Vulnerability Management

Cyber criminals offer black market peers bug discovery service


Researchers have discovered that a new bug detection service is being offered in underground online communities where ill-gotten user credentials and malware are bought and sold.

The service entails finding buggy PHP, a programming code of choice among fraudsters, and a range of other vulnerabilities that could allow an attacker to wreak havoc on another hacker's infrastructure. A Russian fraudster began offering the service in the last couple of weeks, according to Idan Ahoroni, head of cyber intelligence at RSA.

In a Wednesday blog post, Ahoroni said that, “cyber criminals need to protect their assets just as any legitimate organizations would.”

"As fraudsters become more sophisticated, it's gotten to the point that they need a new type of service to make sure that their infrastructure is safe and nobody is taking advantage of [it]," he added in a Thursday interview with

Fees for discovering vulnerabilities ranged from $20 to $150, for more serious concerns, which could allow code execution in small scripts, Ahoroni said.

Over the years, miscreants have begun to take additional precautions to keep their activity on underground forums hidden, or at least anonymous. For instance, fraudsters looking to buy stolen credit card credentials now contact suppliers listed under a business name, as opposed to a personal moniker. 

“Now, they usually use the name of the store like an official customer support [service],” Ahoroni said. “Potential buyers are only exposed to the specific supplier.”

Many black market services, like buying credit card details, have become automated, so buyers and sellers never have to speak to one another unless there is a service issue, Ahoroni added. While it's not surprising that cyber criminals are seeking out options to secure their operations, especially since they are often vulnerable to being attacked by competitors or others in the black market – it is noteworthy that fraudsters are considering their peers for the job.

Deception to leverage power plays in the underground market has been ample, but in 2006, one of the more memorable cases occurred. Max Butler, the operator of the now defunct site CardersMarket, infamously hacked into the databases of competitor boards to consolidate members' information into one board that he managed. In 2010, Butler was sentenced to 13 years in federal prison for hacking financial institutions and selling the stolen data.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.