What is Underground Industry?<\/strong><\/h2>\nUnderground industry is a general name for a wide variety of behaviors which, using the Web as the media and aided by viruses, trojans, and other malicious tools, exploit vulnerabilities or other malicious means to control others’ computers, steal or illegitimately use user privileges and identities to obtain monetary benefits.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018143755.png\")
<\/a><\/p>\nIn the early phase, the underground industry only involved malicious behaviors of a small gang of people who had a wide range of knowledge.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018143756.png\")
<\/a><\/p>\nNow, the underground industry becomes much more sophisticated, as shown in the following figure. My God!!<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144500-1024x848.png\")
<\/a><\/p>\nHow Dark Is the Entire Underground Industry Chain?<\/strong><\/h2>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144540.png\")
<\/a><\/p>\nUnderground Industry Around Us<\/strong><\/h2>\nThe underground industry is not simply the web underground industry, but the entire vast and sophisticated chain of interests. Vulnerabilities and interests respectively serve as the media and fuels to keep the massive “black machine” to run.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144600.png\")
<\/a><\/p>\nMisuse of Internet Resources and Services<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144622.png\")
<\/a><\/p>\nTheft of Other Assets<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144700.png\")
<\/a><\/p>\nTheft of Virtual Assets<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144714.png\")
<\/a>Technique and Training<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144729.png\")
<\/a><\/p>\nBotnet<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144730.png\")
<\/a><\/p>\nSpam<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144731.png\")
<\/a><\/p>\nDDoS<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144732.png\")
<\/a><\/p>\n(A price list for launching DDoS attacks)<\/p>\n
Hidden Links <\/strong><\/h3>\nHidden links, as the name indicates, are a type of links added to other websites through improper means, i.e. by obtaining the webshell of the website through the exploitation of a website program vulnerability or a server vulnerability. Most of those websites are of governments and enterprises, which have a higher PageRank and weight, but are carelessly managed. Actually, hidden links are added with texts of the same color as the website background or through a hidden layer. Doing so means to be unnoticeable, but this comes under the suspicion of fooling search engines, making a cheating behavior. Why are hidden links so popular? A great number of hidden links in various forms are used by the Black Hat Search Engine Optimization (SEO) service. Such links are usually sold at an affordable price to webmasters. Industries using black links are mostly hot sectors (such as SF and healthcare industries), which are profiteering.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144733.png\")
<\/a><\/p>\n(A price list of hidden links)<\/p>\n
Information Market<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144734.png\")
<\/a><\/p>\n(Multiple personal directories are sold on the Internet.)<\/p>\n
<\/p>\n
Information obtained via the exploitation of certain vulnerabilities is of great value.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144735.png\")
<\/a><\/p>\n(Bank information obtained by exploiting vulnerability)<\/p>\n
Attempting Login with Stolen User Data<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144736.png\")
<\/a><\/p>\nAccount Scanner<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144737.png\")
<\/a><\/p>\n(Accounts and passwords obtained by scanners.)<\/p>\n
Phishing Attacks<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144738.png\")
<\/a><\/p>\n(A phishing site warning)<\/p>\n
0-day Deals<\/strong><\/h3>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144739.png\")
<\/a><\/p>\nAnalysis of Techniques Employed by the Underground Industry<\/strong><\/h1>\n![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144740.png\")
<\/a><\/p>\nTypical method 1: login with stolen user data + account scanning<\/strong><\/h2>\nTechniques: SQL injection\/upload, authentication bypass, and restriction function missing<\/p>\n
Scenario: large- and medium-sized e-commerce websites with the voucher function<\/p>\n
Exploitation difficulty: \u2605<\/p>\n
Loss caused: \u2605\u2605\u2605\u2605<\/p>\n
Exploitation procedure:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144741.png\")
<\/a><\/p>\nIn early years, for a good user experience, most e-commerce websites neither asked users to type the authentication code for the initial login, nor detected or restricted massive login attempts from individual IP addresses.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144742.png\")
<\/a><\/p>\nWith fake consignees, hackers can use vouchers or reward points. From a medium-sized e-commerce website with about 500,000 registered users, attackers may steal around 2000 accounts with a voucher, making a profit of approximately CNY 100,000. Such attack events can make direct reputation damage and economic loss to e-commerce websites.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144743.png\")
