The Underground Hacking Economy is Alive and WellBy: Elizabeth Clarke
Many businesses around the world are struggling financially, but sadly the underground hacking economy seems to be alive and well.
In July of this year, the FBI charged two Russian hackers for hacking into US Financial Institutions that resulted in the theft of millions of dollars from more than 800,000 victim bank accounts.
One of these same hackers and several other hackers, were also charged with the stealing and selling of at least 160 million credit and debit card numbers, resulting in losses of hundreds of millions of dollars. According to the indictment, these losses "included $300 million in losses for just three of the corporate victims and immeasurable losses to the identity theft victims, due to the costs associated with stolen identities and fraudulent charges."
Joe Stewart, Dell SecureWorks' Director of Malware Research for the Counter Threat Unit™ (CTU) and independent researcher David Shear decided to investigate this dark marketplace to find out just what is selling and for how much.
Table 1: Underground Prices for Stolen Credentials and Hacker Services
|Hacker Credentials and Services||Details||Price|
|*Visa and Master Card (US)||$4|
|American Express (US)||$7|
|Discover Card with (US)||$8|
|Visa and Master Card (UK, Australia and Canada)||$7 -$8|
|American Express (UK, Australia and Canada)||$12- $13|
|Discover Card (Australia and Canada)||$12|
|Visa and Master Card (EU and Asia)||$15|
|Discover and American Express Card (EU and Asia)||$18|
|Credit Card with Track 1 and 2 Data (US)||Track 1 and 2 Data is information which is contained in digital format on the magnetic stripe embedded in the backside of the credit card. Some payment cards store data in chips embedded on the front side. The magnetic stripe or chip holds information such as the Primary Account Number, Expiration Date, Card holder name, plus other sensitive data for authentication and authorization.||$12|
|Credit Card with Track 1 and 2 Data (UK, Australia and Canada)||$19-$20|
|Credit Card with Track 1 and 2 Data (EU, Asia)||$28|
|US Fullz||Fullz is a dossier of credentials for an individual, which also include Personal Identifiable Information (PII), which can be used to commit identity theft and fraud. Fullz usually include: Full name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employee ID Number (EIN), one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs).||$25|
|Fullz (UK, Australia, Canada, EU, Asia)||$30-$40|
|VBV(US)||Verified by Visa works to confirm an online shopper's identity in real time by requiring an additional password or other data to help ensure that no one but the cardholder can use their Visa card online.||$10|
|VBV (UK, Australia, Canada, EU, Asia)||$17-$25|
|DOB (US)||Date of Birth||$11|
|DOB(UK, Australia, Canada, EU, Asia)||$15-$25|
|Bank Acct. with $70,000-$150,000||Bank account number and online credentials (username/password). Price depends on banking institution.||$300 and less|
|Remote Access Trojan(RAT)||$50-$250|
|Add-On Services to RATs||Includes set up of C2 Server, adding FUD to RAT, infecting victim||$20-$50|
|Sweet Orange Exploit Kit Leasing Fees||$450 a week/$1800 a month|
|Hacking Website; stealing data||Price depends on reputation of hacker||$100-$300|
|DDoS Attacks||Distributed Denial of Service (DDoS) Attacks-- throwing so much traffic at a website, it takes it offline||
|Doxing||When a hacker is hired to get all the information they can about a target victim, via social engineering and/or infecting them with an information-stealing trojan.||$25-$100|
As always, there is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale. However, the hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value--the 3 or 4 digit number on one's credit or debit card) is not always enough to meet the security protocols of some retailers. Hackers are also selling cardholders' Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card. VBV (Verified by Visa) data is also being sold. VBV is another password or piece of data assigned to Visa card holders to help defend against online fraud.
Stewart and Shear found that credit cards and personal identities for non-US residents continue to sell for more money than the credit cards and identities for US residents. An example of the pricing Stewart and Shear discovered for stolen credit cards, Track 1 and 2 Data of Credit Cards, Fullz, Date of Birth and VBVs for cardholders is listed in Table 1.
Online Bank Accounts for Sale: Name Your Bank and Country Preference
Just as with stolen credit cards, there are hundreds of online banking credentials for sale. Dell SecureWorks' Security Risk and Consulting (SRC) team also spends time researching the hacking underground and found that one can purchase the username and password for an online bank account with a balance between $70,000 and $150,000 for $300 and less, depending on which banking institution the account is located. Plus, one can specify the login information for an account within a specific bank and country.
Malware Infected Computers for Sale
There are thousands of compromised computers (bots) for sell by bot salesmen. The price per computer typically decreases when they are bought in bulk. The costs for infected computers (bots):
- 1,000 bots = $20
- 5,000 bots= $90
- 10,000 bots = $160
- 15,000 bots = $250
Infected computers in Asia tend to sell for less. It is thought that infected computers in the U.S. are probably more valuable than those in Asia, because they have a faster and more reliable Internet connection.
Once scammers buy the malware-infected computers, they can do anything they want with the machines. They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers. If you don't think there is much money in the spam business think again. In researching one of the largest spam botnets, Cutwail, CTU Sr. Security Researcher Dr. Brett Stone-Gross and several other academic researchers, estimated that the Cutwail gang's profit for providing spam services was roughly between $1.7 million to$4.2 million over a two year period.
