The key commodities prices of oil, grains, sugar, and cotton don't just affect business sectors as they rise and fall with supply and demand: They also drive global trading activity and form the foundation of the world economy. The same applies to cybercrime.
The prices for key "goods" in the underground economy — pilfered credentials, hacked accounts, or payment card information — doesn't only mirror fluctuations in supply and usage. They also determine the kinds of attacks criminals will launch. This should come as no surprise. Criminals are businesspeople, after all, and they want to maximize their return on investment.
The recently released Dark Web Price Index 2020 reveals current average prices for a selection of cybercrime commodities available "on demand." Stolen credit card details start at $12 each, and online banking details at $35. "Fullz" (full identity) prices are around $18, which is less than it was a couple of years ago because a series of large breaches created an oversupply of personally identifiable information. A basic malware attack on targets on Europe or the US costs $300, and a targeted distributed denial-of-service (DDoS) attack goes for $10 per hour.
These rates shed light on a big shift in cybercrime since 2018: the move away from ransomware and toward DDoS attacks that attempt to extort money from their targets. Ransomware is old school and was deployed only on a fairly small scale because it couldn't be spread without help from unwitting users. As a result, most attacks tended to be limited to scrambling data on a few PCs or servers.
Later, in 2017, the infamous EternalBlue exploit changed everything. Ransomware created to take advantage of it — such as WannaCry and NotPetya — could spread without assistance to any unprotected company computer. If even a single user opened a malicious attachment, the organization's network could be taken down in minutes, making it easy for bad actors to demand payoffs.
This drove a spate of ransomware attacks that lasted for about a year and a half. It also compelled organizations to install EternalBlue patches and implement extra security measures so attacks became less successful. High-end malware like WannaCry and NotPetya require financial and human resources to develop, and blockbuster exploits like EternalBlue are rare. As a result, ransomware use has dropped. Today, it's once again being used as a tool for targeted attacks.
DDoS Deeds, Done Dirt Cheap
As ransomware use has waned (for now), DDoS attacks have become the go-to weapon for online extortion. As we've seen, thanks to the proliferation of Dark Web services, it doesn't cost much to unleash a damaging attack — some DDoS-for-hire services cost just $10 per hour or $60 for 24 hours. The "salespeople" even offer volume discounts.
One reason why DDoS attacks are so inexpensive is that, more and more, the people offering DDoS-for-hire services are leveraging the scale and bandwidth of the various public clouds, providing more artillery firepower than ever. Research by Link11 reveals that the year-over-year share of attacks using public clouds ballooned by 64% — from 31% in the second half of 2018 to 51% in second half of 2019. (Full disclosure: I'm the COO of Link11.) It's easy to set up public cloud accounts using a cheap fake ID and an equally cheap stolen credit card — thanks again, Dark Web! — and simply rent the accounts to whoever has an attack target in mind. If the credit card stops working, no problem. They're (almost) a dime a dozen. Because they're so easy to procure, often DDoS attacks are used to produce a smoke screen to keep IT teams busy and cover up a targeted hacking campaign.
Making matters worse, it's not terribly risky to run or rent these services. According to the World Economic Forum's "Global Risks Report 2020" report, in the United States, the chances of a cybercrime actor being caught and prosecuted are almost nil (0.05%). At the same time, the business impact on targeted companies is massive. IBM's "Cost of a Data Breach Report" pegs the average total cost of a security breach at $3.92 million.
These days, because of the COVID-19 pandemic, organizations around the globe are embracing remote work at unprecedented levels. This has made the online services of all kinds — from governments to banks to e-commerce or e-gaming — more vulnerable to criminals, and DDoS attacks more alluring as a means of extortion. Like the best business propositions, such attacks don't cost much and can reap excellent returns. On the target's side, when online connections are halted or significantly slowed for even a few hours, employees' work is disrupted, customers can't buy anything, and the organization's revenues and public image are damaged.
Make Sure Crime Doesn't Pay
With DDoS attacks growing heavily in size, multiple times larger than the available internet bandwidth, on premise solutions are turning into a toothless tiger. If a large attack hits an organization, the pipe is doomed to collapse before any local hardware can start interfering. As a result, the ISP is going to discard (black hole) all traffic for the duration of the attack, making the organization inaccessible to anyone. To ward off new flood of DDoS extortion attacks and prevent having to pay ransom money to cybercriminals, organizations need to protect their IT infrastructure using cloud-based services capable of fending off even large-scale attacks. These route all IP traffic to the organization's networks to an external cloud service that automatically and instantly filters out all malicious traffic using AI wizardry and ML to spot anomalies — before an attack can take down mission-critical services. Such an off-premise-service is usually underpinned by a multi-terabit MPLS network, capable of absorbing even large-scale attacks.
There's no doubt the cybercrime economy will continue to be a bonanza for the evildoers who know how it works. But organizations can still avoid feeding the beast.
- 7 Recent Wins Against Cybercrime
- Dark Web Travel Fraudsters Left Hurting From Lockdowns
- Average Cost of a Data Breach: $3.86 Million
- The Threat from the Internet — and What Your Organization Can Do About It