<\/a><\/p>\nTypical method 2: order hijacking<\/strong><\/h2>\nTechnique: direct object reference<\/p>\n
Scenario: change of delivery addresses on e-commerce websites<\/p>\n
Exploitation difficulty: \u2605<\/p>\n
Loss caused: \u2605\u2605\u2605\u2605<\/p>\n
Exploitation procedure:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144744-1024x217.png\")
<\/a><\/p>\nAllowing to change delivery addresses is kind of ridiculous function \u2026<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144745.png\")
<\/a><\/p>\n(Addresses can be modified in Address Management function.)<\/p>\n
Typical method 3: cross-site scripting (XSS) with redirections<\/strong><\/h2>\nTechnique: XSS<\/p>\n
Scenario: certain e-commerce websites<\/p>\n
Exploitation difficulty: \u2605\u2605\u2605\u2605<\/p>\n
Loss caused: \u2605\u2605\u2605<\/p>\n
Exploitation procedure:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144746-1024x265.png\")
<\/a><\/p>\nPlease think twice before you click short domain names, such as<\/p>\n
http:\/\/mcs.paipai.com\/RWsiZVpoe<\/strong><\/a><\/p>\nOtherwise, a 302 error will occur, directing you to the following link:<\/p>\n
http:\/\/shop1.paipai.com\/cgi-bin\/shopmsg\/showshopmsg?shopId=2622893717&page=1&iPageSize=1&t=0.8497088223518993&g_tk=2019233269&g_ty=ls&PTAG=40012.5.9<\/strong><\/a><\/p>\nThe preceding link references the QQ nickname of the shop owner and contains the web page code without filtering. The following figure shows the QQ nickname of the shop owner.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144547.png\")
<\/a><\/p>\nClicking the link contained in the nickname displays the source code as follows:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144748.png\")
<\/a><\/p>\nA redirection of the short domain name displays the most malicious code as follows:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144749.png\")
<\/a><\/p>\nVia DOM-based cross-site scripting, the attacker embeds an iframe tag in the paipai web page. Due to the JavaScript’s same-origin policy, the code will manipulate paipai cookies and send them to my.tuzihost.com. After collecting such cookies, the attacker can directly access paipai.com in the context of a victim.<\/p>\n
Since some websites rely on JavaScript for cookie operations and web page access analysis, the HttpOnly property cookies is left unconfigured.<\/p>\n
Typical method 4: phishing<\/strong><\/h2>\nTechnique: ingenious ideas<\/p>\n
Scenario: anywhere<\/p>\n
Exploitation difficulty:<\/p>\n
Loss caused: \u2605\u2605\u2605<\/p>\n
Exploitation procedure:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144750.png\")
<\/a><\/p>\nFor phishing, what really matters is how to take advantage of human weaknesses, while the choice of attack techniques is irrelevant.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144751.png\")
<\/a><\/p>\nGenerally, such attacks have complete functions, such as a backend management system.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144752.png\")
<\/a><\/p>\nSometimes, attackers fight with each other, somewhat like big fish swallowing little fish.<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144753.png\")
<\/a><\/p>\nTypical method 5: open-source getshell<\/strong><\/h2>\nTechnique: unknown<\/p>\n
Exploitation scenario: all websites that are developed rapidly based on source code<\/p>\n
Exploitation difficulty: \u2605\u2605\u2605\u2605\u2605<\/p>\n
Loss caused: \u2605\u2605\u2605\u2605\u2605<\/p>\n
Exploitation procedure:<\/p>\n
![\"\"](\"https:\/\/staging.nsfocusglobal.com\/wp-content\/uploads\/2017\/10\/20171018144754.png\")
<\/a><\/p>\nThe price paid for rapid development is devoting more time into vulnerability remediation.<\/p>\n
<\/a><\/p>\nIn the early phase, the underground industry only involved malicious behaviors of a small gang of people who had a wide range of knowledge.<\/p>\n
Now, the underground industry becomes much more sophisticated, as shown in the following figure. My God!!<\/p>\n The underground industry is not simply the web underground industry, but the entire vast and sophisticated chain of interests. Vulnerabilities and interests respectively serve as the media and fuels to keep the massive “black machine” to run.<\/p>\n (A price list for launching DDoS attacks)<\/p>\n Hidden links, as the name indicates, are a type of links added to other websites through improper means, i.e. by obtaining the webshell of the website through the exploitation of a website program vulnerability or a server vulnerability. Most of those websites are of governments and enterprises, which have a higher PageRank and weight, but are carelessly managed. Actually, hidden links are added with texts of the same color as the website background or through a hidden layer. Doing so means to be unnoticeable, but this comes under the suspicion of fooling search engines, making a cheating behavior. Why are hidden links so popular? A great number of hidden links in various forms are used by the Black Hat Search Engine Optimization (SEO) service. Such links are usually sold at an affordable price to webmasters. Industries using black links are mostly hot sectors (such as SF and healthcare industries), which are profiteering.