11/19/2013
02:27 PM

Glut In Stolen Identities Forces Price Cut In Cyberunderground

New report unearths what cybercriminals are charging for stolen identities and hacking services, such as DDoS and doxing

Just in time for the holidays, the price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity.

Researcher Joe Stewart of Dell SecureWorks teamed with independent researcher David Shear to get an insider's look at what a plethora of hacking services and stolen data cost these days in the underground. Among their findings: For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there.

"Fullz," or personal identities, went for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011 when Dell SecureWorks last studied pricing in the underground marketplace. Now those IDs are 33 to 37 percent cheaper.

With the high volume of data breaches and leaks over the past couple of years, it's no surprise the price of a stolen identity would have declined, says Stewart, who is director of malware research for Dell SecureWorks. "I expected to see the drop," he says. "The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased."

It's also getting easier to cash in on cybercrime. "This report shows that cybercrime is becoming more and more commoditized, turnkey, and the bar to entry had become lower and lower as more people develop kits" that simplify data theft, he says. Competition among the cybergangs also has intensified as more people join in the scams, he says. "It's created a situation where it's getting very easy for anyone to get into that business. I think these numbers confirm it," Stewart says.

Pricing trends are interesting, says Raj Samani, CTO of McAfee. But they also can be misleading, he says, because prices are all over the map. "You can have varying prices depending on the sources you go to."

McAfee in its June cybercrime study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, for instance, he says.

Dell SecureWorks found DDoS services anywhere from $3 to $5 per hour, $90 to $100 per day, and $400 to $600 a month.

The big takeaway for all of this, Samani says, is that cybercrime-as-a-service has arrived. "It doesn't require any technical knowledge, and you don't even have to own a computer," Samani says. "You just need to pay" and you can outsource anything, he says.


To gather the pricing information, researcher Shear infiltrated 15 different underground forums, four of which were Russian forums. Shear concentrated his efforts mainly on well-organized forums, according to SecureWorks.

Stewart and Shear found more cybercriminals selling a cardholder victim's birth date and Social Security Number as well as the card data itself to ensure the stolen card data can be used and the buyer won't get tripped up by any security questions or controls. "The hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value--the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers," SecureWorks said in its report. "Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card."

The cost of getting a website hacked runs from $100 to $300, with more experienced black hat hackers charging more for their services. In an interesting twist, the researchers found that these attackers stipulated that they don't hack government or military websites.

Doxing services (where a hacker steals as much information as they can about a victim or target via social media, social engineering, or Trojan infection) range from $25 to $100.

Bots are cheap, too: 1,000 bots go for $20, and 15,000 for $250.

Meanwhile, prices for stolen credit cards for U.S. accounts (with CVV numbers) have remained about the same since SecureWorks last studied pricing on them in 2011. They ranged from $4 to $8 per account, while European accounts dropped from $21 to $18 today. It's all about inventory of such a commodity item, according to the researchers.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...