The digital criminal underground can be intensely competitive. Cyber-criminals are constantly finding new ways to extort money or information from their unsuspecting victims and crafting new software to stay ahead of the curve.
Now that hackers are creating viruses so user-friendly that they can be deployed by anyone with a little cyber know-how, they are competing with each other for the business of the low-level criminals that use their services.
Hackers are offering customer service and support, guarantees, and custom features to attract criminal customers and differentiate themselves from their competitors.
“[Cyber-criminals] have a very crowded market and they are competing with themselves,” Ed Cabrera, Vice President of Cybersecurity Strategy at Trend Micro, told Business Insider.
According to Cabrera, Trend Micro is now seeing customer support functionality in nearly all cyber-criminal undergrounds the company researches.
Support and service are particularly important to sellers whose market is comprised of relatively inexperienced hackers who may need some degree of hand-holding.
Carders went first
Some of the first cyber-criminals to adopt this line of thinking were “carders”: those who sell stolen credit card info. After the shutdown of several major carding operations and forums in the early 2000s, market forces kicked in as new upstarts sought to differentiate themselves. Soon enough, carders were frequently verifying cards with test donations to charities and even offering money-back guarantees to their customers.
The idea has since caught on.
“You name the service or product and you have high specialisation [in that market],” Cabrera said. “Customer service is just a natural effect of that.”
Brian Krebs, a journalist who has written extensively on cybercrime, echoed Cabrera’s statements in an email to Business Insider.
“Those who profit are the ones who manage to develop strong customer service models,” wrote Krebs. “Those who screw this up — whether they’re renting some kind of malware as a service setup or rolling their own — are not going to be successful in the long term.”
Virus developers often seem to offer perks out of a sense of hacker camaraderie and general goodwill toward their customers, if not their victims.
Often, hackers deploying a virus will share tips with others doing the same or offer suggestions to the original author on how to improve the service.
Jeiphoos, the developer of ransomware service Encryptor RaaS, told Business Insider that he has received a few dozen comments and had conversations with multiple people interested in his service.
In addition to asking questions about his service, users have given Jeiphoos feature requests, requests for custom webpage templates or ransom notes, and inquiries about virus detection. Some write just to say thank you. He responds to them when they leave him an address to reach them at and even posts on forum threads discussing his software, seeking out improvements and verifying his identity to establish trust.
Jeiphoos said that he occasionally implements features recommended by customers looking to improve the service or tweak the software for a given user’s needs, like providing a white-label version with no Encryptor branding.
But Encryptor is free for anyone to use and Jeiphoos doesn’t make a cent unless the ransom is paid, in which case he gets a cut. Asked why he provides free support to his “customers” before they have earned him any money, Jeiphoos compared himself to an employee in an ordinary store helping potential shoppers.
“Others have called me [selfless] in my ‘non-criminal’ side of life,” Jeiphoos said. “I almost plead [with] them to stop saying that.”
Retired ransomware-as-a-service developer Tox told Business Insider over encrypted chat how the users of his malware helped him find bugs, test the malware’s viability on different operating systems, and make improvements.
As his service became popular, a community evolved in a chatroom on the malware’s website.
“At the beginning I had to answer questions and help users, but after a few days my users were helping each other and I just had to answer to private messages,” Tox told Vocativ in June.
In an effort to help users find legitimate services, some dark web marketplaces offer the ability to leave seller and item reviews. The result ends up looking like an eBay seller’s feedback page.
A dark web marketplace called AlphaBay not only offers seller reviews but also “vendor levels” indicating how much business a seller has done on the site and “trust levels” to help gauge a seller’s honesty. The site also features an active forum where users discuss products and individual sellers, get help with using the site, and report scammers. For even more convenience, moderators for the site are assigned to help handle disputes.
In the scam report forum, one user has just reported receiving two packets of flour in a shipment that should have contained a Beretta pistol. In another thread, a seller accused of scamming intervenes to mention that he offered a refund. Even more incredibly, AlphaBay will offer refunds to buyers in instances where the seller has been banned.
One seller on AlphaBay describes himself as a “friendly guy” who does his best to “keep you satisfied and help” and has 92% positive feedback for his efforts. In his listing for customisable ransomware, he mentions that he will set the service up for customers for a small fee.
“Excellent vendor, great communication, thx bro!!!” one user wrote on the seller’s feedback page.
The vendor leaves a reply: “No problem, have fun mate!”
The exchange might look like any ordinary eBay feedback comments, except this sale was for “fullz”: personal information used for identity theft.
When asked about the support he offers, he had a simple response:
“It’s called hacking, friend. Sharing is the key to power, freedom, and success.”