labs analyzes the trend of Threat Actors increasingly embracing retail practices to sell compromised data.

Cyble Research and Intelligence Labs has observed several Threat Actors (TAs) using e-commerce platforms such as Shoppy, Selly, Sellix, Satoshibox, Rocketr, and even self-hosted WordPress stores to further their criminal activities.

This is the natural progression and scaling of TAs' activities: from one-off sales brokered by a forum middleman or escrow to an automated payment and delivery process ("auto-buy") that gives the buyer instant access to the product as soon as the cryptocurrency payment is confirmed.

While the platforms mentioned above are all otherwise reputable, their misuse by cybercriminals is not new. SatoshiBox has previously been used in extortion scams and continues to be used to sell malware and data (see Figure 1).

Figure 1: TA on a cybercrime forum selling malware using Satoshibox

Figure 2: Hacking services and malware sold on Sellix

Figure 3: Ransomware builder for sale on Sellix

Part of the appeal of these low-contact platforms is that they let TAs avoid direct communication with buyers, as well as the fees charged by the traditional safeguards of cybercrime forums: middlemen (a role the forum administrator typically takes on to oversee transactions) and escrow (a system in which the payment is held in the forum's wallet until both buyer and seller confirm release). Moreover, like the forums, these platforms accept payment in a range of cryptocurrencies.

TAs who actively sell databases on popular cybercrime forums have been observed listing the same databases in their own online stores.

While these shops let buyer and seller trade instantly, significantly shortening the time to close a deal, the buyer still runs the risk of not receiving what the seller advertised. The platforms also offer no dispute resolution, which forum middlemen generally do. Even so, established TAs have been observed using these platforms to move their dealings outside the forums.


Unlike cybercrime forums, Sellix offers a free plan for anyone looking to start a shop, as does Shoppy. These shops are becoming increasingly attractive to cybercriminals because there are no entry restrictions, they can carry on their activities with little scrutiny, and they cut the cost of operating.

The goods sold on these storefronts vary from databases and cracked accounts to hacking services. Some TAs also offer “leads” – databases of users with personally identifying information, such as addresses and phone numbers, sorted by industry and country to cater to buyers’ demands.

Other types of data include both corporate and individual email-password combinations (AKA combo lists), commonly used for credential-stuffing attacks.
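Combo lists are usually distributed as plain text, one `email:password` pair per line, though sellers also use `;`, `|` or tab as the separator and passwords may themselves contain `:`. The following is an added example (not Cyble's code or tooling) of how an analyst might triage such a file to answer the question the page raises: do any of the credentials belong to domains we care about? The sample lines and the domain watchlist are constructed for illustration.

```python
"""Triage a leaked combo list: parse email:password lines, deduplicate,
count exposure per domain and flag pairs belonging to watched domains.
Added example for illustration; the sample data below is constructed."""
import re
from collections import Counter

# Separators seen in the wild, checked in order of first appearance on a line.
SEPARATORS = (":", ";", "|", "\t")
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_combo_line(line):
    """Return (email, password) for a well-formed line, else None.

    The line is split at the earliest separator present, so a password
    such as 'p@ss:word' is kept whole. Emails are lower-cased for
    deduplication; passwords are left untouched.
    """
    line = line.strip().lstrip("\ufeff")  # tolerate a BOM on the first line
    if not line or line.startswith("#"):
        return None
    positions = [(line.index(sep), sep) for sep in SEPARATORS if sep in line]
    if not positions:
        return None
    idx, sep = min(positions)
    email = line[:idx].strip().lower()
    password = line[idx + len(sep):]
    if not EMAIL_RE.fullmatch(email) or not password:
        return None
    return email, password


def triage(lines, watchlist):
    """Parse lines, dedupe on (email, password) and report exposure.

    A domain matches the watchlist if it is a watched domain or a
    subdomain of one (mail.corp.example matches corp.example).
    """
    watched = {d.lower() for d in watchlist}
    seen = set()
    per_domain = Counter()
    hits = []
    malformed = 0
    for line in lines:
        parsed = parse_combo_line(line)
        if parsed is None:
            stripped = line.strip()
            if stripped and not stripped.startswith("#"):
                malformed += 1
            continue
        if parsed in seen:
            continue  # exact duplicate pair, common in merged combo lists
        seen.add(parsed)
        email, _ = parsed
        domain = email.rsplit("@", 1)[1]
        per_domain[domain] += 1
        if domain in watched or any(domain.endswith("." + w) for w in watched):
            hits.append(parsed)
    return {
        "unique": len(seen),
        "malformed": malformed,
        "per_domain": per_domain,
        "hits": hits,
    }


# Constructed sample: mixed separators, a duplicate, a password with ':'.
SAMPLE_COMBO = """\
# constructed sample, not real data
alice@example.com:Summer2023!
bob@corp.example:p@ss:word
Bob@corp.example;p@ss:word
carol@mail.corp.example|hunter2
not-an-email-line
dave@example.org\tqwerty
alice@example.com:Summer2023!
"""

if __name__ == "__main__":
    report = triage(SAMPLE_COMBO.splitlines(), ["corp.example"])
    print(f"unique pairs: {report['unique']}, malformed lines: {report['malformed']}")
    for domain, count in report["per_domain"].most_common():
        print(f"  {domain}: {count}")
    for email, _ in report["hits"]:
        print(f"watched-domain hit: {email}")  # never print the password
```

In practice the hits would be fed to a forced password reset rather than printed, and the per-domain counts give a quick sense of whether a listing is a fresh breach of one target or a recycled aggregate of older leaks.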

These platforms also let sellers display stock levels for their data or tools, including the number of units available, to signal the scale of what they are selling.

Figure 4: A TA selling Indonesian datasets with “unlimited” stock

Figure 5: Shoppy storefront of a TA who sells combo lists

Take the example of KelvinSecurity, a prominent TA group featured in the Ukraine-Russia cyberwar. They have attempted to open three online shops in the past and continue to run a popular marketplace group on Telegram. Recently, KelvinSecurity made its fourth attempt at running a WordPress-based e-commerce site, shown below:

Figure 6: Zer0DaySellers, KelvinSecurity’s new online shop

Another common type of store identified by Cyble researchers is the account reseller, which peddles accounts of popular online services, including food delivery, at a fraction of the original price for these services. These accounts are obtained using logs from stealer malware (stealer logs/compromised endpoints) or other illegitimate means.

Figure 7: Storefront of a TA reselling popular services

Traditional fraud, like carding, in which illicitly obtained credit card details of various bank users are sold by fraudsters, has also found a home on e-commerce platforms.

Figure 8: Storefront of a cracker/carder, reselling popular products

The adoption of e-commerce stores for cybercrime is likely to grow further. These stores are, however, far from replacing cybercrime forums: they are fragmented, with no centralized directory through which buyers can discover them.

Instead, these will continue to supplement TAs’ existing activity on existing cybercrime venues. Some crime niches such as account resellers, combolist peddlers, malware vendors, and carders may thrive on these e-commerce stores. Still, large database sellers may rely on forums to build a reputation before pursuing their own ventures.

References

https://www.bleepingcomputer.com/news/security/cia-exortion-scams-using-satoshibox-to-sell-alleged-proof-for-500/

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.
