Security Experts:

You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report

The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says.

The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows criminals-wannabe to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more.

All that miscreants have to do is to access underground markets or forums and hire the desired cybercrime service to conduct the malicious actions for them. And while the incurred financial losses total billions or even more for affected organizations, the price of hiring such a service is highly affordable to anyone.

According to Armor’s The Black Market Report: A Look into the Dark Web (PDF), anyone can DDoS an organization for only $10 an hour or $200 per day. Remote Desktop Protocol (RDP) access for a system for three months costs only $35.

The data was collected through the analysis of dozens of online underground markets and forums during the fourth quarter of 2017 and reveals a slight increase in prices compared to a couple of years ago. Considering how powerful DDoS attacks have become lately, however, the cost of launching an attack remains incredibly low.

DDoS-for-hire services, however, are only one example of how cheap cybercrime services are on the dark web. The Disdain exploit kit could be rented for $80 a day, $500 a week or $1,400 a month, Armor has discovered. A botnet capable of webinject and other nefarious actions was available at $750 or $1,200 a month, with support available at an extra $100 or $150 a month.

“When source code is offered, there is a trend toward offloading risk by selling malware or exploit code to someone else and then selling support as well. In the spirit of helping others, some sellers have taken to hawking hacker tutorials and known exploits in bundles at relatively low cost, most likely to low-skill hackers known as script kiddies,” the security firm says.

Armor's researchers found a Microsoft Office exploit builder targeting the CVE-2017-0199 vulnerability available at $1,000. A banking Trojan license, on the other hand, was available at $3,000 to $5,000, while a remote access Trojan was seen selling for $200.

On underground forums, buyers can also find code-signing certificates (a Class 3 code-signing certificate was selling for $400, while an Extended Validation (EV) certificate was offered for $2,500), account hacking programs (for as low as $12.99), WordPress exploits (at $100), password stealers ($50), Android malware loader ($1,500), ATM skimmers ($700 - $1,500), and various other tools as well.

Credit card skimmers and magnetic stripe readers were found selling for as little as $700 and $450, respectively. Credit card data is available for purchase as well, with prices starting as low as $7 for US Visa cards.

Card numbers sold with additional identifying information are a bit more expensive: $18 vs $10-$12 at the same vendor. Customers looking to verify the bank information number (BIN) may be charged as much as $15 for the operation, Armor has discovered. American Express and Discover card numbers were available at $12 to $17 with BIN verification.

The cost of credit card information was also influenced by the credit limit on the card: one with a $10,000 limit was available at $800, while another with a $15,000 limit was $1,000. Access to bank accounts too is priced in line with the available balance, ranging from $200 to $1,000 for accounts at Wells Fargo, JPMorgan Chase and Bank of America with balances between $3,000 and $15,000.

PayPal accounts were also available for sale: $200 for a verified PayPal account with a balance of $3,000. Furthermore, the researchers found U.K. bank accounts up for sale, priced at 300 and 400 GBP, for accounts at Lloyds Bank with balances of 3,000 GBP and 5,000 GBP, respectively.

“Buying access to an account, however, is only part of a successful heist. From there, the buyer needs to be able to get their hands on the money. To accomplish this, cybercriminals traditionally have turned to money mules. Their role is to receive the funds from the compromised account, after which, they will be often tasked with transferring that money to another account overseas in exchange for a commission,” Armor notes.

The security researchers discovered that one can buy all kinds of compromised accounts on the dark web, not only finance-related accounts. One vendor offered 1,000 Instagram accounts for a price of $15, 2,500 for $25, 5,000 for $40 and 10,000 for $60. Another said they would hack into accounts for Facebook, Netflix, Twitter and other services for as low as $12.99.

Personally identifiable information (PII) and counterfeit documents are also available on underground markets and forums. The price for U.S. PII (name, address, phone number, SSN, DOB, bank account data, employment history, credit history, criminal history) was of $40 - $200, while U.S. green cards, driver’s license, Insurance, and Passport Visas (bundled) would cost $2,000.

Other data being sold on the dark web that attackers can turn into profit includes airline and hotel rewards points. A Southwest Airlines rewards account with at least 50,000 miles was being sold for $98.88, while a large international hotel chain rewards points account with at least 50,000 points was available at $74.99.

“Whether you are a small business owner, an enterprise executive or a private individual using a computer from the comfort of your home, there are attackers who are interested in your data. As long as these markets continue to thrive, cyberattacks will remain a constant threat, making it vital business leaders arm their security teams with the resources they need to keep information secure,” Armor concludes.

"A great wealth of Cybercrime-as-a-Service offerings have existed for a while already, let alone exploit, malware and stolen data markets that are more than fifteen years old," Ilia Kolochenko, CEO of web security company, High-Tech Bridg, adding that most of these publicly-traded goods and services are low quality. "Backdoors and trojans are usually based on the same engine, slightly modified or improved. Stolen data is a mix of several dumps from different data breaches or leaks," Kolochenko said. "Many fraudsters sell overt fakes or garbage. While professional cybercriminals usually deal via private channels, established for many years and very well camouflaged on legitimate systems, beyond cybersecurity companies and law enforcement's field of vision. With cryptocurrencies, money laundering problems virtually disappeared and cybercriminals may enjoy their growing wealth without fear."

Join SecurityWeek and Armor for a Webinar on March 28th at 2PM ET - Inside The Cyber Uderworld: Armor's Black Market Report

Black Market Report Webinar

Related: Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands

view counter