Cybercriminals offer all sorts of illicit goods for sale on Deep and Dark Web markets. In this episode, Liv Rowley, cybercrime intelligence analyst at Flashpoint, takes us through her team's research into the pricing of certain illegal goods online, including "Fullz", exploit kits, DDoS for hire, RDP servers, card data, bank logs and passports. Supply meets demand in this shady underground ecosystem.
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday.
Dave Bittner: [00:00:07] I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:23] I'd like to tell you a little bit about our sponsor, Cybrary, the people who know how to empower your security team. Cybrary is the learning and assessment tool of choice for IT and security teams at today's top companies. They deliver the kind of hands on training fifty-five percent of enterprises say is the most important qualification when they're hiring. And once you hire, you want to retain. And Cybrary helps there too, because seventy percent of employees say professional development is a big reason for staying on board. Visit www.cybrary.it/teams and see what they can do for your organization. Not only is it effective, it's affordable too, costing just about a 12th of what legacy approaches to training would set you back. So contact Cybrary for a demo. That's www.cybrary.it/teams, and tell them the CyberWire sent you.
Liv Rowley: [00:01:20] So, the data came from a bunch of different sources and, as noted in the report, it's all observational, and based off a lot of what we've been seeing here at Flashpoint.
Dave Bittner: [00:01:30] That's Liv Rowley, a cybercrime intelligence analyst focusing on the deep and dark web at Flashpoint. The report she's referring to is called "Analysis: Pricing of Goods and Services on the Deep & Dark Web."
Liv Rowley: [00:01:44] Some of the information came from the English language dark web marketplaces, which have been in the news a lot over the past six months or so. We also looked at some of the card shops, we looked at some RDP shops, and then the forums. So both Russian and English language forums featured heavily in this.
Dave Bittner: [00:02:02] I want to sort of work our way through the report together, talk about some of the different things that you all took a look at. And the first one is called "fullz," which is F-U-L-L-Z. Describe to us what we're talking about here.
Liv Rowley: [00:02:15] So fullz are, it's kind of cyber criminal slang for a full set of personally identifiable information, and that normally includes Social Security number, date of birth, and full name. Though, as noted in the report, it can also include all sorts of other information.
Dave Bittner: [00:02:31] And take us through, how does the pricing break down for fullz?
Liv Rowley: [00:02:34] So we found that in English language dark web marketplaces, which is where we did most of our fullz research for this report, your average price per record, you know, per fullz for Social Security number, date of birth, was between $1 and $8 U.S. dollars. So, for example, if you wanted to buy somebody's credit card number with their accompanying Social Security number, that's going to be more expensive. So there's other data that can be factored in to this that would make it more expensive. But just the, you know, the typical Social Security number, date of birth, full name, that was between $1 and $8.
Dave Bittner: [00:03:13] Yeah, I mean, it strikes me that these are pretty cheap. Relatively low prices, even for fullz that come with a lot more information, it's really, looking at the data here, it's under a hundred bucks.
Liv Rowley: [00:03:25] Yes, yeah, it's pretty low.
Dave Bittner: [00:03:28] So let's move on to some of the exploit kits. Take us through what you found with that.
Liv Rowley: [00:03:32] So exploit kits, this was quite interesting. We focused mostly on Russian language forums, which is where a lot of the exploit kits come from and are marketed. And exploit kits, they're rarely sold, they're often almost entirely rented out, on either a daily, weekly, or monthly basis. And we found that the pricing for those tended to be very similar across exploit kits and across time, for the newer ones that is. So as an exploit kit comes out, when it's, you know, first new, we found that it goes for between $80 to $100 to rent per day, $500 to $700 per week, and $1400 to $2000 per month.
Liv Rowley: [00:04:13] You know, those ranges depend a little bit on different functionalities that these exploit kits might be offering and, as noted in the report, if an exploit is older, if it's something that hasn't been updated fairly recently and it doesn't have those new functionalities, it tends to be priced lower than those ranges.
Dave Bittner: [00:04:33] And explain to us, what would I be purchasing these exploit kits to do?
Liv Rowley: [00:04:38] Exploit kits are used by cyber criminals who, either they don't want to invest the time into compromising systems themselves or they just don't have the skills to, so it's kind of an easy way for cyber criminals that don't have these capabilities to start infecting and compromising different systems.
Dave Bittner: [00:04:57] All right, let's move on to DDoS. Certainly lots of news about DDoS over the past year or so, and you can buy DDoS for hire.
Liv Rowley: [00:05:06] Correct, yeah, this is a very popular and talked about service especially in the media.
Dave Bittner: [00:05:12] So what are the prices here?
