Researchers have discovered that a new bug detection service is being offered in underground online communities where ill-gotten user credentials and malware are bought and sold.
The service entails finding buggy PHP -- a programming code of choice among fraudsters -- and a range of other vulnerabilities that could allow an attacker to wreak havoc on another hacker's infrastructure.
RSA cyber intelligence head Idan Ahoroni said a Russian fraudster began offering the service in the last couple of weeks.
"Cyber criminals need to protect their assets just as any legitimate organisations would,” Ahoroni said.
"As fraudsters become more sophisticated, it's gotten to the point that they need a new type of service to make sure that their infrastructure is safe and nobody is taking advantage of [it],"
Fees for discovering vulnerabilities ranged from $20 to $150 for flaws allowing code execution in small scripts.
Miscreants have increased precautions to keep their activity hidden. For instance, suppliers of stolen credit card credentials were now listed under a business name rather than a personal moniker.
“Now, they usually use the name of the store like an official customer support [service],” Ahoroni said. “Potential buyers are only exposed to the specific supplier.”
Many black market services, like buying credit card details, have become automated, so buyers and sellers never have to speak to one another unless there is a service issue, Ahoroni added.
While it's not surprising that cyber criminals are seeking out options to secure their operations, especially since they are often vulnerable to being attacked by competitors or others in the black market – it is noteworthy that fraudsters are considering their peers for the job.
Deception to leverage power plays in the underground market has been ample, but in 2006, one of the more memorable cases occurred.
Max Butler, the operator of the now defunct site CardersMarket, infamously hacked into the databases of competitor boards to consolidate members' information into one board that he managed. In 2010, Butler was sentenced to 13 years in federal prison for hacking financial institutions and selling the stolen data.