Two weeks ago Kaspersky Lab security researchers published a report on xDedic, a shadow market where access to compromised servers is sold.
An online marketplace of hacked servers
On June 15, 2016, Kaspersky Lab published a report on xDedic. Dedic, short for dedicated server, is a term used on Russian forums to describe a computer remotely controlled by a hacker and made available to other users who may or may not be well-meaning. This platform seems to have been online since October 2014.
xDedic is a very specific market: this platform sells access to more than 176,000 compromised servers, and enables black hats and other malicious actors to meet each other on a real eBay of cybercrime.
These servers, pre-equipped by software vendors to carry out DDoS attacks, launch spam campaigns, illegally mine bitcoins or compromise online payment systems, are provided as turnkey solutions to hackers.
Software already present on a server before it was hacked can also be very useful to hackers, so servers that were used for online betting, accounting or tax returns before being compromised are preferred.
According to the researchers at Kaspersky Lab, the forum is maintained by Russian speakers. They do not sell the servers themselves, but simply provide the platform to sellers and take a 5% commission on each sale. Diversity is the order of the day: one can find access to government computers as well as company or university networks, in over 173 countries, of course without the knowledge of the owners of these machines.
Most striking: the price of a server located in the governmental network of a country in the European Union is only $7 (6 euros). Prices range from 6 to 6,000 dollars (5,400 euros), but on average fall between 7 and 8 dollars (7 euros). Only 50 servers have a price above 50 dollars (45 euros), according to Kaspersky Lab. Once the price is paid, the buyer has access to all data stored on the server and can then use that server to create botnets or launch phishing campaigns.
But it is not only the price that makes xDedic a particularly accessible buying platform. The creators of this forum make further features and mechanisms available to sellers: special tools for patching hacked servers to allow multiple users to connect to them using remote control software, real-time technical support services, profiling tools that download information from the hacked servers directly into the xDedic database, and so on. The owners of the market are therefore trying to provide quality service by providing “customer follow-up.”
The United States is the first target
When they discovered this platform, Kaspersky Lab researchers estimated the number of servers to be 70,000; shortly after the report was issued by the Russian company, the market was closed by its owners, who preferred to hide their activities. Kaspersky Lab then received new information indicating that the number of servers between October 2014 and February 2016 was actually closer to 176,000.
This information, which came from an anonymous individual, was carefully checked; it propels the United States to the top of the list of affected countries with more than 60,000 servers, followed by the United Kingdom (8,800), Brazil (8,770), Canada, France, Spain, Australia, Russia, Italy and Germany (5,000). These differences from the first ranking (obtained through information available directly on the website), which put Brazil in first place and removed the United States, Canada and Great Britain, come from the fact that the most interesting servers are sold the fastest.
A new xDedic?
This market made the work of hackers a lot easier, and we can assume there will be successors, if not this market itself, back in business and better hidden this time. Our services have also detected threads that indicate xDedic has resumed operations. These threads claim to explain, in Russian and English, the maneuvers required to reach the new xDedic address inside the Tor network, but they may just as well hide a scam to collect bitcoins or servers. In the meantime, one of the first results of the Google query “xDedic” provides direct access to this site. Scam, provocation or rebirth of the platform?