Security Experts:

Here's What $50 Can Get You in the Cybercrime Underground

A dizzying array of services and products are available to people interested in embarking on the cyber-crime lifestyle. The offerings cover the entire criminal enterprise from getting started, distribution, and monetizing attacks, and aren't all that expensive, according to an analysis of the underground market by Trend Micro.

Underground Cybercrime Forums

Trend Micro outlined two dozen basic and fundamental tools and services that can be bought and sold on underground shopping forums in its research paper released Tuesday. The top 10 activities included programming and software, hacking, server sales and hosting, spam and flooding services, pay-per-install services for downloads and traffic, denial-of-service attacks, file encryption, Trojans, and exploit writing, Trend Micro said. 

The bulk of data used in this report was gathered from online forums and services used by Russian cyber-criminals, such as,, and, Max Goncharov, senior threat researcher at Trend Micro, wrote in the report. The Russian shadow economy is increasingly becoming one that is service-oriented and resembles real-world businesses in the way it sells products to others.

The Russian cybercrime market is large. Earlier this year, Group-IB, a Russian cybercrime investigations and forensics company with offices in New York and Moscow, released a report that pegged the size of the Russian cybercrime market in 2011 at $2.3 billion.

After examining the prices charged for various types of services, Trend Micro concluded the "investment to become a cyber-criminal is minimal."

Even $50 will give a criminal-wannabe access to a wide range of products. A stub crypter, which can be used to conceal infected file or malware from security scanners, with various add-ons typically ranges between $30 and $80, according to the report. A one-day denial-of-service attack goes for $30 to $70, and the source code for a Trojan backdoor is a mere $50. Installing Zeus, whether on a hosted server or an in-house server, is a mere $35 or $40 investment, Trend Micro said. VPN service for three months to make it possible to access the Web anonymously costs $50 to $55.

Programming services and software sales was the most popular form of business activity in the criminal underground, according to Trend Micro. Programmers offer to write customized programs such as spammers, Trojans, and worms, using languages ranging from assembly to Python. Other programmers can sell "off-the-shelf" software, such as malware, Winlockers, Trojans, spammers, brute-force tools, crypters, and DDoS bots, as well as licenses for popular toolkits such as Zeus and SpyEye. Exploits and Trojans are also available for sale.

Hacking covers an impressive array of services, including brute-forcing, guessing answers to security questions, SQL injection and Cross-site scripting attacks to compromise Websites, and using sniffers, phishing sites, and other social engineering tricks. Tools to hack various Russian sites and social networks are plentiful. Services to hack Gmail, Hotmail, and Yahoo Mail are "somewhat available but at premium prices," Goncharov wrote.

Cybercrime Underground MarketDedicated servers are among the "most popular goods" in the underground market and are considered "unique consumables" with constant demand, Goncharov wrote. Dedicated servers are usually sold by the tens or hundreds with prices depending on their processing power and Internet access speed. Bulletproof-hosting services are also widely available. Criminals may look into hosting services for their exploits or for drive-by-downloads.

File encryption services fall into two categories—encrypting individual files and ensuring malicious files aren't detected by security software using crypter tools, Trend Micro said. Spamming services remain popular, as databases containing social networking accounts, forum members, and email addresses are in high demand.

Pay-per-install services such as download services are immensely popular and widespread. Customers provide the malicious file to a service provider, who handles the distribution side and how the people get infected. Traffic services, such as promising to direct a certain number of users to a Website, or using black hat search engine optimization techniques to improve search engine visibility, are also popular.

Traffic partner programs convert traffic to downloads, such as getting 1,000 unique visitors to the site and infecting up to 50 people, Goncharov said.

Customers interested in DDoS offerings rent out enough bots to launch an attack against a target for a specified period of time. The customer can buy attacks for one hour, one day, one week, or one month. DDoS attacks. Various attack types are available, including UDP, ICMP, TCP, and TCP/SYN flood attacks, as well as a Smurf attack. Smurf attacks involve sending ICMP ping requests using a fake source address.

Criminals willing to invest more money can buy sophisticated technology, tools, and services, Trend Micro noted.

"The Russian shadow economy is an economy of scale, one that is service oriented and that has become a kleptocracy wherein crony capitalism has obtained a new lease on life in cyberspace," the report's authors concluded.

The full report is available here.

Related News: Imperva's Latest Report Looks Inside Hacker Forums

view counter
Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.