There's no better lesson in the mechanics of a free market than
watching a black market at work. And in this era of cybercrime, there
may be no better observational laboratory of black market dynamics than
on the Dark Web. For years now, security researchers have observed the
evolution of the cybercrime economy, as malware authors, identity
thieves and fraudsters have peddled their wares in a marketplace that
has grown increasingly specialized in its division of labor.Today, the menu of options is staggering, with many widely available items and services becoming quickly commoditized. Social security numbers, stolen credit card numbers and full identity information run for as cheap as a few bucks each. Botnet booter rentals can be had for under $100 a day to conduct DDoS and stressor campaigns against targets. And many malware authors offer both software for sale and malware-as-a-service in the SaaS model for a range of prices.
Additional services and differentiated items like 0-day vulnerability information net attackers more lucrative price points, as attackers seek out the means for targeted campaigns. The illicit shops and salespeople on the Deep Web operate as true businesses, with many components of committing cybercrime bundled in special discount packages for customers seeking the best bang for their criminal buck. It is truly a complex and sophisticated economy out there.
We've compiled some of the prices to give readers a feel for how cheaply crooks can get started in their criminal enterprises. All prices are given in USD, unless otherwise noted.
Botnet Booter Rental
So called booter or botnet rentals can be used by crooks
to stress test networks or distract their target during a larger cyber
heist.
Rental Costs
Daily: $60
Weekly: $400
Daily: $60
Weekly: $400
Discounts
10% on orders of $500
15% on orders of $1000
10% on orders of $500
15% on orders of $1000
Source: Arbor ASERT
Ransomware
As one of the most popular and profitable forms of
malware today, ransomware has seen a huge surge in popularity in black
market shops and Dark Web bulletin boards.
Costs
Radamant Ransomware Kit for One Month: $1000
Average cost for Basic Malware: $10
Radamant Ransomware Kit for One Month: $1000
Average cost for Basic Malware: $10
Source:
Radamant Ransomware Kit for sale
Compromised Website Access
Compromised websites and servers are a favorite means
for distributing malware and launching attacks. Crooks can buy access to
compromised sites through Cpanel management portals or, for a premium,
through remote desktop protocol (RDP) tools.
Costs
Cpanel: $3-$5
RDP: $10-$25
Cpanel: $3-$5
RDP: $10-$25
Source:
TREND MICRO report
Bullet Proof Hosting Services
Bullet Proof Hosting Services (BPHS) help attackers keep
their phishing sites and command and control infrastructure more
resilient to takedowns and other law enforcement action. They usually
come with set IP address, and a set amount of hard disk space and
memory.
Montly Costs:
North American account with IP address, 100 GB of disk space and 2 GB of RAM: $75
Basic access to bulletproof server: $3
North American account with IP address, 100 GB of disk space and 2 GB of RAM: $75
Basic access to bulletproof server: $3
Source:
TREND MICRO report
Exploit Kits
Exploit kits offer criminals a turnkey way to jump right
into an attack with very little technical abilities. Everything comes
packaged up for the bad guys.
Costs
Nuclear Exploit Kit Lease: $50/day, $400/week, $600/month
Sweet Orange Exploit Kit Lease: $450/week, $1800/month
Nuclear Exploit Kit Lease: $50/day, $400/week, $600/month
Sweet Orange Exploit Kit Lease: $450/week, $1800/month
Fraud Tutorials
Crooks are even making money off of teaching newbies the
ropes of committing cybercrime, selling helpful tutorials and ebooks
for beginners.
Costs
Carding tutorials: $0.35-$500
Carding tutorials: $0.35-$500
Source:
TREND MICRO Prototype Nation
Stolen Credit Card Credentials
Stolen identity and financial information is available in all sorts of shapes, sizes and packaging.
US Payment Card Number With CVV2: $5-$8
Plus Bank ID Number: $15
Card Number with all details about the card and owner ("Fullz"): $30
Plus Bank ID Number: $15
Card Number with all details about the card and owner ("Fullz"): $30
Source:
McAfee The Hidden Data Economy
Online Payment Service Account
Whether it is bank accounts or other payment services, pricing for access to these accounts depends on the balance.
Costs
$400-$1000 Balance: $20-$50
$1000-$2500 Balance: $50-$120
$2500-$5000 Balance: $120-$200
$5000-$8000 Balance: $200-$300
$400-$1000 Balance: $20-$50
$1000-$2500 Balance: $50-$120
$2500-$5000 Balance: $120-$200
$5000-$8000 Balance: $200-$300
Source:
McAfee The Hidden Data Economy
Healthcare Data
Even healthcare data is subject to sale, available for those seeking to commit insurance fraud.
Costs
Bundle of 10 Medicare numbers: $4700
Bundle of 10 Medicare numbers: $4700
Source:
NPR