Glut In Stolen Identities Forces Price Cut In Cyberunderground

  /     /     /  
Publicated : 22/11/2024   Category : security


Glut In Stolen Identities Forces Price Cut In Cyberunderground


New report unearths what cybercriminals are charging for stolen identities and hacking services, such as DDoS and doxing



Just in time for the holidays, the price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity.
Researcher Joe Stewart of Dell SecureWorks teamed with independent researcher David Shear to get an insiders look at what a plethora of hacking services and stolen data cost these days in the underground. Among their findings: For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there.
Fullz, or personal identities, went for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011 when Dell SecureWorks last studied pricing in the underground marketplace. Now those IDs are 33 to 37 percent cheaper.
With the high volume of data breaches and leaks over the past couple of years, its no surprise the price of a stolen identity would have declined, says Stewart, who is director of malware research for Dell SecureWorks. I expected to see the drop, he says. The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased.
Its also getting easier to cash in on cybercrime. This report shows that cybercrime is becoming more and more commoditized, turnkey, and the bar to entry had become lower and lower as more people develop kits that simplify data theft, he says. Competition among the cybergangs also has intensified as more people join in the scams, he says. Its created a situation where its getting very easy for anyone to get into that business. I think these numbers confirm it, Stewart says.
Pricing trends are interesting, says Raj Samani, CTO of McAfee. But they also can be misleading, he says, because prices are all over the map. You can have varying prices depending on the sources you go to.
McAfee in its June cybercrime study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, for instance, he says.
Dell SecureWorks found DDoS services anywhere from $3- to $5 per hour, $90- to $100 per day, and $400 to $600 a month.
The big takeaway for all of this, Samani says, is that cybercrime-as-a-service has arrived. It doesnt require any technical knowledge, and you dont even have to own a computer, Samani says. You just need to pay and you can outsource anything, he says.
[Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible. See
Dark-Side Services Continue To Grow And Prosper
.]
To gather pricing information, researcher Shear infiltrated 15 different underground forums to gather the pricing information, four of which were Russian forums. Shear concentrated his efforts mainly on well-organized forums, according to SecureWorks.
Stewart and Shear found more cybercriminals selling a cardholder victims birth date and Social Security Number as well as the card data itself to ensure the stolen card data can be used and the buyer wont get tripped up by any security questions or controls. The hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value--the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers, SecureWorks said in its report. Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card.
The cost of getting a website hacked runs from $100 to $300, with more experienced black hat hackers charging more for their services. In an interesting twist, the researchers found that these attackers stipulated that they dont hack government or military websites.
Doxing services—where a hacker steals as much information as they can about a victim or target via social media, social engineering, or Trojan infection—ranges from $25 to $100.
Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250.
Meanwhile, stolen credit cards for U.S. accounts (with CVV numbers) remained about the same since SecureWorks last studied pricing on them in 2011. The ranged from $4 to $8 per account, while European accounts dropped from $21 to $18 today. Its all about inventory of such a commodity item, according to the researchers.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Glut In Stolen Identities Forces Price Cut In Cyberunderground