Diving in the Illegal Underground Hacking Markets

Experts at the Dell SecureWorks Counter Threat Unit (CTU) published a new report on the evolution of the underground hacking marketplaces.

Monitoring black hat markets is one of the principal activities of security experts and intelligence agencies; it allows them to gather information on the evolution of cyber threats and on emerging trends in the criminal ecosystem.

In 2013, experts at the Dell SecureWorks Counter Threat Unit (CTU) published a very interesting report titled “The Underground Hacking Economy is Alive and Well”, which investigated the online marketplace for stolen data and hacking services. The report detailed the goods sold in the black markets and their cost, giving readers an interesting picture of the criminal underground.

The criminal underground changes rapidly, and careful analysis can help law enforcement and security agencies understand the evolution of cyber threats and the TTPs of the principal operators. One year later, the same team of experts at Dell SecureWorks released an update to the study of black hat markets, titled “Underground Hacker Markets”, which reports a number of noteworthy trends.

The researchers noticed a growing interest in personal data, in particular in any kind of documentation that could be used as a second form of authentication, including passports, driver’s licenses, Social Security numbers and even utility bills.

“The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver’s licenses.” states the report.

Another distinguishing element of the evolution of the underground marketplaces over the last year is the offering of hacker tutorials.

Training tutorials instruct criminals who want to sell stolen credit cards to other crews, and provide detailed information on running exploit kits, arranging spam and phishing campaigns, or running DDoS attacks.

“These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit kit is but also how they are used, which are the most popular, and what hackers should pay for these hacker tools,” the report said.

Other tutorials include instructions for ATM hacking, making bank transfers without being detected, and cashing out stolen credit card data.

The data provided by Dell confirms the findings of another report, issued by Trend Micro, which noted a significant availability of similar products and services in the Brazilian underground.

Criminal crews have specialized in selling premium credit cards, a direct consequence of the large number of data breaches that occurred this year and flooded the underground hacking markets with stolen data from millions of credit and debit cards.

The researchers explained that black marketplaces, exactly like any other market, reward the reliability and reputation of the leading vendors, who devote considerable attention to customer care.

In particular, cyber criminals are differentiating their offerings based on the service levels provided to buyers and the guarantees on stolen data.

“It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” the report states.

For criminals who want to acquire a new identity for illegal activities, the underground market offers identity packages that include passports, driver’s licenses and social security cards: practically anything necessary to commit identity theft.

In the underground marketplace, it is possible to acquire a working social security card, name, and address for $250; for another $100, a scammer can buy a utility bill to use in identity verification processes. Counterfeit non-US passports are available for between $200 and $500. The experts explained that US passports are very hard to find because US law enforcement is believed to infiltrate the hacking community, making their sale risky. Fake US driver’s licenses run for $100-$150, while counterfeit Social Security cards run between $250 and $400 on average; in both cases, these documents could be used to improve the efficiency of fraud schemes.

Premium cards continue to be precious commodities in the criminal underground. A full collection of stolen credentials, referred to in hacker slang as “fullz”, runs for $30 in the US, while in 2013 it was offered for $5. The fullz also includes information related to the card holder, such as name, address, phone number, email addresses, dates of birth, Social Security numbers, bank account numbers, credit card numbers and banking credentials.

The researchers noticed that the price of individual credit card numbers remains unchanged from last year: Premium MasterCard and Visa cards including both Track 1 and Track 2 data are selling for $35 and $23 respectively.

Another precious commodity in the hacking underground is malware. The cost of Remote Access Trojans (RATs) has decreased compared with the previous year, and notorious RATs such as DarkComet are now sold for $20 to $50. Several RATs are also offered for free, deflating prices. The underground community also offers popular exploit kits like Nuclear and Sweet Orange for the best prices, with Sweet Orange at $450 for a weekly lease up to $1,800 for an entire month.

“Hackers are looking for a RAT that is easily available for purchase or to use for free and which they can run through a Crypter (a program which encrypts malware, making it FUD or fully undetectable to Anti-Virus and Anti-Malware programs),” the report said.

The report includes a lot of interesting data on products and services offered in the hacking underground, including botnets available for rent and DDoS attacks on demand.

The price of bots located in specific countries has increased compared with the previous year, and it depends on the location of the infected computers.

“These random bots were considerably cheaper, for example, 1,000 bots ran $20; 5,000 bots ran $90; 10,000 ran $160; etc. However, this year they found pricing for bots located in specific countries, and these bots are considerably more expensive. The price for buying access to compromised computers does vary from country to country. The price for 5,000 individual bots located in the US runs from $600 to $1,000, while the same number of UK-based bots runs $400 to $500, a 50 to 100 percent decrease in price from the US bots.”

Don’t waste time … take a look at the report!

Pierluigi Paganini

(Security Affairs –  Hacking underground, cybercrime)
