After a tumultuous few months at the start of the year in which each week seemed to bring a major development in the cybercrime scene, we’ve been enjoying a period of relative stability in the dark web. We have just about recovered from the closure of the English-language forum giant RaidForums, the bombshell leak of the Conti ransomware group’s internal chat logs, and Russian law enforcement’s assault on carding platforms. This recent slower pace has allowed us to spend more time reflecting on the state of the dark web community and longer-term issues. You might have seen our blogs examining prison slang on Russian-language forums or musing on the first anniversary of the Colonial Pipeline attack and WannaCry’s continuing impact.
In a similar vein, we’ve been keeping a watching brief on Amunet, a relatively new English-language cybercriminal platform launched at the beginning of 2022. There’s nothing particularly remarkable about this forum. It covers the typical mix of hacking tools, data leaks, and credentials, and looks set to be another candidate in the group of English-language forums jostling to achieve prominence and market share. However, one element that did catch our eye was a roadmap outlining the site’s strategy and project plan for 2022 (see Figure 1).
The roadmap marks the launch of the forum in January 2022, followed by the introduction of a “Leaks Circle” for the “visualization of leaked sources” (although we couldn’t find any indication on Amunet that the administrator(s) had instituted this feature on schedule). This visualization project is an intriguing element of the roadmap, but with few details on the site to provide more context about this development, we can only guess what this may look like once implemented. However, anything that makes it easier for threat actors to share and identify leaked data sets will significantly impact the threat landscape. As we outlined in our recent research report on account takeover, stolen credentials facilitate a considerable proportion of recorded malicious activity. Visualizing leaked sources may cause this proportion to increase.
Next, Amunet planned to launch its own cryptocurrency, integrated with forum functionality, in May 2022. Again, we found scant evidence that this functionality was working on the site at the time of writing, although one forum thread from early May 2022 (see Figure 2) explained that users who shared leaked databases would earn forum credits that they could later exchange for the cryptocurrency. Many cybercriminal forums operate a form of internal currency or forum credits, and some even let users purchase credits rather than only earning them through forum activity. However, if, as the roadmap suggests, members of this site could withdraw forum credits as a real cryptocurrency exchangeable for more versatile coins like Bitcoin or Monero, this would be a distinguishing feature for Amunet. The ability to essentially earn cash via forum activities like logging into the platform, sharing leaked data sets, or replying to other users’ posts could seem like an easy way for threat actors to earn funds, which may give this new platform a good chance of gaining an advantage over its competitors.
According to the roadmap, July 2022 should see the creation of a “Leaks Detector”, which will allow forum users to check for “emails and corporate domains” in leaked data sets. We frequently see threat actors advertising tools that parse logs or data sets for particular types of information, but a forum feature that could identify corporate emails and domains may prove a boon to users interested in targeting enterprises and carrying out attacks such as business email compromise (BEC). Compromising the accounts of corporate employees rather than private individuals can be an extremely lucrative attack vector: many businesses handle much larger sums than most private individuals, so a successful campaign could result in a far larger payout.
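To make concrete what a “Leaks Detector” of this kind has to do, here is an added example (our own illustration, not code from Amunet or any other forum). It scans a constructed, entirely fictitious dump written in the mixed formats such leaks usually arrive in (combo lists, CSV exports, SQL rows), extracts addresses, discards freemail providers, and counts the corporate domains that remain. The same logic, pointed at a watch list of your own domains, is the defender’s side of the coin; the function names, the freemail list, and the sample data are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample of a "leaked database" in the mixed formats such dumps
# usually arrive in (combo lists, CSV exports, SQL rows). Fictitious data.
SAMPLE_DUMP = """\
alice@example-corp.com:Summer2022!
bob.smith@gmail.com;5f4dcc3b5aa765d61d8327deb882cf99
"carol@Example-Corp.com","carol","2021-11-03"
dave@yahoo.com:hunter2
erin@acme-industries.co.uk:P@ssw0rd
INSERT INTO users VALUES ('frank@example-corp.com', 'frank', 'abc123');
not-an-email@@broken
grace@hotmail.com:letmein
heidi@mail.example-corp.com:Winter22
"""

# Freemail providers to ignore when hunting for corporate addresses
# (short illustrative list; a real detector would carry a much longer one).
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "protonmail.com"}

# Deliberately permissive: dumps are messy, and a false positive costs little.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def extract_emails(text):
    """All plausible e-mail addresses in the text, lower-cased, in order of appearance."""
    return [m.group(0).lower() for m in EMAIL_RE.finditer(text)]


def domain_of(email):
    return email.rsplit("@", 1)[1]


def corporate_domains(emails, freemail=FREEMAIL):
    """Count addresses per domain, dropping freemail providers (the attacker's view)."""
    counts = Counter(domain_of(e) for e in emails)
    return {d: n for d, n in counts.items() if d not in freemail}


def find_watched(emails, watchlist):
    """Addresses whose domain, or a parent of it, is on the watch list (the defender's view)."""
    hits = {}
    for e in emails:
        d = domain_of(e)
        for w in watchlist:
            if d == w or d.endswith("." + w):
                hits.setdefault(w, []).append(e)
    return hits


if __name__ == "__main__":
    found = extract_emails(SAMPLE_DUMP)
    print(f"{len(found)} addresses extracted")
    for domain, n in sorted(corporate_domains(found).items(), key=lambda kv: -kv[1]):
        print(f"  {domain}: {n}")
    print(find_watched(found, ["example-corp.com"]))
```

Note that subdomains (`mail.example-corp.com`) are counted separately by `corporate_domains` but folded into the parent by `find_watched`; a watch list should always match on suffix, because leaked data rarely uses the apex domain consistently.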
The final proposed addition on the roadmap is advertised as a “Time-Back-Machine”, which will see “A couple of hacking forums […] returned as snapshots for public observation”. Other English- and Russian-language cybercriminal platforms have previously hosted archives of defunct forums, presented as discrete sections of that platform that share the hosting platform’s appearance. If this new “Time-Back-Machine” feature were to visualize archived material with its original layout and presentation, and provide a true snapshot of how these deceased sites looked and functioned, this would be another original feature that could help Amunet gain new members. We certainly haven’t seen this capability on other dark web platforms. In a highly unstable world where cybercriminal sites disappear with little warning, workable archives could help mitigate the disastrous effects of site closures and ensure continuing access to useful resources.
These four unusual functionalities, if successfully implemented, would provide Amunet with a set of attractive features that could lure threat actors away from competitor sites and help the forum establish itself as the leading platform within the English-language cybercriminal scene. Remember that, at their hearts, cybercriminal forums all offer their users the same basic capabilities: creating public threads that forum members can reply to. Most forums will also allow users to send private messages to the rest of the user base. Adding in supplementary features is one of the few ways that a forum can differentiate itself from the mass of other sites that all offer the basic messaging components. Other options include providing a highly specialized offering to turn your site into the natural destination for threat actors interested in a particular type of malicious activity; restricting membership to try and ensure high-quality conversation and commerce; or, conversely, adopting a lax attitude to user admittance and rules to try and attract beginners and script kiddies to boost numbers.
The new features in Amunet’s roadmap got us thinking about other sites that have used this approach in a likely attempt to make a splash in the crowded cybercriminal forum scene. Let’s take a look at four such functionalities: custom Jabber servers, file upload services, temporary notes services, and VPN services.
Custom Jabber servers
Despite the introduction of newer platforms like Telegram, Discord, and Tox, many threat actors prefer to use the more old-fashioned messaging service Jabber (XMPP), especially in the Russian-language cybercriminal scene. These newer platforms might offer slicker interfaces and additional features, but many threat actors have concerns about their security, and prefer the tried-and-tested methods.
There are hundreds of Jabber servers out there, with varying levels of reliability, trustworthiness, and reputation within the underground community. Some cybercriminal forums maintain Jabber server blacklists and will, for instance, only allow new members to register with a Jabber ID on an approved server. Despite the huge number of Jabber servers in existence, some top-level cybercriminal forums have found it beneficial to invest in establishing and maintaining a dedicated server of their own. Usually these servers are accessible to anyone, and are not for the exclusive use of that forum’s members. The servers’ association with a reputable site has multiple advantages:
- A link with a trusted cybercriminal forum increases threat actors’ perceptions that the server is secure and reliable. The cybercriminal forum will be tying its own reputation to the success of the Jabber server, so it’s in the forum’s interest to ensure that the service works well.
- Forums that operate a Jabber server will usually have a dedicated thread or section on the site that is devoted to providing information about the server. This gives threat actors a wealth of information about how to register on and use the server, and also means that downtime or outages can be communicated easily.
- The tie back to forums gives users of the Jabber server a clear point of contact if they experience any issues while using the server. Problems like forgotten passwords or unwanted spam can be reported and resolved easily.
One of the more prominent Russian-language forums we follow established its own Jabber server back in January 2019. The thread advertising the server (see Figure 3) emphasizes the server’s “reliability and safety” and highlights its features and advantages, which include password storage in hashed form, no IP or chat logging, anti-spam capabilities, and a ban on Jabber IDs using Cyrillic characters. The forum has an entire section devoted to providing server updates, such as a purge of old accounts, changes to the anti-spam feature, registration instructions, and downtime notifications. There is also a dedicated Jabber support account on the forum, ensuring the server’s users receive top-level customer service and fast responses. This forum, like multiple others, has likely found that offering a trusted Jabber server can initially attract threat actors to the forum who then go on to enjoy the other features of and content on the site.
File upload services
A rival Russian-language cybercriminal forum established a file upload service in April 2021. The dedicated thread advertising this new feature (see Figure 4) joyfully announced the project, which is built on an abandoned Mozilla open-source project available on GitHub. The advertising post noted that the service had been deployed on the forum’s servers and did not use any third-party services, meaning that all files would be encrypted and stored on encrypted disks. The forum has a whole section that exclusively contains material relating to the file exchange service, including a thread for pointing out bugs or errors, a thread for users to make suggestions for new features, and a thread offering users the opportunity to buy advertising space on the file service (priced at USD 500 per month).
Just as Jabber servers are an integral element of the cybercriminal trade cycle by facilitating communication between threat actors, file upload or exchange services serve the vital function of allowing cybercriminals to share download links to illicit material. A forum can stake its name on providing a safe location for threat actors to store their files, which may be trusted more than a third-party service with no vested interest in protecting users’ anonymity. What’s more, many common third-party file storage sites suffer from reliability issues, with download links often expiring. We have observed multiple forum members using the file upload service that the Russian-language site offers, indicating that threat actors do appreciate the service on offer. The availability of this service might help to retain or attract a forum user base.
Temporary notes services
This same cybercriminal forum also offers its members a temporary notes service. This service allows users to share a link to a simple text display that will expire after a set time or if certain conditions are met, after which point the text is destroyed. Threat actors use such services to share sensitive information like download links or passwords. Like the file exchange service, this project was based on open-source code, although the forum team created its own code base and intended to further develop the project within its own infrastructure. A thread advertising the project (see Figure 5) explained that the service had been deployed on the forum’s own servers, that all disks were encrypted, that it used no third-party services, and that it encrypted all notes and stored them in RAM. Decryption would only be possible on the client side, and after reading, the service would destroy the note. In designs of this kind the decryption key is typically carried in the part of the link after the “#”, which the browser never sends to the server, so the server holds ciphertext it cannot itself read.
The launch of the service received a positive response from forum members, some of whom expressed their discomfort with using third-party services offering a temporary file functionality. Many forum members immediately began to engage with the project, sharing suggestions for further additions and improvements.
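An added example (ours, not the forum’s code) of the design described above, in Python using only the standard library: the server keeps nothing but ciphertext and an integrity tag in memory, the key travels in the URL fragment, which browsers never transmit to the server, a note is destroyed on first read, and unread notes lapse after a time-to-live. The keystream construction (HMAC-SHA256 in counter mode with a fresh random key per note, encrypt-then-MAC under a separate MAC key) is chosen so the example runs without third-party packages; a production service would use an AEAD such as AES-GCM. The host name, function names, and the injectable clock are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time


class NoteStore:
    """Server side: keeps only (ciphertext, tag, expiry) in memory, keyed by note ID.

    It never receives the key, so the operator (or anyone who seizes the box)
    can read nothing. A note is removed on first read or when its TTL lapses.
    """

    def __init__(self, clock=time.time):
        self._notes = {}      # note_id -> (ciphertext, tag, expires_at)
        self._clock = clock   # injectable so expiry can be tested offline

    def store(self, ciphertext, tag, ttl_seconds):
        note_id = secrets.token_urlsafe(16)
        self._notes[note_id] = (ciphertext, tag, self._clock() + ttl_seconds)
        return note_id

    def take(self, note_id):
        """Hand out (ciphertext, tag) exactly once; None if unknown, already read, or expired."""
        self._purge_expired()
        entry = self._notes.pop(note_id, None)
        return None if entry is None else (entry[0], entry[1])

    def _purge_expired(self):
        now = self._clock()
        for nid in [n for n, e in self._notes.items() if e[2] <= now]:
            del self._notes[nid]

    def count(self):
        return len(self._notes)


# Client side. Stdlib-only encrypt-then-MAC; the random 32-byte key is used for
# one note only, so the keystream is never reused. Illustrative construction:
# use an AEAD (AES-GCM, ChaCha20-Poly1305) in a real service.
def _subkeys(key):
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def _keystream(enc_key, length):
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_note(plaintext):
    key = secrets.token_bytes(32)
    enc_key, mac_key = _subkeys(key)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return key, ct, tag


def decrypt_note(key, ct, tag):
    enc_key, mac_key = _subkeys(key)
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha256).digest(), tag):
        raise ValueError("note failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, len(ct))))


def create_link(store, plaintext, ttl_seconds=600, base="https://notes.example/n/"):
    """Encrypt locally, upload ciphertext only, return a link carrying the key in the fragment."""
    key, ct, tag = encrypt_note(plaintext)
    note_id = store.store(ct, tag, ttl_seconds)
    frag = base64.urlsafe_b64encode(key).decode().rstrip("=")
    return base + note_id + "#" + frag


def read_link(store, link):
    """Fetch the note behind a link (destroying it server-side) and decrypt with the fragment key."""
    path, _, frag = link.partition("#")
    note_id = path.rsplit("/", 1)[1]
    key = base64.urlsafe_b64decode(frag + "=" * (-len(frag) % 4))
    entry = store.take(note_id)
    if entry is None:
        return None
    ct, tag = entry
    return decrypt_note(key, ct, tag)


if __name__ == "__main__":
    store = NoteStore()
    link = create_link(store, b"ftp creds: user / hunter2", ttl_seconds=60)
    print(link)
    print(read_link(store, link))   # the note
    print(read_link(store, link))   # None: already burned
```

The two properties worth checking in any such service are visible here: a second read of the same link returns nothing, and tampering with the stored ciphertext is detected before anything is displayed. What this design cannot protect against is the recipient’s own client, or a phishing copy of the site that harvests the fragment in JavaScript.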
VPN services
Another key part of the toolkit a threat actor needs to carry out their malicious activity is a VPN service they trust to preserve their anonymity and security. One high-profile Russian-language carding-focused forum promotes a VPN service that is associated with and at least partially managed by the platform. While this blog has so far focused on the benefits of forums offering extra functionalities, an incident involving this forum’s VPN service highlights the dangers of forum administrators associating their site with extra features.
In January 2022, a forum user shared a screenshot of a law enforcement seizure notice on the homepage of the popular VPN service, adding “Has this service finally died?” (see Figure 6). Later that day, the forum administrator made a series of posts in quick succession to provide details about the evolving incident, explaining that the VPN domain “was redirected to a third-party server”, that the “DNSes have been changed”, and that the “main server that was responsible for the site has been blocked”. They added that it was not yet “clear” whether the incident was a “hack” or “if it really was blocked at the police’s request”. In a second post, they added, “All backups are there, so we can restore everything without problems. We’re investigating now”. A few minutes later, however, the administrator posted to warn users that the VPNLabs domain now hosted a phishing page, and advised users not to enter their username and password to avoid passing credentials to law enforcement. The following day, another forum user reported that “the cops are already boasting” that they blocked the VPN service.
The forum administrator later commented that “Judging by the news, it was ransomware that caused problems”, noting that the service had operated without problems for many years before ransomware groups began using the service. They directed users who had logged into their accounts after the domain was redirected to a phishing page to change their passwords. They also offered compensation to users who wished to claim money back on their subscriptions to the VPN service and offered the alternative of waiting until the administrators restored the service and gave everyone “a decent bonus”.
This incident goes to show that while creating separate infrastructure and services to promote on a forum in order to increase that forum’s attractiveness and gather new members can be a route to success, it is also fraught with difficulty. Forums are essentially gambling their good names on the prospects of these additional features. Additions like the VPN service, hosted on discrete domains, increase the forums’ overall attack surface, offering another potential target for law enforcement agencies to try and take down.
Here at Digital Shadows (now ReliaQuest), we think it’s important to monitor the introduction, development, and use of these additional forum features. A new, attractive feature with good chances of success could well serve to boost traffic to a particular forum, which in turn could increase the amount of malicious activity taking place on that site that could potentially impact our clients. To ensure we’re providing the best possible intelligence for our customers, we need to keep our finger on the pulse of developments within the cybercriminal landscape, and if we can predict new forum movers and shakers, all the better. We feed these observations into Digital Shadows (now ReliaQuest)’ SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) service, which features a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. If you’d like to access the library for yourself, you can sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.