CyberWire Daily - Dark Net Pricing with Flashpoint's Liv Rowley. [Research Saturday]
Episode Date: November 18, 2017
Cybercriminals offer all sorts of illicit goods for sale on Deep and Dark Web markets. In this episode, Liv Rowley, cybercrime intelligence analyst at Flashpoint, takes us through her team's research into the pricing of certain illegal goods online, including "Fullz", exploit kits, DDoS for hire, RDP servers, card data, bank logs and passports. Supply meets demand in this shady underground ecosystem.
Transcript
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So the data came from a bunch of different sources. And as noted in the report, it's all
observational and based off a lot of what we've been seeing here at Flashpoint.
That's Liv Rowley, a cybercrime intelligence analyst focusing on the deep and dark web at Flashpoint.
The report she's referring to is called Analysis, Pricing of Goods and Services on the Deep and Dark Web.
Some of the information came from the English language dark web marketplaces, which have been in the news a lot over the past six months or so.
We also looked at some of the card shops.
We looked at some RDP shops and then the forums. So both Russian and English language forums featured heavily in this.
I want to sort of work our way through the report together,
talk about some of the different things that you all took a look at.
And the first one is called Fullz,
which is F-U-L-L-Z. Describe to us what we're talking about here.
So Fullz are, it's kind of
cyber criminal slang for a full set of personally identifiable information. And that normally
includes social security number, date of birth and full name. So as noted in the report, it can
also include all sorts of other information.
And take us through, how does the pricing break down for Fullz?
So we found that in English language dark web marketplaces, which is where we did most of our
Fullz research for this report, your average price per record, per Fullz for social security number,
date of birth was between one and eight US dollars. So for example,
if you wanted to buy somebody's credit card number with their accompanying social security number,
that's going to be more expensive. Um, so there's other data that can be factored into this that
would make it more expensive, but just the, you know, the typical social security number, date of birth, full name,
that was between $1 and $8.
Yeah, I mean, it strikes me that these are pretty cheap,
relatively low prices, even for Fullz that come with a lot more information. It's really,
looking at the data here, it's under $100.
Yes, yeah, it's pretty low.
So let's move on to some
of the exploit kits. Take us through what you found with that.
So exploit kits was, this was quite interesting. We focused mostly on Russian language forums,
which is where a lot of the exploit kits come from and are marketed. And exploit kits,
they're rarely sold. They're often almost entirely rented out on either a daily,
weekly or monthly basis.
And we found that the pricing for those tended to be very similar across exploit kits and across time for the newer ones, that is.
So as an exploit kit comes out when it's first new,
we found that it goes for between $80 to $100 to rent per day,
$500 to $700 per week, and $1,400 to $2,000 per month.
Those ranges depend a little bit on different functionalities that these exploit kits might
be offering. And as noted in the report, if an exploit kit is older, if it's something that
hasn't been updated fairly recently and it doesn't have those new functionalities,
it tends to be priced lower
than those ranges.
And explain to us what would I be purchasing these exploit kits to do?
Exploit kits are used by cyber criminals who either they don't want to invest the time into
compromising systems themselves or they just don't have the skills to. So it's kind of an easy way for
cyber criminals that don't have these capabilities to start infecting and compromising different
systems.
All right, let's move on to DDoS. Certainly lots of news about DDoS over the
past year or so. And you can buy DDoS for hire.
Correct. Yeah, this is a very, you know,
popular and talked about service, especially
in the media.
So what are the prices here?
So the prices for DDoS for hire definitely vary
a lot. And this was one of the ones that we had trouble nailing down, you know, a typical price.
We say that botnets can be rented for a typical price of $1 to $27, which is a little bit of a range right there.
And we weren't really able to determine what was determining these prices.
They were varying.
Some of these, you rent them out by how much traffic you want to be sending towards the victim IP.
Others are rented out on like a daily or weekly basis.
So this was actually an interesting one to look at because there wasn't as consistent a pricing model as we saw with some of the other
products and services that we looked at.
So it seems, judging from the report, that the more
sophisticated the DDoS for hire, the longer the attack, the more bots that they can wrangle to
go at someone, that the price naturally goes up.
Yes, typically that is the case.
All right.
Moving on, you also looked at remote desktop protocols, RDPs.
Take us through what's going on with this one.
