Security Experts:

The Commodities of Underground Markets

This article is the second in a series describing the hottest commodities found in underground markets.

In this column we continue to explore the trending “commodities” in underground markets and how to protect from your data being exchanged in these markets.

Black Market DataCommodity #3: Credentials – The Real Gold

Symantec’s 2009 Internet Security Threat report shows an incredible black market shift where email accounts were the third most available virtual good for sale. Furthermore, on the low end, the online credentials were going for $1.00 a credential –higher than that of a credit card, and 10 times the previous year’s asking price!

Online credentials are composed of username/ password combinations in order to gain access to different Internet applications:

Online banking service – the credentials allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal (or most often a mule account that collaborates with the attacker).

Health-care providers – stolen accounts may be used for prescription drug trading or for health information compromise. The latter can be used in blackmail operations, targeted sting operation or even for sale as “targeted” marketing data for the healthcare market.

Webmail applications – a hacked webmail account allows the hacker to scrape the victim’s address book and use those addresses in spam lists. The criminal can then send the phishing messages from the compromised account, making the message all the more credible. Though there is additional value to stolen webmail accounts – compromising other credential sets through the password recovery feature of many applications. This feature usually sends the credentials of an online application to an email account designated by the owner upon registration. It is interesting to see that not all webmail credentials are considered equal in the black market. The credentials to a Hotmail account may fetch a mere $1.50, although a Gmail account may fetch more than $80 per account. The latter is probably to the wide variety of other cloud services that can be accessed through one’s Gmail credentials. These include anything from personal or corporate GoogleDocs through corporate Google Analytics and even Webmaster tools.

Social networks – the inherent viral nature of social networks, together with real-time updates in search engines, make stolen social network accounts most valuable. The price of these credentials varies according to the popularity of the application. For example, the credentials to a Facebook account may fetch higher value than a less-popular social application devoted to some niche community as the hacked account may reach more users. To complete the picture, the amount a social network account may fetch rises according to the “popularity” of the account in question. This means that a Twitter account with hundreds of followers will be worth more than a Twitter account with just a dozen of followers.

These were only a few common examples, but hackers can benefit from stolen credentials to nearly every online application. This is especially true given that credentials are known to be re-used by a single individual for a variety of online applications.

Other Markets, More Commodities

Although the bulk of the goods on sale in hacker forums relate to data, different underground markets publish their listings for different goods:

Hacker software – Code, automated software, and Trojan software are only a few examples of software being traded in the markets. Hackers have published the sale of the popular Zeus Trojan for around $800. The asking price for a more advanced Zeus version is about $1000.

Botnet rental - Last year, Panda labs concluded that the average price for a 24-hour botnet rental is $67 while an hourly rental costs $9. However, I tend to agree with security researcher Dancho Danchev that a price tag on botnet rental cannot be simplified to a static rate. After all, there are different aspects which are taken into consideration when hiring a botnet such as the size of the botnet, the type of attack (e.g. spam, DDoS, cred-fetching), the target (military, private organizations, focused targets or rather widespread), geo-location (targeted country, organization and even language considerations), and length of attack (1 hour of spam, 3-day DDoS attack or a monthly membership for phishing sites).

Hacked sites - Hackers gaining administrator control of legitimate Web sites are all too eager to sell them. Just recently, my employer had found a list of government, education and military websites up for sale. Military sites were going for just less than $500 while Italian government sites were being sold for a mere $99.

Advice

With all this underground activity, it is left to answer: How do you avoid having your organization’s sensitive data from appearing in an underground forum? What controls should be in place to prevent a hacker gaining full administrative control on your Web application? How do you avoid being a victim of a botnet campaign targeted against your servers?

Attack protection controls – This concept is similar to putting up fences around your property. The security controls block any attack attempt to surreptitiously extract data from the Web application, such as online credentials through the application’s authentication form. Alternatively, this solution could also block any hacker attempt to insert malicious scripts, which could, for instance, lead to the theft of a client’s session information with an online banking service.

Virtual patching – The analogy here is putting bars on a broken window. The security controls block any attack targeting a specific known vulnerability in the Web application. As an example, consider a recent Java patch that contained a fix against a known vulnerability that if exploited, allows a hacker to DDoS the server. Patching all applications in an enterprise against such an attack is not a quick and easy task. However, a virtual patching solution would block all attack requests exploiting this known vulnerability, thus minimizing the window of exploit until that code is fixed.

Reputation controls – In this case, we can imagine the solution to be similar to looking through the peep-hole and gaining an idea of whether to allow the guest in, or whether the individual is an intruder and to turn him around. This would help for example to block requests coming from known active bots or even phishing sites.

Part in a Series on Cybercrime - Read Noa's Other Featured Cybercrime Columns Here

Avoid Password Reuse – This popular consumer-oriented advice relates also to enterprises. Ensure that different passwords are used across different platforms.

Next Column – Tax Season

Underground forums are selling your data and hackers are being creative at finding ways to get you to provide them with sensitive details. As tax season is at its height, hackers are working hard to get you to fall to different tax schemes. What are these phishing schemes and how do you avoid becoming a victim?

Read More Cybercrime Columns in the SecurityWeek Cybercrime Section

Noa is a private consultant specializing in building thought leadership teams within tech companies. She is one of SecurityWeek’s first columnists with previous columns focusing on trends in the threat landscape. Her current interest lie on the business-side of security. Noa has worked for Imperva as a Sr. Security Strategist and before that, as a Sr. Security Researcher. She holds a Masters in Computer Science (specializing in information security) from Tel-Aviv University.