<\/p>\n (A price list of hidden links)<\/p>\n (Multiple personal directories are sold on the Internet.)<\/p>\n <\/p>\n Information obtained via the exploitation of certain vulnerabilities is of great value.<\/p>\n (Bank information obtained by exploiting vulnerability)<\/p>\n (Accounts and passwords obtained by scanners.)<\/p>\n (A phishing site warning)<\/p>\n Techniques: SQL injection\/upload, authentication bypass, and restriction function missing<\/p>\n Scenario: large- and medium-sized e-commerce websites with the voucher function<\/p>\n Exploitation difficulty: \u2605<\/p>\n Loss caused: \u2605\u2605\u2605\u2605<\/p>\n Exploitation procedure:<\/p>\n In early years, for a good user experience, most e-commerce websites neither asked users to type the authentication code for the initial login, nor detected or restricted massive login attempts from individual IP addresses.<\/p>\n With fake consignees, hackers can use vouchers or reward points. From a medium-sized e-commerce website with about 500,000 registered users, attackers may steal around 2000 accounts with a voucher, making a profit of approximately CNY 100,000. Such attack events can make direct reputation damage and economic loss to e-commerce websites.<\/p>\n Technique: direct object reference<\/p>\n Scenario: change of delivery addresses on e-commerce websites<\/p>\n Exploitation difficulty: \u2605<\/p>\n Loss caused: \u2605\u2605\u2605\u2605<\/p>\n Exploitation procedure:<\/p>\n Allowing to change delivery addresses is kind of ridiculous function \u2026<\/p>\n (Addresses can be modified in Address Management function.)<\/p>\n Technique: XSS<\/p>\n Scenario: certain e-commerce websites<\/p>\n Exploitation difficulty: \u2605\u2605\u2605\u2605<\/p>\n Loss caused: \u2605\u2605\u2605<\/p>\n Exploitation procedure:<\/p>\n Please think twice before you click short domain names, such as<\/p>\n http:\/\/mcs.paipai.com\/RWsiZVpoe<\/strong><\/a><\/p>\n Otherwise, a 302 error will occur, directing you to the following link:<\/p>\n http:\/\/shop1.paipai.com\/cgi-bin\/shopmsg\/showshopmsg?shopId=2622893717&page=1&iPageSize=1&t=0.8497088223518993&g_tk=2019233269&g_ty=ls&PTAG=40012.5.9<\/strong><\/a><\/p>\n The preceding link references the QQ nickname of the shop owner and contains the web page code without filtering. The following figure shows the QQ nickname of the shop owner.<\/p>\n Clicking the link contained in the nickname displays the source code as follows:<\/p>\n A redirection of the short domain name displays the most malicious code as follows:<\/p>\n Via DOM-based cross-site scripting, the attacker embeds an iframe tag in the paipai web page. Due to the JavaScript’s same-origin policy, the code will manipulate paipai cookies and send them to my.tuzihost.com. After collecting such cookies, the attacker can directly access paipai.com in the context of a victim.<\/p>\n Since some websites rely on JavaScript for cookie operations and web page access analysis, the HttpOnly property cookies is left unconfigured.<\/p>\n Technique: ingenious ideas<\/p>\n Scenario: anywhere<\/p>\n Exploitation difficulty:<\/p>\n Loss caused: \u2605\u2605\u2605<\/p>\n Exploitation procedure:<\/p>\n For phishing, what really matters is how to take advantage of human weaknesses, while the choice of attack techniques is irrelevant.<\/p>\n Generally, such attacks have complete functions, such as a backend management system.<\/p>\n Sometimes, attackers fight with each other, somewhat like big fish swallowing little fish.<\/p>\n Technique: unknown<\/p>\n Exploitation scenario: all websites that are developed rapidly based on source code<\/p>\n Exploitation difficulty: \u2605\u2605\u2605\u2605\u2605<\/p>\n Loss caused: \u2605\u2605\u2605\u2605\u2605<\/p>\n Exploitation procedure:<\/p>\n The price paid for rapid development is devoting more time into vulnerability remediation.<\/p>\n<\/a><\/p>\n<\/a><\/p>\nHow Dark Is the Entire Underground Industry Chain?<\/strong><\/h2>\n
<\/a><\/p>\nUnderground Industry Around Us<\/strong><\/h2>\n
<\/a><\/p>\nMisuse of Internet Resources and Services<\/strong><\/h3>\n
<\/a><\/p>\nTheft of Other Assets<\/strong><\/h3>\n
<\/a><\/p>\nTheft of Virtual Assets<\/strong><\/h3>\n
<\/a>Technique and Training<\/strong><\/h3>\n<\/a><\/p>\nBotnet<\/strong><\/h3>\n
<\/a><\/p>\nSpam<\/strong><\/h3>\n
<\/a><\/p>\nDDoS<\/strong><\/h3>\n
<\/a><\/p>\nHidden Links <\/strong><\/h3>\n
<\/a><\/p>\nInformation Market<\/strong><\/h3>\n
<\/a><\/p>\n<\/a><\/p>\nAttempting Login with Stolen User Data<\/strong><\/h3>\n
<\/a><\/p>\nAccount Scanner<\/strong><\/h3>\n
<\/a><\/p>\nPhishing Attacks<\/strong><\/h3>\n
<\/a><\/p>\n0-day Deals<\/strong><\/h3>\n
<\/a><\/p>\nAnalysis of Techniques Employed by the Underground Industry<\/strong><\/h1>\n
<\/a><\/p>\nTypical method 1: login with stolen user data + account scanning<\/strong><\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nTypical method 2: order hijacking<\/strong><\/h2>\n
<\/a><\/p>\n<\/a><\/p>\nTypical method 3: cross-site scripting (XSS) with redirections<\/strong><\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nTypical method 4: phishing<\/strong><\/h2>\n
<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\n<\/a><\/p>\nTypical method 5: open-source getshell<\/strong><\/h2>\n
<\/a><\/p>\n