Oh cool, tech service prices are plummeting. And by tech services, we mean botnet rentals and stolen credit cards

Supply and demand in action

Crime has never been cheaper to pull off, so long as you're not particular about quality.

At least that's according [PDF] to a Trend Micro whitepaper on the cost of criminal services, which says over the past five years the prices for botnet rentals and credit card numbers have taken a nosedive.

"In 2015, generic botnets started selling at around $200 in Russian underground forums. Generic botnet prices today cost around $5 a day, and prices for builders start at $100," Trend said.

"United States credit cards were sold at $20 in 2015, but prices start at $1 in 2020. High-balance credit cards are selling for over $500 in 2020. Meanwhile, monthly crypting services dropped to around $20." A crypting service is one that encrypts and obfuscates malware and other malicious code to evade detection.

Essentially, criminal services that once commanded fairly high prices are now commonplace, and as a result asking prices have plummeted. Having said that, prices for specialized services have stayed rather steady. Ransomware, for example, fetches the same price it did five years ago.

"Ransomware-as-service prices still start at $5. Crypterlocker, which has been around since 2013, continues to demand a high price (around $100)," Trend noted. "Scanned document services, such as copies of driver's licenses, passports, and bill statements, still start at $5 – similar to the prices in 2015."

There is still a premium market to be had for boutique malware. The Trend team observed that particularly nasty strains of ransomware, such as Jigsaw, are able to command prices of up to $3,000, while the Ranion ransomware charges around $900 for an annual subscription. Similarly, Trend said the top pieces of banking malware, things like the Osiris trojan, still sell for around $3,000, and specialized services such as spamming are still able to command the same prices they fetched five years ago.

Rather, it's the low-hanging fruit that has become cheaper. With so many poorly maintained services out there, things like compromised streaming accounts are now easy to come by.

"The market is actually oversaturated," the Trend team said. "Stolen accounts make up 32 per cent of all underground offerings. Most accounts start from $1, with only a few high tier accounts demanding premium prices. Disney only launched their new streaming platform, Disney Plus, in November 2019, but available account credentials have already flooded the market."


If someone could stop hackers pwning medical systems right now, that would be cool, say Red Cross and friends


The same can be said for bank accounts. The researchers said that due to oversaturation, there is a glut of compromised banking credentials, and as a result the asking price for a stolen credit card has plummeted, from $20 each in 2015 to just a dollar these days. Still, as with everything else, there is a premium on the high end. Trend noted that high-balance cards, accounts that allow purchases of $5,000 or more, will still sell for around $500 on the open market.

Interestingly enough, registered passports are a hot commodity, fetching around $2,500 each. Additionally, crackdowns on prescription drugs is creating a new opportunity in the criminal markets.

"The US opioid crisis has also had an effect on underground goods and services. Opioid prescription has gone down, thus making the drugs more difficult to obtain," said Trend. "This resulted in an increased demand for forged prescriptions pads. Medical professionals have also started to move to e-prescriptions, which may impact the market further. Forged prescription labels continue to be found in dark web marketplaces for around $60."

There is also an emerging market for, disturbingly enough, deepfake videos. The researchers found scumbags making faked videos for $50 apiece, though if you're on a budget, faked images will only cost around $2.50

One of the main drivers, said the researchers, is sextortion scams.

"People would be more likely to pay the extortion amount if cybercriminals started attaching or sending links of realistic Deepfake images of their victim. A real image or video would be unnecessary," noted Trend. "Virtually blackmailing individuals is more efficient because cybercriminals wouldn't need to socially engineer someone into a compromising position. Deepfake videos can also be used to undermine the reputation of a political candidate or senior executive." ®

Broader topics

Narrower topics

Other stories you might like

  • HelloXD ransomware bulked up with better encryption, nastier payload
    Russian-based group doubles the extortion by exfiltrating the corporate data before encrypting it.

    Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.

    The new capabilities make the ransomware, first detected in November 2021 - and the developer behind it even more dangerous - according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.

    "While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.

    Continue reading
  • Now Windows Follina zero-day exploited to infect PCs with Qbot
    Data-stealing malware also paired with Black Basta ransomware gang

    Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.

