Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
Robtex (www.robtex.com)
It would be wise to spend a few minutes just hitting some of these sites and seeing what content they provide (if you’re not already familiar with them).
Underground Forums
Literally hundreds of websites host underground forums, where all of our BFFs post information in plain sight for the world to see (EP_0XFF, we know who you are), but without enough tangible evidence to allow them to actually be prosecuted. Once you register with some of these forums, you will get a great deal of information about the bad guys. It is up to you to get closer to them by building a reputation within their groups.
CAUTION
In these forums, you will need to use a nonproduction system, because you will find that some of them attempt to exploit you. Some of these sites are safe to surf, and others are not. They all change over time, so it is difficult to be sure which sites are infected and what they deliver, although malvertising has popped up here and there.
Some of these sites freely advertise the subleasing of botnet infrastructures, and some go so far as to specify individual organizations, enterprise networks, net blocks, and top-level domains (such as .gov, .mil, and gov.cn). You can even get close enough to see ratings of specific operators by previous customers and the operators’ service-level agreements. This is all quite interesting when trying to tie a threat to an individual or group. Most of these criminals live in countries that don’t respond well to law enforcement requests, so they post freely about what they do and how well they do it.
The following are some underground forums that may be useful. This list doesn’t include the URLs, but we hope you’ll do your own cyber sleuthing and look them up yourself. Just be cautious when visiting these sites.
Hack Forums
Kernelmode.info
opensc.ws
Wildersecurity
Zloy forums
l33t hackers
Linux-Hacker.net
Kosovo-hackers Group
Dmoz.org —Addressed SMB
Rootkit.com (before it was popped)