Hacker Underground: How Markets for Cyber-Tools, Stolen Data Work

by Chris Preimesberger

Like other forms of e-commerce, many data records, exploit kits and goods are bought and sold from storefronts—which can encompass everything from instant-messaging chat channels and forums to sophisticated stores. RAND found that some organizations can reach 70,000 to 80,000 people, with a global footprint that brings in hundreds of millions of dollars.

Not only goods, but criminal services are available for purchase, RAND found. These tools, sold on the black market as traditional software or leased like any other managed service, can help enable the most unskilled hackers to launch fairly elaborate and advanced attacks. For example, RAND found botnets, which can be used to launch a distributed denial-of-service (DDoS) attack, are sold for as low as $50 for a 24-hour attack.

There is indeed honor among thieves. Many parts of the cyber black market are well-structured, policed and have rules like a constitution, according to RAND. In addition, those who scam others are regularly banned or otherwise pushed off the market.

RAND identified widely available tools and resources on the black market that teach criminals how to hack, including instructions for exploit kits and where to buy credit cards. This access to training has accelerated sophistication and a broader set of roles and has helped facilitate entry into the hacker economy.

Transactions in the cyber black markets are often conducted by means of digital currencies. Bitcoin, Pecunix, AlertPay, PPcoin, Litecoin, Feathercoin and Bitcoin extensions such as Zerocoin are a few of the currencies used. RAND found many criminal sites are starting to accept only cryptocurrencies due to their anonymity and security characteristics.

Cyber-criminals from China, Latin America and Eastern Europe, according to RAND, are typically known for quantity in malware attacks, while those from Russia tend to be thought of as the leader in quality. RAND also found areas of expertise and focus among cyber-criminals from different countries. Many Vietnamese cyber-criminals, for example, focus on e-commerce hacks. Cyber-criminals from Russia, Romania, Lithuania and Ukraine focus on financial institutions. Many Chinese cyber-criminals specialize in intellectual property. U.S.-based cyber-criminals primarily target U.S.-based systems and, more specifically, financial systems.

Much like a legitimate business, it takes connections and relationships to move up the (cyber) food chain, the study found. Getting to the top requires personal connections, but those at the top are making the lion’s share of the money.

Even the criminal cyber black market has criminals. Known as “rippers,” these bad guys do not provide the goods or services they claim they will provide.

Twitter accounts are generally worth more on the black market when compared with the average cost of a credit card record. This is potentially due to the oversaturation of cards following the recent mega data breaches and the ability to use social media accounts for follow-on attacks.

There are currently gray markets where zero-day vulnerabilities are bought and sold for sky-high prices to governments and other private actors. RAND found that zero-day prices range from a few thousand dollars to $300,000, depending on the severity of the vulnerability, the complexity of the exploit and how long the vulnerability remains undisclosed.