There are way more stolen card numbers floating around the dark market than there used to be. Image via Flickr/EP Technology
Ahead of the holiday season, a couple of cyber security researchers released a shopping list describing how much hackers charge for various services, including stolen credit cards numbers, forged documents, DDoS attacks, and data theft.
Joe Stewart, Director of Malware Research for the Counter Threat Unit at Dell SecureWorks, and David Shear, an independent researcher, collected details of how much different stolen credentials and hacks-for-hire will generally set you back, and for most services it's probably not as much as you'd think.
What’s interesting about their findings—aside from the relatively inexpensive price points—is that the “underground hacking economy” hasn’t changed all that much since the last time the security researchers conducted the study in 2011. “The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or Personal Credentials,” the report stated.
“Fullz” is a collection of personal credentials that include a person's name, address, phone numbers, emails, date of birth, social security number, and usually some banking information like login credentials. Fullz used to run for between $40 and $60 on the dark market, but now go for a mere $25 in the US and $30-$40 abroad. The reason for the change in pricing is a “dramatic” increase in supply—there are now way, way more stolen card numbers and identities floating around the dark market.
Card numbers alone—including the CVV code—are amazingly cheap. US credit cards cost under $10, with magnetic strip data available for an additional charge. Overall, foreign cards were generally more expensive, at somewhere just under $20. Foreign credentials, stolen card numbers and bank accounts were in fact almost always worth more than their American counterparts, but the researchers didn't draw any conclusions about why that’s the case.
Other strikingly inexpensive information included bank account login and password combinations. Such credentials for an account with a balance between $70,000 and $150,000 cost about $300—maybe less, depending on the bank and country.
Infamous hacker services like malware-infected computers, or botnets, were also ridiculously cheap. At the low end, 1,000 bots were a mere $20. The pricing went up to 15,000 infected machines for $250. In this case, however, American machines fetched a higher price than those located in Asia because of superior Internet connections.
Malware-infected computers have a variety of uses, and cyber crooks will often harvest them for financial credentials, use them as spam bots, and in some cases install ransomware. Ransomware restricts access to a computer until a fee is paid to the hacker controlling the machine, and according to McAfee it's become increasingly popular across the world.
Another option available on the dark market, which allows access to a remote machine, is a “remote access trojan” or RAT. According to the research, a RAT would set you back between $50 to $250, often with an optional software package to make the trojan “fully undetectable” by anti-virus software. And if you're too lazy to set up the remote control server for a trojan, a hacker would be happy to do so for an extra $20 to $50.
For the more advanced, a new exploit kit has also cropped up by the name of Sweet Orange. This one isn’t so easy on the wallet. Hackers charged about $450 per week or $1800 a month, as the exploit kit is actually just hosted code on a website that detects and exploits vulnerabilities on apps on various computers. But while the price is higher than other hacker services, it’s cheaper than Sweet Orange's predecessor, the once-popular exploit kit BlackHole.
Rounding out the shopping list, DDoS attacks like those made popular by the hacktivist group Anonymous are leasable by the hour, day or week—costing $3-5, $90-100,and $400-$600 respectively. All price points came with a guarantee the target website would be knocked offline, and hackers with a reputation charged more than others. Meanwhile, a classic website hack to break into an organisation's website cost around $100 to $300—though it could be much greater depending on the hacker’s reputation. And not any target was for sale: the hackers the researchers dealt with made it clear they would not attack government or military websites.
In conclusion, the researchers wrote that there's "no shortage of hackers willing to do about anything, computer related, for money, and they are continually finding ways to monetize personal and business data." And the more hackers out there, the more competitive their pricing. Perhaps it's time to put online security at the top of your New Year's resolutions.