Saturday, June 13, 2020

MagBo: new marketplace for compromised sites

    The dark web is not the only place to find dark things. As we've shown in the past, there are plenty of criminals operating on the clear web, often in places more open than you'd expect. This week, researchers from threat intelligence firm KELA released a report on a marketplace called MagBo.

    This particular site specializes in selling remote access to products such as compromised servers. If you've ever heard of xDedic, the popular shop for RDP access to compromised servers (until last year), you might think MagBo is doing the same thing. But the KELA researchers found that marketplaces have evolved beyond simply selling credentials or sitting around waiting for buyers. MagBo, and other sites like it, are being called Remote Access Markets (RAM).

    Products range from bulk credentials to fully compromised networks, and the marketplace itself is streamlining operations. In order to maximize profits, marketplaces have shifted to automated sales platforms, allowing buyers to get what they need quickly and giving the sellers more opportunity for higher sales volumes.

    These shifts in marketplace dynamics are not unique to MagBo, but something else is. It's very easy to start a marketplace, but incredibly difficult to make it successful, regardless of whether you're on the dark web or the clear web. So why did MagBo take off? Researchers noted that most marketplaces obfuscate the target of their products in order to prevent competitors from stealing their access, but not MagBo. They list everything in the clear. This allows the buyer to know what they are paying for and likely leads to a quicker sale. That level of transparency also allowed researchers greater insight into MagBo's products.

    Writers from ZDNet found listings for everything from small business web pages to government portals. Access is sold for targets across all major industries and the site's offerings are growing by the day. KELA estimates "between 200 and 400 new sites are being added on a daily basis, with around 200 being sold off." In its roughly two years of operation, MagBo has grown to include "over 28,000 servers totaling around $700,000 worth of goods." KELA was further able to identify 43,000 unique hostnames from historical data and they estimate around 150,000 unique websites have been offered for sale throughout MagBo's operation. Web shells are the most popular product available and "190 different threat actors currently have active listings on the market."

    So how do you find out if access to your organization is for sale on MagBo? That depends on who you know. It's an invitation-only marketplace, which means you either have to know someone on the inside or find someone who is selling an invite. The best thing you can do is make sure you are following security best practices, because with all of this visibility, MagBo may not last much longer, and it's just a matter of time before another marketplace takes its place.


Sources:

https://www.zdnet.com/article/a-cybercrime-store-is-selling-access-to-more-than-43000-hacked-servers/

https://ke-la.com/access-as-a-service-remote-access-markets-in-the-cybercrime-underground/