Yeah, so these are very interesting.
And we've been seeing these RDP servers being increasingly used by cyber criminals in the past couple of years.
So we actually identified and looked at a couple of RDP shops, which are outside of the English
language marketplaces and off the forums. They're just sites that exist that just specialize in
selling thousands of RDPs. And on these sites, you can filter by all sorts of different things.
You can say what type of country or which country you are interested in buying an RDP from,
if you want an RDP with admin rights and all sorts of other things. So one thing that we noticed is,
again, we looked at two major RDP shops. And on one of the RDP shops, the pricing of these RDPs, pretty much $10 was a
minimum that it would go for. And it would go all the way up to hundreds of dollars for an RDP.
Whereas on the other shop that we looked at, they actually laid out their entire pricing model,
which was quite interesting. And their max pricing possible was only $15. So this one was really
interesting for us to look at because currently that more expensive shop has been more popular
among cyber criminals. There's been more reporting from journalists and researchers on how this shop
is being used by cyber criminals. But we're starting to see within our data set, within Flashpoint's
data set, it looks like cybercriminals are starting to move to using this cheaper RDP shop
more frequently.
All right, well, let's move on to card data and bank logs. What did we learn
from these?
Card data was very interesting to look at. This was another one where we just focused right on these card shops, which are sites
that specialize in the sale of compromised card information.
And the ranges for the pricing of card data were quite tremendous.
And that can be influenced by all sorts of things, depending on what country the card
is coming from.
If your card is a higher level card, like a gold card or a black card.
So the ranges that we saw here were quite big.
We saw that for cards, which in cyber criminal language is your card number,
your cardholder name, the expiration date, and the CDV.
So pretty much if you had physical access to a card,
you would get this information. That tended to $20, whereas card dumps, and dumps are the actual
track data, so what's written on the magnetic stripe, that ranged in price from $5 to up to
$100 at times. So there was definitely a range for the card data.
One of the other things you looked at
was U.S. passports.
So we saw that there were three different formats of U.S. passports that
were available for sale. One of them was just a simple digital scan. That can either be somebody
else's compromised passport. You know, somebody, some hacker got these scans fraudulently,
and that's a possibility for those. We also saw passport templates, which are just,
they're, you know, a template that you can add information to or a picture to, to make it look
like a passport, or especially a passport scan. Or we saw that there
were also physical passports available for sale, and these physical passports were the most expensive
of these three groupings. So while the scans were priced between five to sixty-five dollars and the
templates were priced between 29 and 89, we saw that the physical passports were between $29.80 and $5,000. So significantly
more expensive than those other two.
You know, it's interesting to me, I think,
and probably to a lot of our listeners, how inexpensive all of these records are.
Is this simply a matter of supply and demand?
So some of it definitely is supply and demand, especially
this year and in years past, we've been experiencing these massive data breaches.
And for a cyber criminal, let's say you've obtained social security numbers on, even if it's
just a hundred people, right? That takes a lot of effort to monetize all 100 of those social security numbers.
So in many cases, it's just easier to sell it off.
Also, oftentimes these cyber criminals, they only know how to do one thing.
So they might know how to compromise systems and steal this information, but they don't necessarily know how to file a fraudulent tax return or how to open a bank account in somebody
else's name or after the fact, how to launder that money. So sometimes it's just easier for
them to sell it all off. And that ends up being quite cheap a lot of the times.
Yeah. And it's always been something that's puzzled me is particularly when you have some
of these people offering things as a service, your DDoS as a service and things like that is to, you know, what's the motivation for
them to offer it as a service versus actually doing the crime themselves, which would be more
profitable. So that's an interesting case you make for that.
Yes, it is very interesting. And
I think that's one of the things that this report kind of highlights is that the deep and dark web and the cyber criminal element is it's absolutely an ecosystem.
And that's why these areas exist is so that cyber criminals can come together and collaborate and make these purchases for information that they might not be able to obtain on their own or for services that they might not know how to carry out themselves.
What is your sense for how difficult it is to be a buyer of these sorts of services?
Is there some sort of initiation that you have to go through or demonstrate that you're, you know,
prove that you're not law enforcement, things like that?
So that depends a lot on the place where you're buying this information from, how difficult that is.
So on places like the card shops or the RDP shops, it appears to be rather easy to create an account on one of these shops and then make some purchases and get that information.
