There are more attacks than ever, but prices on underground sites for stolen financial data and some attack tools have been stagnant. This suggests that attackers are finding what they need from other sources.
In its survey of prices for attack tools and stolen data on the Dark Web, analysts from risk management firm Flashpoint found that the selection and prices of attack tools available in these marketplaces are mostly unchanged since 2017. Public Dark Web forums aren’t generally where the sophisticated criminal gangs loiter, but looking at what is available in those forums is an “important barometer” for how the cybercrime landscape is evolving, said Ian Gray, Flashpoint’s director of analysis and research.
“Unlike the hardly static pace of activity, pricing for products and services for sale on underground sites has remained relatively constant,” Gray said.
Flashpoint analysts focused on deep and dark web marketplaces—those areas of the web that aren't easily accessible. Dark web forums typically require special tools, such as Tor proxies and anonymizers, while deep web marketplaces don't require any special tools to access, but still are hard to reach. Many dark web forums tend to specialize in buying and selling narcotics, although there are some that focus on attack tools and stolen wares. Flashpoint warned that its analysis presents a representative sample from popular forums, and should not be treated as an “average” of the marketplace. Many of the marketplaces Flashpoint looked at have since been shut down.
The analysts focused on changes in pricing for “fullz” (packages of detailed personally identifiable information), passports, distributed denial-of-service attack tools, exploit kits, remote desktop protocol (RDP) servers, payment card data, and bank logs.
Just a handful of years ago, exploit kits were the primary method for distributing malware and attack tools for web-based breaches. They are not as widespread as they used to be, and the prices reflect that. The cost to rent out these kits varied between $80 and $100 per day, which was more or less the same as 2017 prices, Flashpoint found.
One exception: the tools for launching distributed denial-of-service attacks. In 2017, the most expensive of these DDoS tools was, at most, $27. An attack can cost up to $100 in 2019, Flashpoint found. The change in price likely reflected the fact that many sites now use Content Delivery Networks and have other technologies in place to handle DDoS attacks.
The quality of tools available on these forums has stayed more or less the same, which is an indicator that these are commodity tools. A number of listings were written for entry-level attackers, Gray said. The tools with new techniques capable of getting around the latest defenses and sophisticated features are likely being saved for private sales over encrypted chat channels, or are available only in restricted marketplaces, Flashpoint said.
“There’s a lack of innovation we’re seeing in the kinds of goods and on the marketplaces,” Gray said. “It might be an indication they’re looking at more trusted cybercrime marketplaces.”
That can mean Dark Web marketplaces with even more restrictive membership requirements, such as needing to demonstrate that the new user has committed a crime or carried out an attack. Online marketplaces (not on the Dark Web) may also allow new members to join only if they were invited by an existing member. They may also be moving to encrypted chat applications.
The stagnant prices don’t mean criminals have moved on from personal information. The fact that there are so many online attacks and fraud indicates the exact opposite. Spear phishing attacks, business email compromise, and other forms of fraud tend to be more effective when personal information is used. The prices don’t reflect the high demand because the near-constant pace of data breaches has created a massive supply of stolen information. More than 3,800 data breaches have been reported in the first half of 2019, so there are plenty of sources for stolen information. There is less of a reason for criminals to pay top dollar for this kind of data.
Another thing to note from Flashpoint’s analysis: the pricing in these reports doesn’t reflect the “dramatic innovation” in other parts of the criminal ecosystem, such as targeted ransomware and SIM swapping. A lot of the services in Flashpoint’s analysis were “baseline commodity services,” Gray said.
The majority of the listings on these forums were likely from resellers, using a price point established by overall market supply and demand factors, Flashpoint said. Monitoring product and price listings gives enterprise defenders an idea of what the market looks like for an entry-level actor and what kind of defenses are necessary.