The Wordfence Threat Intelligence team has recently concluded an investigation of online marketplaces, colloquially known as “shops” by threat actors, selling access to compromised services. While contemporary threat actors primarily coordinate and conduct business through Telegram channels, compromised services and accounts are effectively a commodity, and access to them has become fundamental to the operation of many illicit online activities. As a result, “shops” offering these commodities have proliferated. Many of the shops in question make no effort to hide their purpose or discourage indexing by search engines and as such are technically on the “clearnet”. Many shops even use legitimate CDN and CAPTCHA providers.

From remote desktop instances providing cheap anonymity for attackers, to webshells used to proliferate SEO spam, to full access to webmail accounts used for social engineering and identity theft, these shops offer crucial tools for cybercriminals. As such, it’s equally important for defenders to have an overview of the capabilities available to even the most rudimentary adversaries, as well as some basic data about the economics involved. This is why, in today’s post, we’re publishing a white paper investigating six of these shops and providing an overview of their functionality, pricing, and the core goods and services they offer.

You can download the white paper here.