And it's also very, because there are entire websites that are set up to sell this, it's very impersonal. There's not a lot of sensitive exchanges between the buyer and
seller. Whereas sometimes in the Russian cyber criminal space, especially, trust is very, very,
very important in those spaces. And that's probably partially because the Russian speakers
don't often use marketplaces. They function primarily just on forums.
So there's a tremendous amount of trust that has to go between these two, a buyer and a seller, in order for them to start sending money between each other and letting each other use each other's services or see the data that they've stolen.
It also strikes me that there's a sort of lack of proportionality where if I can buy even, you know, pay for a high quality credit card for
$80 and potentially have access to thousands of dollars of available credit, the effect on that
that that may have on the person whose credit I'm stealing or bank account I'm draining
is pretty significant for that $80 investment.
Yes. Yeah, absolutely. I think that point that
you're making is especially highlighted in our section about bank logs or compromised bank
accounts, where we talk about one particular vendor who had an account for a compromised
bank account for sale
with over $1,000 in it and was selling it for $90. And then they also had another account for sale
that had $25,000 in it that they were selling for $390. So for $390, if you're a skilled
cyber criminal, you have access to a bank account with $25,000 in it that you can drain and move into accounts that you control.
And how does the actual moving of money take place? Are we talking about most of these
transactions happening with Bitcoin? What's going on with that?
Yes, most of the transactions happen with Bitcoin, though now we're starting to see
these other cryptocurrencies gain a lot of popularity, especially right now at Monero, because it's such a privacy-minded cryptocurrency.
A lot of cybercriminals are starting to push for that to become kind of the standard.
What is your sense in terms of the presence of law enforcement?
Are any of these people getting tracked down, or is this a case where crime really does pay?
This is something I can't fully comment on just because I'm not involved in law enforcement.
I'm on the vendor side.
We're just looking at this cyber criminal chatter in these marketplaces, though we definitely have seen in the past several months the arrest of some pretty high profile cybercriminals. One of the admins of the Dream Marketplace, which is
currently the biggest darknet marketplace, was arrested when he came to the U.S. several months
ago. There is some law enforcement effort, but in terms of the scale of it, that's something I'm not
super sure about.
So looking at the results of this, I mean, what is your advice? It seems to
me like with some of these big breaches, your chances are at least some of your information is out there.
Does the information you've gathered inform the ways that people should take efforts to protect themselves?
Yes.
So especially when looking at the Social Security numbers and that personally identifiable information that's often sold in the form of Fullz, there are some things that one can do to at least try to be aware of if they've been compromised.
The advice tends to be just to pull your credit report occasionally and take a look at it and see,
are there any credit cards on there that you don't know about?
Or, you know, is there any loan that somebody is taking out in your name? And just be aware of what financial information is attached to you and your social security number and make sure that's correct. Another thing that's been suggested, especially
after some of the more major breaches, is to put a freeze on your credit report so that nobody can
pull it. You've frozen it. And that's because oftentimes cybercriminals
will use these free credit report services to get a credit report on one of their victims and
understand how to target them better. We've seen this being used by cybercriminals in the past to
target people with HSA accounts, health savings accounts, where they could identify that that
person had a health savings account and then go in and drain
the money. So being able to protect that information can be something that can be done here.
Occasionally, you'll find cybercriminals selling these Fullz organized by credit scores. So
somebody with a higher credit score, their information would be sold for a steeper price
than somebody with a lower credit score. And that's because
if you have a higher credit score, it's easier for you to get approved for new credit cards or
whatever. So I just thought that was very interesting that cyber criminals were actually
taking the effort to, and this goes back to what I was saying about freezing your credit report,
taking the time to find out what all their victims' credit scores
were and organize them and then commodify that information in different ways.
They're putting the effort in to, I guess, get maximum return on their investments.
Absolutely. And yeah, if you're a buyer of this information,
being able to know someone's credit score could be of great interest to you.
Our thanks to Liv Rowley for joining us. You can find the complete report,
Pricing of Goods and Services on the Deep and Dark Web on the Flashpoint website in their blog section.
The CyberWire Research Saturday is proudly produced in Maryland
out of the startup studios of Data Tribe,
where they're co-building the next generation
of cybersecurity teams and technologies.
Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell,
Thanks for listening.