xDedic hacked server market makes a comeback online
The xDedic market, a website that offered access to hacked servers for as little as $6, has resurfaced online. This time it has appeared on a Tor network domain, with a new $50 USD enrolment fee.
xDedic's original domain (xdedic[.]biz) went down last month on June 15, right after security firm Kaspersky Lab publicly exposed it. The report from Kaspersky Lab explained how xDedic provided a platform for the sale of compromised RDP servers. At the time of the report, more than 70,000 hacked servers from governments, businesses and universities had been sold through the site for as little as $6 in the two years it was in operation, and the website was doing brisk business.
Kaspersky Lab reported its findings to law enforcement agencies and said that “several major” internet service providers helped shut the site down.
But after a brief interruption, the makers of xDedic have been quick to revive the marketplace, security firm Digital Shadows said on Tuesday.
Researchers at Digital Shadows reported that a June 24 post to the Russian-language forum, exploit[.]in, included a link to the .onion site now hosting xDedic.
“The new xDedic site was found to be identical in design to the previous site and although discussion in the exploit[.]in thread indicated that accounts on the previous site had not been transferred to the new site, accounts could be freely registered,” Digital Shadows wrote in an incident report shared with Threatpost. “However, following registration, accounts had to be credited with $50 USD in order to activate them.”
It’s still not known how many users the revived xDedic site currently has, but the previous site attracted 30,000 users a month, Digital Shadows said.
CTO and co-founder James Chappell said the domain had also been shared on a French-language dark web site.
“They’re upping their operational security a bit, but they’re obviously in a tricky place,” Chappell told Threatpost. “They’ve got to advertise it. You can’t find it by browsing; they have to publish the link to point users to it. There is an interesting tension here, they have to promote their services, but don’t want to slip up and reveal their identity. It’s a tricky balance marketing their services and hoping word of mouth will do the work for them.”
Kaspersky Lab researchers worked with a European ISP to collect data used to investigate xDedic. The security firm said that the market began in 2014 and rapidly grew to the 70,000 hacked servers from 173 countries it was advertising this spring.
Buyers were able to check a list of available servers, each entry offering specific details on system information, whether admin privileges are available, antivirus running on the machine, browsers, uptime information, download and upload speeds, and the price and location. xDedic marketed itself as a medium for getting affiliates together, taking a percentage of the money involved as its cut.
“We are aware of reports of the return of xDedic and are monitoring the situation,” Kaspersky Lab said in a statement. “We have a policy to share the findings of cybercriminal research with the relevant law enforcement agencies, and we have already done so in the case of xDedic.”
Kaspersky Lab has called the site a “hacker’s dream.” With cheap access to so many compromised servers, a buyer could use them to send out spam, steal data, or launch other cyberattacks. At the time of its shutdown, the list of hacked servers on the original xDedic spanned industries such as banking, dating and gambling websites, online shopping sites and ad networks.
Sometimes buyers searched for particular software running on a server, with particular interest shown in mass emailing software for spam campaigns, point-of-sale installations, and accounting or tax preparation software. The possibilities for theft and fraud via this forum are infinite.
According to some evidence, the xDedic site had actually sold access to as many as 170,000 servers, with the bulk of them located in the U.S. Kaspersky Lab has been alerting victims who were found to be affected.