    The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.

    This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.

    Continue reading
  • Emotet malware gang re-emerges with Chrome-based credit card heistware
    Crimeware groups are re-inventing themselves

    The criminals behind the Emotet botnet – which rose to fame as a banking trojan before evolving into spamming and malware delivery – are now using it to target credit card information stored in the Chrome web browser.

    Once the data – including the user's name, the card's numbers and expiration information – is exfiltrated, the malware will send it to command-and-control (C2) servers that are different than the one that the card stealer module uses, according to researchers with cybersecurity vendor Proofpoint's Threat Insight team.

    The new card information module is the latest illustration of Emotet's Lazarus-like return. It's been more than a year since Europol and law enforcement from countries including the United States, the UK and Ukraine tore down the Emotet actors' infrastructure in January 2021 and – they hoped – put the malware threat to rest.

    Continue reading
  • Even Russia's Evil Corp now favors software-as-a-service
    Albeit to avoid US sanctions hitting it in the wallet

    The Russian-based Evil Corp is jumping from one malware strain to another in hopes of evading sanctions placed on it by the US government in 2019.

    You might be wondering why cyberextortionists in the Land of Putin give a bit flip about US sanctions: as we understand it, the sanctions mean anyone doing business with or handling transactions for gang will face the wrath of Uncle Sam. Evil Corp is therefore radioactive, few will want to interact with it, and the group has to shift its appearance and operations to keep its income flowing.

    As such, Evil Corp – which made its bones targeting the financial sector with the Dridex malware it developed – is now using off-the-shelf ransomware, most recently the LockBit ransomware-as-a-service, to cover its tracks and make it easier to get the ransoms they demand from victims paid, according to a report this week out of Mandiant.

    Continue reading
  • DeadBolt ransomware takes another shot at QNAP storage
    Keep boxes updated and protected to avoid a NAS-ty shock

    QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.

    The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.

    The previous attacks occurred in January, March, and May.

    Continue reading
  • Unpatched Exchange server, stolen RDP logins... How miscreants get BlackCat ransomware on your network
    Microsoft details this ransomware-as-a-service

    Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-as-service (RaaS) offering.

    The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.

    In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.

    Continue reading
  • Symantec: More malware operators moving in to exploit Follina
    Meanwhile Microsoft still hasn't patched the fatal flaw

    While enterprises are still waiting for Microsoft to issue a fix for the critical "Follina" vulnerability in Windows, yet more malware operators are moving in to exploit it.

    Microsoft late last month acknowledged the remote code execution (RCE) vulnerability – tracked as CVE-2022-30190 – but has yet to deliver a patch for it. The company has outlined workarounds that can be used until a fix becomes available.

    In the meantime, reports of active exploits of the flaw continue to surface. Analysts with Proofpoint's Threat Insight team earlier this month tweeted about a phishing campaign, possibly aligned with a nation-state targeting US and European Union agencies, which uses Follina. The Proofpoint researchers said the malicious spam messages were sent to fewer than 10 Proofpoint product users.

    Continue reading
  • Costa Rican government held up by ransomware … again
    Also US warns of voting machine flaws and Google pays out $100 million to Illinois

    In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.

    Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.

    The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.

    Continue reading
  • Symbiote Linux malware spotted – and infections are 'very hard to detect'
    Performing live forensics on hijacked machine may not turn anything up, warn researchers

    Intezer security researcher Joakim Kennedy and the BlackBerry Threat Research and Intelligence Team have analyzed an unusual piece of Linux malware they say is unlike most seen before - it isn't a standalone executable file.

    Dubbed Symbiote, the badware instead hijacks the environment variable (LD_PRELOAD) the dynamic linker uses to load a shared object library and soon infects every single running process.

    The Intezer/BlackBerry team discovered Symbiote in November 2021, and said it appeared to have been written to target financial institutions in Latin America. Analysis of the Symbiote malware and its behavior suggest it may have been developed in Brazil. 

    Continue reading
  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading

Biting the hand that feeds IT © 1998–2022