Past and Present of Underground Network Industry

Past and Present of Underground Network Industry

outubro 19, 2017 | Adeline Zhang

The underground network industry has a long history and extensive coverage. What happened throughout its history?

This document presents the definition, category, means, and examples of the underground network industry, as well as protection measures.


What is Underground Industry?

Underground industry is a general name for a wide variety of behaviors which, using the Web as the media and aided by viruses, trojans, and other malicious tools, exploit vulnerabilities or other malicious means to control others’ computers, steal or illegitimately use user privileges and identities to obtain monetary benefits.

In the early phase, the underground industry only involved malicious behaviors of a small gang of people who had a wide range of knowledge.

Now, the underground industry becomes much more sophisticated, as shown in the following figure. My God!!

How Dark Is the Entire Underground Industry Chain?

Underground Industry Around Us

The underground industry is not simply the web underground industry, but the entire vast and sophisticated chain of interests. Vulnerabilities and interests respectively serve as the media and fuels to keep the massive “black machine” to run.

Misuse of Internet Resources and Services

Theft of Other Assets

Theft of Virtual Assets

Technique and Training




(A price list for launching DDoS attacks)

Hidden Links

Hidden links, as the name indicates, are a type of links added to other websites through improper means, i.e. by obtaining the webshell of the website through the exploitation of a website program vulnerability or a server vulnerability. Most of those websites are of governments and enterprises, which have a higher PageRank and weight, but are carelessly managed. Actually, hidden links are added with texts of the same color as the website background or through a hidden layer. Doing so means to be unnoticeable, but this comes under the suspicion of fooling search engines, making a cheating behavior. Why are hidden links so popular? A great number of hidden links in various forms are used by the Black Hat Search Engine Optimization (SEO) service. Such links are usually sold at an affordable price to webmasters. Industries using black links are mostly hot sectors (such as SF and healthcare industries), which are profiteering.

(A price list of hidden links)

Information Market

(Multiple personal directories are sold on the Internet.)


Information obtained via the exploitation of certain vulnerabilities is of great value.

(Bank information obtained by exploiting vulnerability)

Attempting Login with Stolen User Data

Account Scanner

(Accounts and passwords obtained by scanners.)

Phishing Attacks

(A phishing site warning)

0-day Deals

Analysis of Techniques Employed by the Underground Industry

Typical method 1: login with stolen user data + account scanning

Techniques: SQL injection/upload, authentication bypass, and restriction function missing

Scenario: large- and medium-sized e-commerce websites with the voucher function

Exploitation difficulty: ★

Loss caused: ★★★★

Exploitation procedure:

In early years, for a good user experience, most e-commerce websites neither asked users to type the authentication code for the initial login, nor detected or restricted massive login attempts from individual IP addresses.

With fake consignees, hackers can use vouchers or reward points. From a medium-sized e-commerce website with about 500,000 registered users, attackers may steal around 2000 accounts with a voucher, making a profit of approximately CNY 100,000. Such attack events can make direct reputation damage and economic loss to e-commerce websites.

Typical method 2: order hijacking

Technique: direct object reference

Scenario: change of delivery addresses on e-commerce websites

Exploitation difficulty: ★

Loss caused: ★★★★

Exploitation procedure:

Allowing to change delivery addresses is kind of ridiculous function …

(Addresses can be modified in Address Management function.)

Typical method 3: cross-site scripting (XSS) with redirections

Technique: XSS

Scenario: certain e-commerce websites

Exploitation difficulty: ★★★★

Loss caused: ★★★

Exploitation procedure:

Please think twice before you click short domain names, such as

Otherwise, a 302 error will occur, directing you to the following link:

The preceding link references the QQ nickname of the shop owner and contains the web page code without filtering. The following figure shows the QQ nickname of the shop owner.

Clicking the link contained in the nickname displays the source code as follows:

A redirection of the short domain name displays the most malicious code as follows:

Via DOM-based cross-site scripting, the attacker embeds an iframe tag in the paipai web page. Due to the JavaScript’s same-origin policy, the code will manipulate paipai cookies and send them to After collecting such cookies, the attacker can directly access in the context of a victim.

Since some websites rely on JavaScript for cookie operations and web page access analysis, the HttpOnly property cookies is left unconfigured.

Typical method 4: phishing

Technique: ingenious ideas

Scenario: anywhere

Exploitation difficulty:

Loss caused: ★★★

Exploitation procedure:

For phishing, what really matters is how to take advantage of human weaknesses, while the choice of attack techniques is irrelevant.

Generally, such attacks have complete functions, such as a backend management system.

Sometimes, attackers fight with each other, somewhat like big fish swallowing little fish.

Typical method 5: open-source getshell

Technique: unknown

Exploitation scenario: all websites that are developed rapidly based on source code

Exploitation difficulty: ★★★★★

Loss caused: ★★★★★

Exploitation procedure:

The price paid for rapid development is devoting more time into vulnerability remediation.

(A vulnerability database, showing that lots of vulnerabilities exist in rapidly developed systems)

Protection Measures