Do you have a hacked site? While contemporary threat actors primarily coordinate and conduct business through Telegram channels, compromised services and accounts are effectively a commodity, and access to them has become fundamental to the operation of many illicit online activities. As a result, “shops” offering these commodities have proliferated. Many of the shops in question make no effort to hide their purpose or discourage indexing by search engines and as such are technically on the “clearnet”. Many shops even use legitimate CDN and CAPTCHA providers.

From remote desktop instances providing cheap anonymity for attackers, to web shells used to proliferate SEO spam, to full access to webmail accounts used for social engineering and identity theft, these shops offer crucial tools for cybercriminals. As such, it’s equally important for defenders to have an overview of the capabilities available to even the most rudimentary adversaries, as well as some basic data about the economics involved. This is why, in today’s post, we’re publishing a white paper investigating six of these shops and providing an overview of their functionality, pricing, and the core goods and services they offer.