Following KELA’s publication this past May regarding Remote Access Markets operating in the cybercrime underground, specifically diving into MagBo, our intelligence team kept a close eye on any changes made by the market’s owners. Like several security media outlets, MagBo’s admin – operating in the Russian community AntiChat under the handle melniser – also picked up on the initial coverage and, following several days of work, released a statement addressing it.
In the statement, melniser addresses new security measures designed to decrease visibility into the market by unwanted parties – such as security researchers and threat intelligence practitioners. The actor also put some effort into downplaying the market’s involvement in malicious activities.
Announcement (in Russian) by MagBo’s admins on changes that will occur on the market going forward, following recent media attention.
New Access Control Policies
The MagBo registration process for a new user consists of two steps: first, the user needs to obtain an invite code in order to register on the market. A newly-invited user then needs to top up their new account with USD 15 in order to gain access to the remote access section of the market. As a first step, MagBo's one-time access fee has been raised to USD 50 in an attempt to deter possible scrapers. This precaution is very common in cybercrime marketplaces and is widely used to try to prevent web crawlers from easily accessing data; note that it raises the cost of every scraper account that gets burned rather than blocking scraping outright.
Moreover, the market now also enforces "security levels" – ratings given to buyers based on their engagement and activity in the market – that control which listings a user can see. When a seller on the market uploads a new Remote Access for sale, they can assign the listing a security level, from 0 to 4; only users with the same (or higher) security level can see the item in the market. A user's security rating is determined by a combination of the user's current spend in the market and their activity – the number of in-market transactions performed in the past 30 days.
Translation of the relevant part in melniser’s announcement, detailing the volume of deals and activity levels needed to reach different security levels
Like the higher payment threshold needed to access the market, these ratings are a mechanism very common to automated cybercrime shops. Perhaps the most notable example is the stolen credit card superstore Joker's Stash, which imposes a "partner's rating" on its users, based on the amount of funds spent in the store in the past 90 days. Users with a low partner's rating are prevented from using several market features and, most importantly, from seeing the newest – and therefore probably the most relevant and easiest to monetize – data posted to the market.
Joker’s Stash partner’s rating as explained in the market as shown for a new user without permissions
Visibility Or Not to Be?
In our last post about MagBo, we named the visibility inherent to the market as a major differentiator; even with the latest security additions, we still believe this holds. Increased visibility into goods is a theme for many successful cybercrime markets, but with their adversaries – i.e. law enforcement and threat intelligence researchers – lurking about, this visibility can be a double-edged sword, as it helps those adversaries triangulate data and attribute attacks. Keeping this delicate balance – keeping clients happy and adversaries unhappy – is tough, since both groups want the same thing: broad visibility into what is on offer. Cumbersome security measures may hinder the market's killer features and put a limit on its scale and growth.
This is where another comparison to Joker's Stash might come in handy. Unlike many other actors in the cybercrime financial ecosystem, the admins behind the successful credit card shop pride themselves on not banning anyone, ever – not even crawlers and scrapers. While we could not find an explicit rationale offered by the actors themselves, KELA's hypothesis is that the actors understand that web scrapers are used not only by threat intelligence firms, but also by their legitimate clients. Big fraud actors, for example, might employ scrapers to gain real-time access to Joker's Stash and search for relevant cards in an automated manner.
A post by the Joker’s Stash forum persona, stating that the shop never bans any user accounts
Despite the multiple exposés Joker’s Stash received in the media in the past several years, the actors didn’t change the policy and crawlers are still welcome in the market. However, in their threat model, the admins decided to disallow one feature commonly “abused” by intelligence professionals: searching for credit cards by their expiry date.
The ever-disabled ‘expiration date’ filter in Joker’s Stash
Unlike Joker's Stash, MagBo does ban users for a variety of reasons – from a week without any account activity, to harassing the market's administration with, in the words of the admins, "stupid questions". It's clear that melniser chooses a different path than Joker's Stash: rather than crippling features that expose the products, MagBo gates access to some of the data behind user levels. In that vein, only time will tell if – and how – the new security measures imposed by MagBo will damage its growth or client base. So far, however, we have not detected any negative opinions about the new measures. KELA's assessment is that MagBo will stay fairly accessible, as this is what its active daily users want and need.
Sherxan, a prolific seller on MagBo, expresses a positive opinion about the new measures (top); MagBo’s ban policy, providing much room for discretion for the site’s administration (bottom).
Wasn’t Me: How Bad MagBo Really Is
The second part of melniser's post focuses on the actor trying to downplay the market's importance in the cybercrime ecosystem – claiming that MagBo doesn't sell anything special or targeted, and that no government websites are being sold on the platform.
The last part of melniser's post
First and foremost, let's address the obvious issue: MagBo does sell access to government websites. In fact, examining KELA's collected listings for hosts under government-related TLDs mentioned in the market, we found over 70 compromised websites. This post will not include any direct mentions since we don't wish to expose any targeted entities to further attention.
That being said, part of the sentiment expressed by melniser is true: most of these websites are not the crown jewels of government assets. They probably don't include, on their own, immediate access to sensitive data or a direct connection to a government network; when threat actors gain access to this kind of asset, they tend to monetize it manually in forums, and for much higher prices than the MagBo average. The same is true for any non-governmental compromised accesses sold on MagBo: most of them won't be the main websites of Fortune 500 companies, but SMB-SME entities or even small local businesses. Most of the use cases employed by the actors buying accesses from the market are probably not highly targeted, sophisticated network intrusions; they are most probably credit card skimming, hosting commodity malware panels or C2s, or even semi-benign black hat SEO.
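The check behind the count above, classifying listed hosts as government-related by matching domain suffixes on whole labels, as an added example that is not KELA's or MagBo's own code. The suffix list is a small hypothetical sample rather than an authoritative registry, and the listings are constructed for illustration; the point is to match suffixes label-by-label so that look-alike names such as `notgov.example` or `gov.uk.attacker.example` do not produce false positives.

```python
"""Classify hostnames from access listings as government-related.

Added example, not KELA's or MagBo's code. The suffix list is a small
hypothetical sample and the listings below are constructed; nothing here
is real market data.
"""
from urllib.parse import urlsplit

# Hypothetical sample of government-related suffixes. Real work would use
# a maintained list (e.g. the Public Suffix List plus a curated set of
# national government second-level domains).
GOV_SUFFIXES = (
    "gov", "mil",
    "gov.uk", "gov.au", "gov.br", "gov.in", "gov.za",
    "gob.mx", "gob.es", "go.jp", "go.kr", "gouv.fr",
)


def normalise_host(value: str) -> str:
    """Reduce a raw listing value (URL, host:port, trailing dot) to a bare host."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value  # make urlsplit treat the value as a netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".")


def is_government_host(value: str) -> bool:
    """True when the host is, or sits under, one of GOV_SUFFIXES.

    Comparison is on whole labels: 'notgov.example' does not match 'gov',
    and 'gov.uk.attacker.example' does not match 'gov.uk'. The host must
    have at least one label below the suffix, so the bare suffix itself
    (the registry, not a site) is not counted.
    """
    labels = normalise_host(value).split(".")
    for suffix in GOV_SUFFIXES:
        parts = suffix.split(".")
        if len(labels) > len(parts) and labels[-len(parts):] == parts:
            return True
    return False


def government_listings(listings):
    """Return the listings whose host is government-related."""
    return [item for item in listings if is_government_host(item["host"])]


# Constructed sample listings, loosely shaped like a scraped access feed.
SAMPLE_LISTINGS = [
    {"id": 1, "host": "council.example.gov.uk", "price": 12},
    {"id": 2, "host": "https://municipio.example.gob.mx/wp-admin/", "price": 9},
    {"id": 3, "host": "shop.notgov.example", "price": 5},
    {"id": 4, "host": "gov.uk.attacker.example", "price": 7},
    {"id": 5, "host": "portal.example.go.jp:8443", "price": 20},
    {"id": 6, "host": "blog.example.com", "price": 3},
]

if __name__ == "__main__":
    for item in government_listings(SAMPLE_LISTINGS):
        print(item["id"], normalise_host(item["host"]), item["price"])
```

Running the block prints listings 1, 2 and 5; the two look-alike hosts are correctly rejected. For the count in the text the same filter would run over the full feed of collected listings rather than the constructed sample.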
However, this is not a valid excuse for downplaying the market's importance. First of all, SMB-SME businesses – which melniser offhandedly dismisses as "nothing extraordinary" – can be publicly traded companies, and damaging them can be devastating to their employees and shareholders. On top of that, and in a more general sense, all major breaches start with something small: a simple yet effective social engineering attempt or a good drive-by download. Put in the relevant context, MagBo's wares are perfect for attackers: a small and seemingly unimportant breached government website is a great starting point for credible spear-phishing, and a small local business' website can be the perfect springboard for a watering hole attack. To refer back to one of the most seminal breaches of the last decade, the 2013 Target breach started with seemingly-unimportant and untargeted access to a third party; defenders can never downplay the importance of these accesses, readily available by the tens of thousands in the cybercrime underground ecosystem.
Anatomy of the Target breach, which all started with a small provider being compromised
To generalize a bit, attackers – even sophisticated and well-funded ones, such as organized crime groups or nation-state backed actors – are opportunistic; MagBo provides them with a slew of opportunities to leverage. These opportunities can be exploited by any actor group – from low-level card skimmers, through ransomware actors trying to find initial access into a target organization, to nation state actors seeking anonymization or false-flag operations by using cybercriminal infrastructure.
What Does This Mean for Intelligence Providers and Security Defenders?
On an almost-philosophical level, this is a great example of Schrodinger’s Threat – where by shining a light on a threat in form of a publication, one might make the threat dislocate and harm collection methods.
On a more practical level (and without puns built on inaccurate depictions of scientific ideas), we assume that MagBo's current exposure probably won't have a lasting effect on either attackers or defenders. At the end of the day, melniser – as well as most, if not all, of MagBo's users – is a financially-driven actor, and in order to maintain steady revenue and a growing user base, MagBo will need to keep its features intact. As long as the business is successful it needs to maintain visibility for its users, and as long as it does, KELA will maintain its foothold and provide our clients with the intelligence collected.