Bot Marketplaces as a Source of Future Data Breaches

The criminal underground is rife with marketplaces – attackers interested in malware, stolen financial and healthcare data, or hacking tools don’t have to look hard to find a willing seller. As adversaries increasingly rely on stolen passwords or compromised login credentials to carry out their cyberattacks, many are shopping on bot markets, security analytics company Cognyte says in a new report.

Bot markets are automated stores that sell stolen login credentials – and Cognyte identified four of the most active bot marketplaces in 2021: 2easy, Amigos, Genesis, and Russian Market. Of the nearly 5.3 million login credentials stolen between 2019 and 2021 that Cognyte looked at as part of its research, 73% were collected in 2021, Cognyte says. The majority of the login credentials offered for sale in 2021 were on the Russian Market, at 71%.

Last year’s data breach at video game publisher Electronic Arts, which exposed sensitive data and the source code for the video game FIFA 21, was reportedly the result of an attacker purchasing access to the company’s internal Slack environment from Genesis Market. The attacker reportedly spent $10 for a Slack credential and, once in, convinced corporate IT to grant access to the rest of the internal network. In Cognyte’s research, Genesis Market accounted for just 5% of login credentials being sold on bot markets in 2021.

Genesis sold 20,000 to 30,000 login credentials each month for most of 2020 and 2021 – its peak was in January 2020, when 52,004 records were offered for sale.

Infostealers supply the stolen wares on these bot markets, Cognyte says. Infostealers are malware designed to collect specific pieces of information from the infected system, such as username and passwords to the system, credentials used to access applications, login information for websites, payment card details, and cryptocurrency wallets. Some infostealers can collect fingerprint information about the compromised system, such as the type of hardware and software applications installed, IP address, and configuration settings, which the attacker can use to masquerade as the compromised system.

Not all markets expose which stealers are behind the login credentials available for sale, but Cognyte’s analysis highlights five most active ones: AZORult, Racoon, Redline, Taurus, and Vidar. These infostealers are sold on criminal forums and are available at prices ranging from a few dollars to hundreds of dollars. Some even offer a subscription model.  

Usage of the infostealers varied throughout the year, Cognyte says. At the beginning of 2021, Vidar was the most used infostealer, followed by Taurus. Racoon was mainly used in March 2021, with 152,508 records. Redline became more widely used in April and has maintained its status as the most-used infostealer. In 2021, Redline provided 32% of the login credentials that was analyzed.

“Due to the malware’s accessibility and reliability, we believe we will keep seeing it as a prime source on the bot markets in the future,” the researchers say.