What Is That Stolen Data Worth? 11 Most Lucrative Hacking Targets, Services

Financially Motivated Hackers Making Gains, Profits Dipping

Financially motivated cybercriminals are making substantial gains sorting, bundling and getting stolen goods to market in record time, according to new data recently released in separate reports from Symantec and Dell SecureWorks. The prices have dipped over the past year, due to an abundance of stolen bank credentials for sale and an overabundance of cybercriminal hackers willing to carry out hacking services and flood the market with more stolen data, according to security researchers from both companies that monitor underground forums where goods and services are bought, sold and bartered.

The underground market is still quite lucrative. In order to make big gains, cybercriminals must establish themselves because the market is based on a hacker's reputation and consistency, the security researchers said. Dell SecureWorks' report noted that attackers are increasingly gaining access to bank accounts with significant balances. Accounts with balances in excess of $100,000 are available. In 2011, those balances were typically less than $10,000, Dell SecureWorks said. CRN pulled together the most profitable data types and hacking services.

11. Spam-As-A-Service

Symantec said it found a service that will send spam to 1 million verified email addresses for between $70 and $150. Meanwhile, Dell SecureWorks uncovered a service connected to the Cutwail botnet capable of sending out 100 million emails per day for $10,000 a month. Dell SecureWorks said it estimates the cybercriminals behind Cutwail spent between $1,500 and $15,000 on a recurring basis to grow and maintain their botnet. Their estimated profit: between $1.7 million and $4.2 million since June 2009.

10. Infected Computers

Hordes of infected systems are rented out to spammers and malware pushers. For $20 a cybercriminal will get temporary access to 1,000 infected bots. Renting 15,000 bots costs $250. A list of compromised SMTP credentials can be distributed to bots for ’high-quality’ spam campaigns, according to the Dell SecurewWorks researchers.

9. Denial-Of-Service Attacks

Distributed denial-of-service (DDoS) attacks can be ordered for $10 to $1,000 per day, according to Symantec. The Dell SecureWorks researchers said rental services have a payment model that can be subscribed on a per-hour, per-day or per-week basis. Denial-of-service attacks can cost up to $5 an hour, $100 a day or $600 a week, Dell SecureWorks said. Most services will offer a guarantee that the target will be knocked offline. DDoS is a big business. In March, a 21-year-old Australian man was charged with computer hacking for gaining access to the IP addresses of players of the online game League of Legends. Investigators believe the man made $1,000 a day selling the information, which was then used to conduct targeted denial-of-service attacks against the victim players.

8. Hacking Services

Dell SecureWorks said the price for hacking services depends on the reputation of the hacker being sought. Hacking a website can cost between $100 and $300. Hacking government or military websites was not on the menu of services offered, Dell SecureWorks said. Doxing services, the cost of hiring hackers to get as much information as they can on a targeted victim by social engineering them or infecting their system with malware, can range between $25 and $100, Dell SecureWorks said.

7. Remote Access Trojans, Custom Malware

Custom malware can cost between $12 and $3,500 depending on the functionality, Symantec said. The company said it has spotted tools for stealing bitcoins by diverting payments to the attackers instead of the intended recipient. Assistance with remote access Trojans can also be acquired, according to Dell SecureWorks. Services that help criminals set up a command-and-control server, adding persistence to an infected victim's system, can cost between $20 and $30 per user, the Dell SecureWorks researchers said.

6. Drive-By Attack Toolkit

An automated attack toolkit designed to help criminals set up a drive-by attack campaign can be rented for about $100 to $700 per week, according to Symantec. The rental agreement includes updates and 24x7 support. The Symantec researchers said banking malware called SpyEye is sold for $150 to $1,250 for a six-month lease.

Dell SecureWorks said the Sweet Orange Exploit Kit is being leased to criminals for about $400 a week or $1,800 a month. Sweet Orange spreads through malicious website ads and compromised websites. The kit contains various exploits for vulnerabilities in Internet Explorer, Adobe and Java.

5. Valid Bank Accounts

The cost for a bank account and valid online credentials depends on the banking institution, Dell SecureWorks said. Typically accounts holding between $70,000 and $100,000 will sell for $300 or less on underground forums. Earlier this year, attackers behind a botnet that spread the Zeus Trojan were able to gain access to an account of a Pennsylvania-based plastics manufacturer, bilking the company's bank account of hundreds of thousands of dollars in less than 24 hours. The money, transferred to bank accounts in New York and Florida, were then sent out to a global money laundering operation, investigators said in court documents reviewed by CRN.

4. Fullz

For $25, a person can strike a deal to gain a full dossier of credentials for a U.S. citizen. The stolen information would include a valid Social Security number, full name, address, phone numbers, email addresses and a data of birth. The $25 package typically contains online banking credentials and credit card information, Dell SecureWorks said. A Fullz package for citizens of countries in the EU, Asia Australia, the UK and Canada typically sell between $30 and $40 each.

3. Credit Card Information

The high-profile retail data breaches flooded the underground forums with bundles of stolen credit cards that range from between 50 cents and $20,depending on the credit card type, location and credit line. Symantec noted that prices have fallen slightly over the last few years as the number of cards being sold in bulk increased significantly. Dell SecureWorks' analysis found American Express cards selling at about $7 a piece. An American Express held by UK, Australia and Canada residents sell for between $12 and $13 each. Standard Visa and MasterCards in the U.S. sell for about $4 each, Dell said.

2. Social Networks, Gaming Accounts

A Symantec analysis of the underground market for stolen data found gaming accounts selling for $10 to $15 each and stolen cloud accounts selling for $7 to $8 each. Access to valid cloud hosting accounts can give criminals a place to host a command-and-control server or a drop site for stolen files. Gaming accounts can yield Bitcoin or game credits that can be bartered or sold to the highest bidder at a discount. In addition, a criminal gang seeking to establish an attack campaign that spreads over social networks may seek the assistance of a social network follower service, which sells 1,000 followers from $2 to $12 depending on the perceived value of the network. An account with a high number of followers can evade detection from social network monitoring and analytics that work to spot and block suspicious activity as quickly as possible.

1. Stolen Email Accounts

A bundle of 1,000 stolen email accounts sells for between 50 cents and $10, according to Symantec. The accounts are used to spread spam and phishing attacks. The value is based on how quickly the email service can detect and block suspicious activity. For example, cybercriminals were seizing Yahoo accounts for months this year before the service was forced to ramp up its efforts to thwart account hijacking. Google takes a proactive approach with Gmail users, monitoring account activity for anything that may be out of the ordinary in order to block the activity before criminals get a chance to spread the campaign to tens of thousands of accounts.