New Dark Web Market Is Selling Zero-Day Exploits
Sparrowvsrevolution writes Over the last month, a marketplace calling itself TheRealDeal Market has emerged on the dark web, with a focus on sales of hackers' zero-day attack methods. Like the Silk Road and its online black market successors like Agora and the recently defunct Evolution, TheRealDeal runs as a Tor hidden service and uses bitcoin to hide the identities of its buyers, sellers, and administrators. But while some other sites have sold only basic, low-level hacking tools and stolen financial details, TheRealDeal's creators say they're looking to broker premium hacker data like zero-days, source code, and hacking services, often offered on an exclusive, one-time sale basis.
Currently an iCloud exploit is being offered for sale on the site with a price tag of $17,000 in bitcoin, claiming to be a new method of hacking Apple iCloud accounts. "Any account can be accessed with a malicious request from a proxy account," reads the description. "Please arrange a demonstration using my service listing to hack an account of your choice." Others include a technique to hack WordPress' multisite configuration, an exploit against Android's Webview stock browser, and an Internet Explorer attack that claims to work on Windows XP, Windows Vista and Windows 7, available for around $8,000 in bitcoin. None of these zero days have yet been proven to be real, but an escrow system on the site using bitcoin's multisignature transaction feature is designed to prevent scammers from selling fake exploits.
first (Score:2)
This sounds like a honeypot to me..
Re:first (Score:4, Insightful)
Perhaps the vendors themselves should buy the exploits. Perhaps, it's not that different than a bounty program except for the fact that market pricing would determine the value of a vulnerability (and the lack of nobility in the mercenary nature of the process).
Re: (Score:1)
Really! 'Dark Web'... Hollywood invades the Internet! It's not like I'm sexist or anything, but how come guys have to keep proving how dumb they are? Broken Beer Bottles here too...
Re: (Score:3)
This sounds like a honeypot to me..
Especially when selling 0-days isn't actually illegal in most circumstances, only rather shady. Researchers do deals all the time. Total anonymity on one or both sides doesn't really help anyone. Hell, it's so commonplace they have discussed it on NPR: http://www.npr.org/blogs/money... [npr.org]
If anything this is just a new way to scam people out of money or to ferret out security researchers for further recruitment/waterboarding by the CIA.
Re:Who cares (Score:5, Insightful)
The danger presented by script kitties and hackers is much more likely to actually affect your life and property.
Re: (Score:1)
script kitties
I'm in ur boxen h4xxin ur scripts.
|\_/|
`o.o'
=(_)=
U
Re: (Score:3)
Re: (Score:2)
The danger the NSA presents is largely symbolic and philosophical.
This is not quite true. The NSA is a HUGE threat. While they are currently focused on hacking/spying on Pakistan, they have undermined many technologies that leave everyone vulnerable.
Re: (Score:2)
Re: (Score:2)
even within that, the threat passes right through hackers again.
when someone shoves you into a pit of snakes, are you angry at the snake that bites you?
First thoughts... (Score:2, Interesting)
At first I realized even on the darknet, and for exploits, Apple commands a price premium. Hopefully the exploit is well polished and deserves this premium. Second, the site uses a multiple signature escrow system to assure an exploit is real. The presumption being the site is real and is not itself a means to pirate Bitcoin by them being put in escrow.
Re: (Score:1)
Second, the site uses a multiple signature escrow system to assure an exploit is real. The presumption being the site is real and is not itself a means to pirate Bitcoin by them being put in escrow.
Any idea how that works? The only way I know of to produce partial keys has one person entirely in charge, which wouldn't work for an untrusted escrow service.
And unlike most Dark Web markets, it allows only so-called multisignature transactions. That means the bitcoins are held at an address jointly controlled by the buyer, the seller, and the market’s admins. For the money to be moved to the seller’s account, two out of three of those parties must sign off on the deal, giving the administrators the tie-breaking vote to resolve disputes.
Re: (Score:2)
Any idea how that works? The only way I know of to produce partial keys has one person entirely in charge, which wouldn't work for an untrusted escrow service.
Bitcoin allows for escrow and arbitration where you can select any arbitrator both parties trust and agree to and thus eliminates counterparty risk. The keys are split with either multi-sig or Shamir's secret sharing. Here is one example amongst many:
https://www.bitrated.com/ [bitrated.com]
make Zero Day a National Holiday (Score:2)