When it comes to the Middle Eastern and North African underground, research from Trend Micro showed that the regional cybercrime marketplace has a few unique hallmarks, including a “spirit of sharing” mindset that hinges on a feeling of brotherhood and religious alliance that transcends the illicit transactions that occur.
“In other marketplaces, like in North America or Russia, their purveyors mostly focus on selling their wares and forum participants don’t band together to plan cyberattacks,” the firm said in its report, dubbed Digital Souks: A Glimpse into the Middle Eastern and North African Underground.
The report also found that prices for malware and hacking tools are generally a bit more expensive than in other regions. For example, a keylogger in the North American underground runs anywhere from $1 to $4, but in MENA pricing rises to $19. However, the willingness of members to share content for a mutual cause helps balance out the price differences. There’s even a prevalence of giving services and malware away for free.
“Still a propagating market, the region is not at par in terms of scale and scope when compared to other regions, but the products and services available remain common and sophisticated,” said Ihab Moawad, vice president, Trend Micro, Mediterranean, Middle East & Africa. “Other underground marketplaces provide support to members, but the extent and willingness in this region is unique.”
The research also uncovered that hacktivism, DDoS attacks and website defacements are a staple in this region. These tactics are often carried out by members who express ideological distrust toward Western countries, as well as local governments. The primary product categories are malware (27%), fake documents (27%), stolen data (20%), crimeware (13%), weapons (10%) and narcotics (3%). Crimeware sold includes a variety of cryptors, malware and hacking tools.
Stolen identities, meanwhile, are sold in forums across the region, and the demand for personally identifiable documents is influenced by geopolitical tensions: buyers wanting to flee active war zones, for instance, can leverage them to migrate to other countries as refugees. On the other hand, cyber-criminals can also purchase fake documents to perpetrate insurance fraud or prove resident status. A daunting real-world implication is a dangerous person buying these fake documents and slipping through to other countries as a refugee.
Trend Micro found that hosting providers in the region make a significant profit by selling regionalized hosting spaces, which allow for local language and time settings in addition to faster connection speeds. A single IP connection and 50 GB of hard disk space, for instance, are sold for $50. Smaller plans exist, and start as low as $3.
Similar to the Russian underground, cashout services also abound here. These are platforms from which physical items, usually stolen, are converted into cash. These services are paid for with bankcards, Bitcoin (BTC) or direct cash transactions.
“A unique aspect of cash out services here is how they are used to bypass security mechanisms and legal requirements in the region, such as those in place for the purchase of cell phones and disposable SIM cards,” the report noted. “In the MENA underground, DDoS services can be purchased by hacktivists and threat actors to further their ideology.”
Furthermore, virtual private networks (VPNs) are a mainstay of cybercriminal activity and are purchased for the anonymity they provide. VPNs offered here are purportedly secure, don’t store logs, and have multiple hop points. Cyber-criminals will typically use these servers as either part of a botnet or a jump-off platform for further attacks, Trend Micro said.