When Selling Stolen Identities on The Dark Net, Customer Service Is Key
A survey found the dark net hacker markets are starting to look more and more like the e-commerce markets that exist everywhere else online.
Image: John Lambert Pearson/Flickr
Dark net hacker markets are starting to look more and more like the e-commerce markets that exist everywhere else online, according to a report published by Dell. Just like on Amazon and the ilk, dark net prices for premium products are going up, obsolete services are being driven out of the market, and good customer service is increasingly valued.
Dell enlisted in-house malware researcher Joe Stewart and security analyst David Shear to review and catalog the underground hacker markets, following up on a similar report the company released last year. The pair found the market was "booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards, and drivers' licenses." Prices for highly-sought information and documents are climbing, while other information is getting cheaper as hacking becomes more ubiquitous.
Stewart and Shear found bulk pricing for bots, for example, has gone up: last year you could buy 1,000 bots for $20, 10,000 for $160. This year, 1,000 bots alone will cost you $140-$190 and they are tied to specific locations in the US, UK, or Asia.
Distributed denial of service (DDoS) attacks—hiring someone to knock a particular website offline on your behalf—have also gone up in price slightly, although now you can get a deal if you pay by the week instead of the day. A daily rate for a DDoS attack costs between $90-$100 (compared to $60 to $90 last year) while a weekly rate ranges from $400 to $600 (compared to $350 to $600 in 2013).
The pair also noticed a number of new products and services cropping up that weren't available during last year's survey. In particular, identification documents are booming. Non-US passports (typically just a photoscan) go for $200 to $500, while US passports are virtually non-existent on the market. But US drivers licenses are available, for $100 to $150 a pop, while social security cards will run you $250 to $400. Are they legit? Well, more on that in a minute.
You can even purchase an entire identity online for less than the cost of a new iPhone, the report found. For about $350, you'll receive a scan of a working social security card, a name, an address, and a matching utility bill. Entrepreneurial hackers are also monetizing their skills by selling hacking tutorials to wannabe Kevin Mitnicks.
These new products are replacing others that have been pushed out since last year. The market for remote access trojans (RATs), which allow hackers to remotely use someone's computer, has dropped off significantly as RAT source codes have been cracked and circulated online for free. Last year, RATs cost between $50 and $250. Now, if you bother to pay, you can grab the trojans for $20.
The reputation of the vendor becomes critical to running a successful business
Though the report did not speculate on the quality of the products offered, it did note the dark net is no stranger to the necessities of good customer service. As hacking becomes more accessible to a wider user base, Stewart and Shear found an increased emphasis on quality and service from hackers hocking their stolen wares.
"Like any market, which is crowded with multiple vendors selling many of the same products and services, reputation of the vendor becomes critical to running a successful business," the report read.
Knowing that potential customers may be concerned about buying a fake ID online, vendors have taken steps to assuage consumer fears in the hopes of boosting sales.
"It looks like more hackers on the underground have realized this and are trying to distinguish themselves by offering prompt customer service and '100% guarantees' on the stolen data they are selling," the report added.
If the variety of personal info available for sale online has made you nervous, there are ways to protect yourself from winding up in the identity bargain bin. It's best to follow the rules you were taught as a kid: change your password frequently; don't open email links from unknown senders; and don't install random, unidentified software you download.
Alternatively, you can put all your money into a mattress, burn off your fingertips, and live in a tent in the woods. That works too.