Report on commodities value in the cyber criminal underground market

Pierluigi Paganini November 25, 2013

Security experts Stewart from Dell SecureWorks and independent researcher David Shearhave explored online underground marketplace for stolen data.

Digital identity is one of the most attractive goods sold in the underground, to a growing demand coincided with a more structured supply that will satisfy even the most complex requirements. Cybercrime pays and in the majority of cases goes unpunished, that’s why we are observing the reconversion of many criminal gangs to the cyber business.

I’ve found an  interesting post that evaluates the economic value assigned by cybercriminals to digital identity in the underground market.

When we speak on identity theft and underground we refer a huge quantity of data and services provided by “black sellers”, stolen data and hacking services are obviously the most requested.

Researcher Joe Stewart of Dell SecureWorks and independent researcher David Shear provided an interesting overview of hacking services and stolen data cost in the black market specifically in this period. The two cyber experts infiltrated 15 different underground forums to collect the pricing information, four of which were Russian forums.

The experts have written the report titled, “The Underground Hacking Economy is Alive and Well” , published by Dell, that is the result of the investigation on the online marketplace for stolen data, specific to the economic value of products proposed.

Security experts have revealed that the price of a stolen identity has been reduced by 37 percent on the black market, passing reaching $25 for a U.S. identity and $40 for an overseas identity.

cybercrime underground

Doxing services, where a cybercriminals steals as much information as they can about a victim or target via malware based attacks, social media, social engineering ranges from $25 to $100.

A cyber criminal for nearly $300 can acquire stolen credentials for a bank account with a balance of $70,000 to $150,000, yes my friend the amount of balance is one the main factor that influence its price.

The increased number of data breaches (e.g. MacRumors, LexisNexis, Dun & Bradstreet and Kroll Background America, vBulletin) are flooding the underground market with huge quantity of data stolen during the cyber attacks, including bank account credentials, Social Security Number and many other personal information. The availability of so much information is leading to a leveling down of its prices.

“I expected to see the drop,” “The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased.” said Stewart, who is director of malware research for Dell SecureWorks.

Stolen personal identities were quoted for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011, today the quotation are 33 to 37 percent cheaper.

The experts found more cybercriminals selling a cardholder victim’s birth date and Social Security Number as well as the card data itself to ensure the stolen card data can be used.

“The hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers,” “Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card.” SecureWorks said in its report.

Stolen credit cards for U.S. accounts (including CVV numbers) is not changed respect previous study conducted in 2011, they ranged from $4 to $8 per account, while European accounts dropped from $21 to $18 today.

Cheaper is also the cost of a cyber attack on demand, for example a distributed denial-of-service (DDoS)-for-hire attack that is quoted around $400. In June McAfee study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, Dell SecureWorks report found DDoS services anywhere from $3- to $5 per hour, $90- to $100 per day, and $400 to $600 a month.

We can support in the absolute certainty that the model known as cybercrime-as-a-service has been spreading because “It doesn’t require any technical knowledge, and you don’t even have to own a computer,””You just need to pay” and you can outsource anything”.

“This report shows that cybercrime is becoming more and more commoditized, turnkey, and the bar to entry had become lower and lower as more people develop kits” “It’s created a situation where it’s getting very easy for anyone to get into that business. I think these numbers confirm it,” Stewart says.

It is also quite easy to pay to get a website hacked, the cost runs from $100 to $300, curious the fact that attackers don’t hack government or military websites.

Botnets are very cheap, consider that an architecture composed of 1,000 bots go for $20, and 15,000, for $250 enough to arrange an illegal activity. Following the detailed price list.

There are thousands of compromised computers (bots) for sell by bot salesmen. The price per computer typically decreases when they are bought in bulk. The costs for infected computers (bots):

  • 1,000 bots = $20
  • 5,000 bots= $90
  • 10,000 bots = $160
  • 15,000 bots = $250

In the below table the detailed price list:

Hacker Credentials and Services Details Price
*Visa and Master Card (US) $4
American Express (US) $7
Discover Card with (US) $8
Visa and Master Card (UK, Australia and Canada) $7 -$8
American Express (UK, Australia and Canada) $12- $13
Discover Card (Australia and Canada) $12
Visa and Master Card (EU and Asia) $15
Discover and American Express Card (EU and Asia) $18
Credit Card with Track 1 and 2 Data (US) Track 1 and 2 Data is information which is contained in digital format on the magnetic stripe embedded in the backside of the credit card. Some payment cards store data in chips embedded on the front side. The magnetic stripe or chip holds information such as the Primary Account Number, Expiration Date, Card holder name, plus other sensitive data for authentication and authorization. $12
Credit Card with Track 1 and 2 Data (UK, Australia and Canada) $19-$20
Credit Card with Track 1 and 2 Data (EU, Asia) $28
US Fullz Fullz is a dossier of credentials for an individual, which also include Personal Identifiable Information (PII), which can be used to commit identity theft and fraud. Fullz usually include: Full name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employee ID Number (EIN), one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs). $25
Fullz (UK, Australia, Canada, EU, Asia) $30-$40
VBV(US) Verified by Visa works to confirm an online shopper’s identity in real time by requiring an additional password or other data to help ensure that no one but the cardholder can use their Visa card online. $10
VBV (UK, Australia, Canada, EU, Asia) $17-$25
DOB (US) Date of Birth $11
DOB(UK, Australia, Canada, EU, Asia) $15-$25
Bank Acct. with $70,000-$150,000 Bank account number and online credentials (username/password). Price depends on banking institution. $300 and less
Infected Computers 1,000 $20
Infected Computers 5,000 $90
Infected Computers 10,000 $160
Infected Computers 15,000 $250
Remote Access Trojan(RAT) $50-$250
Add-On Services to RATs Includes set up of C2 Server, adding FUD to RAT, infecting victim $20-$50
Sweet Orange Exploit Kit Leasing Fees $450 a week/$1800 a month
Hacking Website; stealing data Price depends on reputation of hacker $100-$300
DDoS Attacks Distributed Denial of Service (DDoS) Attacks– throwing so much traffic at a website, it takes it offline Per hour-$3-$5Per Day-$90-$100Per Week-$400-$600
Doxing When a hacker is hired to get all the information they can about a target victim, via social engineering and/or infecting them with an information-stealing trojan. $25-$100


Let me suggest the reading of this interesting report for more information on the topic.


Pierluigi Paganini

(Security Affairs –  Cybercrime, underground)

you might also like

leave a comment