Researchers at Kaspersky Lab have discovered that an underground marketplace is selling access to more than 70,000 compromised government and private RDP servers located across 173 countries for as little as $6 and $8 each.
The online market, called xDedic, is described as an eBay for criminals. The security firm said it appeared to be run by a Russian-speaking group that earns a commission from every transaction that takes place.
"It’s a marketplace similar to eBay where people can trade information about cracked servers," said Costin Raiu, head of global research at Kaspersky Lab. "The forum owners verify the quality of the hacked data and charge a commission of 5 percent for transactions."
Kaspersky jointly investigated the marketplace with an unnamed European internet service provider. The Russian company had received a tipoff about xDedic from the same ISP back in March of this year.
The researchers said that purchasing access to one of the servers also gave buyers a number of hacking tools that would allow them to launch denial-of-service attacks on businesses, steal credit card details, mine bitcoins, distribute spam and malware, or compromise online or retail payment systems.
In addition to providing access to email credentials, the servers allowed access to interior and foreign ministries, universities, town halls, and commerce departments. Others hosted or allowed access to consumer websites, including those used for gambling, retail, dating, and banking.
“Stolen credentials are just one aspect of the cybercrime business,” Raiu told Reuters in an interview. “In reality, there is a lot more going on in the underground. These things are all interconnected.”
Brazil was found to be the country where most of the servers are located – around 6000. China has the second largest number, about 5000, and Russia has just under that amount. The US wasn’t in the top 10 countries, which made up 49 percent of the RDPs on the market.
While it didn’t give out any names, Kaspersky said that some of the compromised servers included those used by a US aerospace firm and banks in the US, Philippines, Kazakhstan, Jordan, Ghana, Cyprus, South Korea and Saudi Arabia.
Kaspersky has notified Interpol about the marketplace and begun alerting those organizations that have servers for sale on xDedic. It has also notified Computer Emergency Response Teams in several countries.