Being a cyber criminal is becoming even easier as barriers to entry continue to be lowered. Digital Shadows’ research into deer.io, the site that hosted darkside.global, shows how this is playing out and what it means for security professionals.
Darkside.global is the URL of a shop associated with cybercriminal Tessa88 who has distributed leaked datasets from various social networking sites including MySpace and LinkedIn. Digital Shadows conducted research following the identification of darkside.global, and we decided to take a closer look into deer.io, the Russian-language site that hosted the shop. Our analysis provides insights into the broader cybercrime ecosystem which can help organizations better understand, mitigate and contain the effects of cybercrime.
A Look Inside
Deer.io offers an all-in-one outsourced online shop: providing hosting, design (based on WordPress-like templates) and a payment solution. The service appears to have been active since at least Oct 2013 and, at the time of this writing, claimed that its users have profited from over 240 million roubles (RUB) (approximately $3.8 million). We estimate the total number of shops hosted on the service to be close to 1,000. However, because some are hosted on separate domains and some as subdomains (i.e., shopname[.]deer[.]io), there are potentially a significant number of duplicates or mirrors.
Deer.io claims to offer technical hosting including anonymity and security, payment handling, website design and distributed denial of service (DDoS) protection. In so doing, it attracts users with low-technical capabilities who would find it challenging to orchestrate these services themselves. Furthermore, the automatic payment system provided – available for Webmoney, Yandex Money and QIWI – enables transactions to occur 24/7 without requiring constant vendor attention. Deer.io charges a monthly fee of 500 RUB (approximately $8) to provide customer service and product development, and was observed providing prompt responses to queries. The breadth of offerings and responsiveness almost certainly contribute to the apparent popularity of the service.
Figure 1 – The deer[.]io logo and tagline: “The right choice for creating your internet shop”
The majority of the shops hosted on deer.io sell products that are stolen, or from compromised accounts. Additionally there are a number of products that would not be compliant with many sites’ terms and conditions. Typical items offered for sale include the following (listed in relative order of quantity):
- Bot-registered social media accounts (usually sold in bulk), typically with the intent of supporting social media spam and artificially increasing the popularity of other accounts/posts.
- Stolen, legitimate social media accounts, which are advertised in small quantity but at higher prices compared to bot-registered accounts.
- A number of sites advertise “coupons” to services that artificially increase the popularity of social media accounts or posts; the most commonly seen focus on VK[.]com (VKontakte), ok[.]ru (Odnoklassniki), Instagram and Facebook.
- Stolen accounts from other services including banks, payment, gift and loyalty cards, and Uber.
- Dedicated servers (mostly Azure and AWS) and domain names available for sale.
[Note: A few shops did not fit the general trends, for example a “tennis score predictions” service.]
The platform offers prospective users the opportunity to login to a test shop to see how it operates from the inside. We were able to login and investigate and found what we consider to be a well-designed, simple user interface that allowed users to easily control and monitor their products, view shop statistics, review payments and shop design, and even ban visitors.
Figure 2 – The dashboard view where users edit their shop and contents
Deer.io’s popularity is assessed as likely to remain high for the foreseeable future. A factor that would indicate it could be targeted by law enforcement, though there was no indication of this occurring to date. Deer.io appears to take a proactive approach to service and functionality development and is, therefore, assessed as likely to improve over time. In fact, Alexa, the website monitoring service, reports in the last 12 months that the site has climbed by approximately 35,000 positions in the global website popularity ranking (currently 64,072 globally and 3,699 in Russia), although dropped 20,000 positions in the last quarter.
Figure 3 – A graph highlighting the global popularity of deer[.]io according to Alexa
While Deer.io does not appear to be a criminal site itself, many of the shops hosted on their infrastructure appear to be criminal. The administrators of deer.io warn their hosted shops not to sell illegal goods and deny all responsibility for any illegal items advertised. The service provides a “Report site” option, and detected blog conversations suggest that certain products (including banking and payment card details) may be removed. Nonetheless, it is assessed as likely that the site administrators are willing to ignore some activity and listings. Deer.io was detected as advertised on well-known criminal forums such as Xeksek (see below), AntiChat, Zloy and Exploit, and deer.io recommends that its users publicize their shops on these sites as well.
Figure 4 – deer.io advertised on Xeksek
Lowering the Barrier to Entry
Deer.io’s existence is a continuation of a trend of lowering the barrier to entry into the cybercriminal world. We have previously observed similar developments such as DDoS-as-a-service and the rental of exploit kits. The services offered by deer.io are not unique; a smaller venture primarily offering the sale of gaming accounts and a marketplace for those providing malware crypting services are also advertised. While this shows an increased level of maturity in the marketplace, it is also interesting due to its apparent mimicry of similar, legitimate ecommerce services.
So what does this mean for organizations? Just when you thought it couldn’t get any easier, cybercriminals are now experiencing even lower barriers to entry. While this trend is not necessarily new, the fact that all of these support services are wrapped into a one-stop shop marks a change. Moreover, amid constant hype surrounding the dark web, it is important to note that this exists on the surface web. It’s a reminder that the dark web does not monopolize criminality.
Organizations can be impacted more directly, too. For example, we alerted a global airline company to their user accounts being sold on one deer.io domain. For organizations that are mentioned in deer.io shops, gaining awareness can allow them to help mitigate and contain the effects.