If you are a cybercriminal, the best way to hide your illegal activities might be to carry them out from the safety of someone else's innocent computer or server. Now, thanks to a new online illegal marketplace, getting access to strangers' hacked servers is easier and cheaper than ever.
xDedic is an online marketplace hosted on the surface web where anyone can buy access to hacked servers from more than 170 countries, even those of a government agency or a big corporation, for as little as $6, security firm Kaspersky Lab revealed on Wednesday.
In the old days of cybercrime, when hackers wanted to hide their trails, they'd use servers hosted in bulletproof bunkers or lawless countries. These days, as a Symantec researcher told me a few weeks ago, they prefer to "hide in plain sight" and use hacked servers such as the ones they can buy access to on xDedic.
For example, in the last few weeks, the site was offering hacked servers belonging to Airbnb, Target, PayPal and others, according to Kaspersky.
The emergence of xDedic, as well as the seemingly unstoppable boom of ransomware, shows that cybercrime is becoming a well-organized, almost professionalized ecosystem.
"Cybercrime-as-a-service is expanding through the addition of commercial ecosystems and trading platforms," Costin Raiu, a security researcher at Kaspersky Lab, said in a press release. "Its existence makes it easier than ever for everyone, from low-skilled malicious attackers to nation-state backed APTs to engage in potentially devastating attacks in a way that is cheap, fast and effective."
The xDedic forum essentially allows cybercriminals to buy and sell credentials for hacked servers that run the Remote Desktop Protocol (RDP), which is used to connect to Windows servers from another location. As of Wednesday, there were more than 72,000 servers listed on xDedic, which Kaspersky believes has been run by a group of Russian hackers since 2014.
The website looks very professional, and if you weren't paying attention, it might not even look like an illegal marketplace. In the site's FAQ, the administrators pretend that there's nothing sketchy going on, saying the site is "only a marketplace to buy\sell RDPs. RDPs is uploaded by suppliers, and we dont [sic] know where they get them."
Yet, on the main page, the site advises members to always use anonymizing or obfuscating technologies such as VPNs or proxies when connecting to hacked servers to avoid the long arm of the law.
"RDP have logs inside, and your IP and your computer name is logged. So cops can find you very fast," the operators warn.
The site offers access to all kinds of servers, such as those of gaming, gambling and even dating sites. These can be turned into bots in botnets that launch DDoS attacks or spam campaigns, or used to host malware. All the hacked sites are categorized and tagged depending on what they are, where they're from, and what software they run, so miscreants have an easy way of choosing the ones they need.
Kaspersky Lab said law enforcement authorities are now aware of the site, but given its sudden popularity, there's a chance it will either attract more customers, or shut down and go underground to avoid too much unwanted attention.
UPDATE, June 15, 12:09 p.m.: As we suspected, the market has apparently shut down just a few minutes after we published this article, a few hours after Kaspersky Lab published its report.