Malware and Exploit Kits for Sale
Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to anti-virus and anti-malware. However, there were some hackers who sold the FUD component for an additional $20. For those RAT buyers who want the seller to do all the work for them, eg: setting up the RAT's Command and Control Server (C2), configure the malware to be FUD and possibly infect the target, they could pay an additional $20 to $50.
Exploit Kits-- Stewart and Shear found that one of the hackers offering the Sweet Orange Exploit Kit for lease charged $450/week or $1800/month. Sweet Orange is certainly more expensive to lease than the once popular BlackHole Exploit kit. Before BlackHole's supposed creator was arrested, the leasing rates for BlackHole were:
- 3 months---$700
- 6 months--$1,000
- One year--$1,500
Hacker Services for Hire: DDoS Attacks, Hacking of Websites, Doxing
Hacking into a Website
The cost to hire a hacker to break into an organization's website runs between $100-$300. Generally the higher the fee, the more reputable the hacker. What Stewart and Shear did note when investigating these particular services is that the particular hackers they dealt with made it clear that they would not hack into a government or military website.
Distributed Denial of Service (DDoS) Attacks
Those customers wanting to purchase DDoS Attack Services could pay by the hour, day or week. All of the hackers providing the DDOS attacks guaranteed that the target website would be knocked offline. Some of the premium hackers charged more than others and offered to let the attacks continue for days or weeks. The rates were as follows:
- DDoS Attacks Per hour = $3-$5
- DDoS Attacks Per Day = $90-$100
- DDoS Attacks per Week = $400-600
Doxing is when a hacker is hired to get all the information they can about a target victim. Their methods include searching public information sites, social media sites, as well as manipulating the victim via social engineering and infecting them with an information-stealing Trojan. Stewart and Shear found that there are a lot of "Doxing" services for sell on the hacker underground, A "Vouch" from customers is used to verify that the hacker providing the "Doxing" service is legitimate. "Doxing " services range from $25 to $100.
Name Brand Products, Get Them For Cheap
Another service being sold on the hacker underground is where hackers will sell popular products, below the retail price. The hackers will obtain a specified product for a buyer either by using a stolen credit card or by working a scam, where they contact the retailer's customer service representative and pretend to have purchased the item from the vendor, and it was damaged. The customer service representative is convinced that the complaint is legitimate, and they send out a replacement to the scammer, who in turn sells the product below the retail price.
For the most part, it does not appear that the types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years. The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or Personal Credentials. In 2011, the CTU saw hackers selling US bank account credentials with balances of $7,000 for $300. Now, we see accounts with balances ranging from $70,000 to $150,000 go for $300 and less, depending on the banking institution where the account is located. In 2011, we also saw hackers selling Fullz for anywhere from $40 to $60, depending on the victim's country of residence. Fullz are now selling between $25 and only go up to $40, depending on the victim's location. Dell SecureWorks believes the drop in prices further substantiates that there is an abundance of stolen bank account credentials and personal identities for sale. There is also no shortage of hackers willing to do about anything, computer related, for money, and they are continually finding ways to monetize personal and business data.
The CTU has outlined some key security steps to help organizations and individuals protect themselves from hacker attacks and the potential loss of Financial, PII Data, Intellectual Property and business productivity.
Key Protective Security Steps
Dell SecureWorks advises a layered approach to security. Organizations should consider implementing the following:
- Firewalls around your network and Web applications
- Intrusion Prevention Systems or Intrusion Detection Systems (IPS/IDS). These inspect inbound and outbound traffic for cyber threats and detect and/or block those threats
- Host Intrusion Prevention Systems (IPS)
- Advanced Malware Protection Solution
- Vulnerability scanning
- 24 hours a day x7 days a week x365 days a year log monitoring, and Web application and network scanning
- Security Intelligence around the latest threats (people working on the latest threats in real-time, human intelligence)
- Encrypted email
- Educating your Employees on Computer Security. A key protective measure is to educate your employees to never click on links or attachments in emails, even if they know the sender. Employees should check with the sender prior to clicking on the email links or attachments. Email and surfing the web are the two major infection vectors.
Individuals Should Implement the Following Security Steps
- Computer users should use a computer dedicated only to doing their online banking and bill pay. That computer or virtualized desktop should not be used to send and receive emails or surf the web, since Web exploits and malicious email are two of the key malware infection vectors.
- Avoid clicking on links or attachments within emails from untrusted sources. Even if you recognize the sender, you should confirm that the sender has sent the specific email to them before clicking on any links or attachments.
- Reconcile your banking statements on a regular basis with online banking and/or credit card activity to identify potential anomalous transactions that may indicate account takeover.
- Make sure your anti-virus is current and can protect against the latest exploits. Also, make sure that your anti-virus vendor has signatures for detecting the latest Trojans and that you have the most up- to-date anti-virus protections installed.
- Do not use "trial versions" of anti-virus products as your source of protection. Trial versions of anti-virus products are good for testing products, but do not continue to use the trial version as your protection for your home or work PC. The danger is that the trial version does not receive any updates, so any new Trojan or virus that is introduced after the trial version was released will have total access to your PC.
- Make sure you have your security protections in place. Patch management is key. It is critical that as soon as they become available you install updates for your applications and for your computer's operating system.
- Be cautious about installing software (especially software that is too good to be true – e.g., download accelerators, spyware removal tools), and be conscience about pop-ups from websites asking users to download/execute/or run otherwise privileged operations. Often this free software and these pop-ups have malware embedded.