A new report examines the buying and selling of unauthorized access to compromised enterprise networks and finds an active market for illegal access, which not only lines criminals' pockets but also enables future crime.
The research, "The Transfer of Enterprise Network Access on Criminal Forums," was conducted by IntSights, now owned by Rapid7, and found some pricey criminal offerings. For example, access to an organization supporting hundreds of retail and hospitality businesses was found offered at approximately $66,000 worth of Bitcoin. The victim, according to the report, was a third-party operator of customer loyalty and rewards programs.
In their post, the seller highlighted various ways in which a buyer could monetize the access: they could review and manipulate source code, for example, or access the accounts and points of loyalty program members. They could also conduct spam and phishing attacks, including ransomware campaigns against loyalty program members via legitimate communication channels.
Despite the high price tag for access to this loyalty and rewards program, researchers found pricing for access to compromised networks varies considerably from one sale to another. Many factors influence price, such as the extent and privilege level of the access, sales strategies of the sellers, and the victim's size, industry, location, and value to criminals.
The average offering price on the criminal market was $3,000. The single lowest price, $240 USD, was for access to a healthcare organization in Colombia.
"Criminals typically prefer victims in wealthier countries with advanced economies, as they are generally more lucrative," the report states.
Overall, the cost of access in healthcare trends lower than in other industries, with an average price of $4,860 USD and a median price of $700, according to the research.
"Healthcare organizations have long been popular targets for ransomware operators, well before these sales of access matured," say researchers in the report. "The lower cost of buying access to healthcare organizations has probably made them an even more desirable target for those ransomware operators that depend on these sellers."
The full report can be found here.