For that hacker who has everything -- why not get him an exploit this holiday season? Potential criminal offenses are available in all price ranges, from just $7 to more than $50,000.
If you know where to look, online shopping for hackers could be just this easy and affordable, according to researchers at Trend Micro. Through its own unnamed sources, the security vendor recently cracked into a major marketplace for buying and selling online exploits, and earlier today officials shared their findings with Dark Reading.
"It's amazing what's available for sale," says Raimund Genes, CTO of Trend Micro. "We estimate that the malware industry now generates more revenue for criminals than the content security industry generates for vendors and service providers." The latter figure was about $26 billion last year, he says.
This week, Trend Micro got a glimpse at one of the fleeting online marketplaces used by attackers to buy and sell online exploits. Genes emphasized that the prices he saw were the offer prices, and that, unlike eBay, the marketplace did not show whether or not anyone had purchased the exploits at these prices. "Still, it gives you a sense of the relative value and economics of these exploits."
At the high end of the market was a zero-day exploit for Microsoft Vista, which was priced at $50,000. Other zero-day exploits were selling for around $20,000 to $30,000 each. Bots that allow users to self-generate botnets were priced at $5,000 and up.
But exploits aren't just for those with deep pockets. The marketplace also yielded a variety of more affordable holiday gifts, including:
- $1,000-$5,000: Customized trojan program, which could be used to steal online account information
- $500: Credit card number with PIN
- $80-$300: Change of billing data, including account number, billing address, Social Security number, home address, and birth date
- $150: Driver's license
- $150: Birth certificate
- $100: Social Security card
- $7-$25: Credit card number with security code and expiration date
- $7: Paypal account log-on and password
Online marketplaces such as these pop up periodically, then are quickly disassembled and moved to avoid detection, Genes says. "Prices like these can change quickly as demand and the availability of exploits shifts."
The lowest-priced exploits, such as credit card numbers and Paypal account information, are becoming commodity items because of the widespread success of spam-based phishing campaigns, Genes says. In recent spam statistics, Trend Micro has found some ISPs, particularly in Europe, that are handling more than 1 billion spam messages per day.
"It's really a little bit scary," Genes says.
Tim Wilson, Site Editor, Dark Reading