The Deep & Dark Web is the source of many of the cyber and physical risks that organisations face today. The forums and marketplaces where illicit goods and services are exchanged have come to play an influential role in today’s cyber and physical threat landscape by providing access to the means to carry out various attacks and schemes. What stands out to me the most is how the small cost of these illicit materials pales in comparison to the damage they can inflict.
To enhance the context within which these illicit goods and services are obtained, abused, and ultimately contribute to such risks, other Flashpoint analysts and I have conducted a survey of the prices for various offerings listed for sale across the Deep & Dark Web. The resulting report, entitled “Analysis: Pricing of Goods and Services on the Deep & Dark Web,” examines the expansive and dynamic underground economy of the Deep & Dark Web, which is facilitated and shaped by the diverse skills and motivations of a wide range of adversaries.
Shaped by the varying skillsets and motivations of a wide range of adversaries, this economy has become a driving force behind a broad spectrum of cyber and physical threats. Indeed, these illicit forums and marketplaces are where the by-products of past breaches, insider threats, unpatched vulnerabilities, fraudulent schemes, and other security incidents change hands and, in many cases, become integral to the existence of current and future security incidents.
The availability of illicit goods and services on the Deep & Dark Web enables a more efficient and democratised cybercriminal underground where adversaries can pay other actors to fill gaps in their own capabilities.
I have found relatively low selling prices for goods and services on the Deep & Dark Web. This can be attributed to the sheer magnitude of recent high-profile breaches—many of which occurred due to lax user-access controls, poor password hygiene, unpatched vulnerabilities, and/or insufficient security awareness. The low price of stolen card data and bank logs pales in comparison to the financial damage they have been known to inflict. Fraudulent passports are also sold for an affordable price. These fraudulent documents can be used to conceal one’s identity, commit financial crimes such as bank fraud, gain access to social welfare services, and facilitate international border crossings.
While frequently updating security patches can go a long way to protecting networks and systems, it is important for organisations to recognise that certain adversaries will likely always be actively seeking to identify zero-day vulnerabilities, create new exploit kits, and further develop and enhance existing ones. As such, maintaining stringent security awareness, requiring employees to partake in comprehensive OPSEC training programs, and proactively seeking visibility into emerging social engineering tactics and malware campaigns can help organisations across all sectors reduce their risk of a compromise.
To provide defenders with enhanced context surrounding the current state of the underground economy, I have gathered observational research to provide pricing examples for the following goods and services:
"Fullz" refers to complete sets of personally identifiable information (PII)—such as an individual’s social security number, date of birth, and full name. PII is typically used to support a wide variety of fraudulent schemes, and is abundant and inexpensive for purchase on the Deep & Dark Web. The low prices do not reflect the damage compromised fullz can inflict on victims if leveraged effectively to commit identity theft or other forms of fraud.
Once the criminal is in possession of fullz, they can access the individual’s credit score and gauge their financial status via one of the numerous free online credit monitoring services. On English-language Dark Web marketplaces, the price range for fullz of U.S. citizens is typically $1 to $8, but I have observed instances where bulk discounts have been offered.
Often used to deliver payloads containing ransomware, banking Trojans, and other types of malware, exploit kits have become increasingly popular among less-skilled adversaries seeking to infect multiple users with relative ease.
The automated, user-friendly nature of exploit kits lowers the barriers to entry for fledgling threat actors by making it possible to wage an impactful attack without advanced expertise. I assess with a moderate degree of confidence that exploit kit rental fees typically range from $80 to $100 per day, $500 to $700 per week, and $1,400 to $2,000 per month.
Like exploit kits, the introduction of DDoS-for-hire services to Deep & Dark Web forums has significantly reduced barriers to entry for amateur adversaries keen on waging an attack. These services are inexpensive and tend to reflect the size and potential damage caused by the resulting DDoS attack.
Botnets—the networks of infected machines used to execute DDoS attacks—can be rented at a typical price range of $1 to $27. Booter services, which carry out a DDoS attack on the customer’s behalf, are priced based on size. Booters tend to range from $5 to $30. The most expensive DDoS-for-hire services are for attacks geared towards government, military, or bank websites, ranging from $100 to $150 per hour.
Remote desktop protocol (RDP) servers
Over the past several years, compromised RDPs have become increasingly popular commodities on the Deep & Dark Web because they can serve as a vector for initial penetration of a targeted network.
In addition to being able to launch external attacks and move laterally within networks, adversaries can leverage compromised RDPs to plant malicious software, exfiltrate data, and manipulate network settings. As such, the potential damages can be extensive. RDPs sold on one marketplace are priced around $10, regardless of country of origin, operating system, or other factors.
Many Deep & Dark Web card shops offer both “cards” and “dumps,” often sourced directly from malware-infected or skimmed point-of-sale (POS) terminals. Cards are usually sourced from online transactions and include information such as card number, expiration date, and cardholder name.
I assess that card prices range between $2 and $20 with a moderate degree of confidence, and dump prices range between $5 and $100, with a low degree of confidence.
Access to online bank accounts is typically sold at a price that reflects the bank account’s available balance. Access to online bank accounts, known as “bank logs,” is also made available for sale on cybercriminal marketplaces and forums.
Price typically depends on the bank account’s available balance, with higher balances selling at higher prices. For example, one bank log offered for sale by a well-known threat actor allegedly contained $1,000 and was offered for $90. Another bank log for an account allegedly containing $25,000 was being offered for $390.
Illicit U.S. passports are sold in three formats on Dark Web marketplaces: digital scans, templates, and physical travel documents. Driver’s licenses, social security cards, and/or birth certificates are sometimes included within the price of passports at the higher end of the cost spectrum.
It is unclear whether any of the actors advertising these physical documents on the Deep & Dark Web are malicious insiders with the capacity to issue genuine U.S. passports, or if the passports being sold are simply counterfeit or altered documents.
Created with the information provided by the buyer, digital scans typically range in price from $5 to $65. Passport templates, which allow the buyer to create their own digital passports, typically sell between $29 and $89. Physical passports are far more expensive, typically ranging in price from $2,980 to $5,000.
The inner workings of this underground economy continue to shape many of the risks facing organisations today. While the prices of the goods and services exchanged within these forums and marketplaces can be complex, unstable, and laden with unexplained discrepancies, gaining insight into the context surrounding such pricing can and should inform the security and risk strategies of organisations across all sectors.
Although it is impossible to prevent each and every data breach, malware infection, instance of fraud, or case of identity theft, taking basic measures to practice proper OPSEC, maintain stringent password hygiene, update software and systems regularly, and ensure all peers and employees do the same can be extremely beneficial for everyone.
For a more in-depth look at how these illicit goods and services are priced on the Deep & Dark Web you can download our latest research paper “Analysis: Pricing of Goods and Services on the Deep & Dark Web.”
Olivia Rowley, Intelligence Analyst, Flashpoint