By Paul Prudhomme
Head of Threat Intelligence Advisory, IntSights
For a first-time home buyer, the experience of being handed that set of keys is exhilarating. You’ve jumped through lots of hoops to get to this moment, and now you’re going to reap the reward.
But what if I told you that right now, a novice cybercriminal could get the keys to your company’s network for just a few thousand dollars and turn a profit of tens or hundreds of thousands, if not millions?
Cybercriminals handing over the keys to a compromised network is the topic of the newest IntSights white paper, “Selling Breaches: The Transfer of Enterprise Network Access on Criminal Forums”. The initial break-in has already occurred, and now the focus turns to the monetization of that unauthorized access via fraud, extortion, or other means.
The Criminal-to-Criminal Marketplace
The “criminal-to-criminal” marketplace is a key driver of criminal threats. Few cybercriminal operations are truly autarchic or self-sufficient, with full “vertical integration.” Many cybercriminals specialize in specific fields in which they can perform optimally or more cost-effectively. This specialization allows the various stages and components of the cybercriminal “kill chain” to function at closer to maximum efficiency. They turn to other, equally specialized vendors to acquire other components in areas beyond their own specialty.
There have long been specialized vendors for malware payloads, other malicious tools, hosting infrastructure, and the other components of cybercriminal operations. This specialization has now progressed to the point that there are now specialized vendors who provide compromised network access as well. Cybercriminals no longer need the ability to compromise a network; now they can just buy that access from another criminal.
Like any e-commerce community, underground criminal forums aim to establish a “circle of trust” that enables criminals to do business with each other with a reasonable degree of confidence. The risk that a buyer or vendor will rip off, cheat, or defraud a vendor or customer is a significant concern for them, as is the risk of unwittingly doing business with undercover law enforcement or security researchers.
Cybercrime forum users can vet prospective vendors or buyers by reviewing their history and status, and the feedback or ratings that they have received from other users, so as to develop confidence in them. Many of these communities use escrow systems to instill further confidence in large purchases by entrusting funds to website administrators as a transaction proceeds. The risk of receiving negative feedback or being reported to website administrators serves as an additional deterrent to misconduct.
Bargain Basement Prices
Pricing varies considerably from one network access sale to another, but most prices are low enough that they do not constitute a significant barrier to entry. Our statistical analysis for the Selling Breaches white paper found a median price of $3,000 USD. Most prices are in the four-figure range, with more expensive offerings in the five-figure range and cheaper ones in the three-figure range. IntSights found prices as low as $240 and as high as $95,000; however, the lower end of this scale — as is reflected in our median figure — is much more common.
Factors that can influence pricing include the extent and the privilege level of the access; the size and value of the victim as a source of criminal revenue; the industry and location of the victim; and the sales strategies of the various sellers. Some offers do not specify a price, allowing prospective buyers to make their own offers and name their own prices, while others take the form of auctions. Higher privileges and larger networks generally increase the price of the offering. Victims in wealthy, English-speaking economies are generally more desirable, hence the disproportionate percentage of identified victims in North America (37.5%). We nonetheless found unauthorized access to North American companies on sale for as little as $500.
When you compare the immense financial losses that a breached company suffers with the much smaller-scale financial transactions taking place on these criminal forums, the challenge becomes painfully clear.
Read “Selling Breaches: The Transfer of Enterprise Network Access on Criminal Forums” to better understand this challenge and get pointers for prevention and mitigation.
About the Author
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Prior to that Paul covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. He originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. Paul has a Master’s degree in History from Georgetown University. He is also a certified scuba diver and an award-winning amateur underwater photographer.