
Underground black market: Thriving trade in stolen data, malware, and attack services 

Nov 20, 2015 06:49 AM


During the holiday season, shoppers scour the Internet to find the best deals for the perfect gifts. Ordinary consumers aren’t the only ones looking for bargains at this time of year. Cybercriminals are also looking to shop, at other people’s expense, by using underground marketplaces to buy and sell illegal goods and services. Stolen data, compromised online accounts, custom malware, attack services and infrastructure, fraudulent vouchers, and much more can be bought if you know where to go.

Prices for illegal goods and services can vary widely, depending on what’s offered, but bargains exist even for cybercriminals on the tightest budgets. Attackers can pick up stolen data and compromised accounts for less than a dollar. Larger services, such as attack infrastructure, can cost anything from a hundred dollars to a few thousand. However, considering the potential gains that attackers could make by using this infrastructure, the upfront cost may be worth it for them.

Considering all of the data breaches and point-of-sale (POS) malware incidents that occurred in the last 12 months, you may think that underground markets are flooded with stolen data, causing prices to drop. Interestingly enough, this does not seem to be the case for all illegal goods on these marketplaces.

Shopping in the underground
While some illegal marketplaces are viewable on the public Internet, news coverage around underground sites has increased this year, forcing many scammers to move to darker parts of the Internet. For example, some forums are now hosted on the anonymous Tor network as hidden services. Other markets are only accessible with an invitation and require a buy-in, which could involve money or goods—like 100 freshly stolen credit cards. Other markets are run on private chat rooms and have rigid vetting procedures for new users. In these closed circles, prices are usually much lower and the traded amount of goods or services is higher. 

Stolen data for sale
Prices have dropped for some of the data offered, such as email accounts, but they remain stable for more profitable information like online bank account details. In 2007, stolen email accounts were worth between US$4 and $30. In 2008, prices fluctuated between $0.10 and $100. In 2009, the price hovered between $1 and $20. Today, you can get 1,000 stolen email accounts for $0.50 to $10. The latest pricing is a good indication that there is now oversupply and the market has adjusted accordingly.

Credit card information, on the other hand, has not decreased in value in recent years. In 2007, this information was advertised at between $0.40 and $20 per piece. How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, the amount of the card’s metadata provided, volume discounts, and how recently the card data was stolen. In 2008, the average asking price for credit card data was slightly higher, at $0.06 to $30, and later in the year it rose to $0.85 to $30. Today, prices for stolen credit card information range between $0.10 and $20. In general, credit card data prices have fallen slightly over the last few years, especially in cases where cybercriminals trade in bulk volumes.

Of course, we have no visibility into transactions and do not know how many buyers actually pay the upper end of the price range. The quality of the stolen goods is also questionable, as some sellers try to sell old data or resell the same data multiple times. This may also explain why there has been a boom in additional service offerings that verify that the seller’s accounts are still active or that a credit card has not yet been blocked. Most underground marketplaces even provide a guarantee for the data’s freshness and replace blocked credit cards within 15 minutes of purchase. As expected, where there is demand, someone will step in and address the gap in the market.

Attack services for hire
Crimeware-as-a-service has also become popular on underground marketplaces. Attackers can easily rent the entire infrastructure needed to run a botnet or any other online scams. This makes cybercrime easily accessible for budding criminals who do not have the technical skills to run an attack campaign on their own.

A drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and distributed denial-of-service (DDoS) attacks can be ordered from $10 to $1,000 per day. Any product or service directly linked to monetary profit for the buyer retains a solid market price.

The evolution of Ransomware

Ransomware, which is also known as digital extortion, has become a growing problem for consumers and enterprises. Simply defined, ransomware is a type of malware that restricts access to a computer system that it infects in some way, and demands that the user pay a ransom to the operators of the malware to remove the restriction.

The majority of ransomware threats today are designed to target personal computers running the Windows operating system. This is unsurprising, as Windows-based computers make up around 89 percent of the OS market share for desktop computers, with Mac OS X and Linux making up the rest. Given that ransomware is a commercial activity for cybercriminals, it makes sense for them to maximize potential returns on their investments.

It’s now evolved to become another malware commodity on the underground market. 

Cashing out with fraudulent vouchers and tickets
Cybercriminals are always coming up with new strategies to cash out their profits. Vouchers and online gift cards are currently in vogue, as they can easily be traded or sold online. Attackers pay for them using stolen credit cards or generate them from hijacked online retailer accounts. They then sell the vouchers and online gift cards for 50 to 65 percent of the nominal value. Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually.

Older methods such as packet re-sending agents have declined in popularity. This method involved buying expensive goods with stolen credit cards and having them shipped to an uninvolved volunteer, who then reships the goods to the attacker’s anonymous PO box. This is getting harder to do, as many shops will only ship to the registered home address of the credit card. This also led to some attackers picking up the items in a physical store nearby, rather than shipping them somewhere first.

The expansive underground marketplace
These examples aren’t the only goods and services on offer on underground marketplaces. Also for sale are:

  • Scans of real passports ($1 to $2), which can be used for identity theft purposes
  • Stolen gaming accounts ($10 to $15), which can yield valuable virtual items
  • Custom malware ($12 to $3,500), for example tools for stealing bitcoins by diverting payments to the attackers
  • 1,000 followers on social networks ($1 to $12)
  • Stolen cloud accounts ($5 to $8), which can be used for hosting a command-and-control (C&C) server
  • Sending spam to 1 million verified email addresses ($70 to $150)
  • Registered and activated Russian mobile phone SIM card ($100)

The booming underground marketplace is another reason it’s important to protect your data and identity. Otherwise, you may find your personal information in the shopping basket of a cybercriminal during this holiday season.

Symantec recommends the following basic security guidelines:

  • Always use strong passwords, and never reuse them across other websites.
  • Update the software on all of your devices regularly to prevent attackers from exploiting known vulnerabilities.
  • When entering personal or financial information, ensure that the website is encrypted with a Secure Sockets Layer (SSL) certificate by looking for the padlock icon or “HTTPS” in the address bar. Report any suspicious behavior before submitting sensitive information online.
  • Use comprehensive security software, such as Norton Security, to protect yourself from cybercriminals.
  • Exercise caution when clicking on enticing links sent through emails or posted on social networks. If something looks too good to be true, then it likely is.

For more insights:

Symantec White Paper: The evolution of ransomware

Blog article: The phishing economy: How phishing kits make scams easier to operate

{Editor's note: This article was originally published 12/10/14 and has been updated with new findings}