Liv Rowley: [00:05:14] So, the prices for DDoS for hire definitely vary a lot, and this is one of the ones that we had trouble nailing down, you know, a typical price. We say that botnets can be rented for a typical price of $1 to $27, which is a little bit of a range right there. And we weren't really able to determine what was determining these prices. They were varying, some of these you rent them out by how much traffic you want to be sending towards the victim IP. Others are rented out on like a daily or weekly basis. So this was actually an interesting one to look at, because there wasn't as consistent a pricing model as we saw with some of the other products and services that we looked at.
Dave Bittner: [00:05:58] So it seems, judging from the report, that the more sophisticated the DDoS for hire, the longer the attack, the more bots that they can wrangle to go at someone, that the price naturally goes up.
Liv Rowley: [00:06:11] Yes, typically that is the case.
Dave Bittner: [00:06:13] All right. Moving on, you also looked at remote desktop protocols, RDPs. Take us through what's going on with this one.
Liv Rowley: [00:06:21] Yeah, so these are very interesting, and we've been seeing these RDP servers being increasingly used by cyber criminals in the past couple of years. So we actually identified and looked at a couple of RDP shops, which are outside of the English language marketplaces and off the forums, they're just sites that exist, that just specialize in selling thousands of RDPs.
Liv Rowley: [00:06:47] And on these sites you can filter by all sorts of different things, you can say what type of country, or which country you are interested in buying an RDP from. If you want an RDP with admin rights, and all sorts of other things.
Liv Rowley: [00:07:01] So one thing that we noticed is, again we looked at two major RDP shops, and on one of the RDP shops, the pricing of these RDPs, pretty much $10 was the minimum that it would go for, and it would go all the way up to hundreds of dollars for an RDP. Whereas on the other shop that we looked at, they actually laid out their entire pricing model, which was quite interesting, and their max pricing possible was only $15.
Liv Rowley: [00:07:30] So this one was really interesting for us to look at, because currently that more expensive shop has been more popular among cyber criminals. There's been more reporting from, you know, journalists and researchers on how this shop is being used by cyber criminals, but we're starting to see within our data set, within Flashpoint's data set, it looks like cyber criminals are starting to move to using this cheaper RDP shop more frequently.
Dave Bittner: [00:08:00] All right, well let's move on to card data and bank logs. What did we learn from these?
Liv Rowley: [00:08:06] Card data was very interesting to look at. This was another one where we just focused right on these card shops, which are sites that specialize in the sale of compromised card information. And the ranges for the pricing of card data were quite tremendous, and that can be influenced by all sorts of things, depending on what country the card is coming from, if your card is, you know, a higher level card like a gold card or a black card.
Liv Rowley: [00:08:34] So the ranges that we saw here were quite big. We saw that for cards, which, in cyber criminal language, is your card number, your card holder name, the expiration date, and the CVV. So, pretty much if you had physical access to a card you would get this information. That tended to be $20, whereas card dumps--and dumps are the actual track data, so what's written on the magnetic stripe--that ranged in price from $5 up to $100 at times. So there is definitely a range for the card data.
Dave Bittner: [00:09:10] One of the other things you looked at was U.S. passports.
Liv Rowley: [00:09:13] So we saw that there were three different formats of U.S. passports that were available for sale. One of them was just a simple digital scan, that can either be somebody else's compromised passport, you know, if somebody, some hacker got these scans fraudulently, and that's a possibility for those. We also saw passport templates, which are just, you know, a template that you can add information to, or a picture to, to make it look like a passport or especially a passport scan.
Liv Rowley: [00:09:50] Or we saw that there were also physical passports available for sale, and these physical passports were the most expensive of these three groupings. So while the scans were priced between $5 to $65, and the templates are priced between $29 and $89, we saw that the physical passports were between $29, $80, and $5000. So, significantly more expensive than those other two.
Dave Bittner: [00:10:17] You know, it's interesting to me, I think and probably to a lot of our listeners, how inexpensive all of these records are. Is this simply a matter of supply and demand?
Liv Rowley: [00:10:28] So, some of it definitely is supply and demand, especially, you know, this year and in years past we've been experiencing these massive data breaches. And for a cyber criminal, let's say you've obtained Social Security numbers on, even if it's just a hundred people, right? That takes a lot of effort to monetize all one hundred of those Social Security numbers. So in many cases, it's just easier to sell it off.
Liv Rowley: [00:10:56] Also, oftentimes these cyber criminals, they only know how to do one thing. So they might know how to compromise systems and steal this information, but they don't necessarily know how to, you know, file a fraudulent tax return, or how to open a bank account in somebody else's name, or after the fact how to launder that money. So sometimes it's just easier for them to sell it all off. And that ends up being quite cheap a lot of the times.
Dave Bittner: [00:11:23] Yeah, that's always been something that's puzzled me, particularly when you have some of these people offering things as a service. You know, your DDoS as a service and things like that, is to, you know, what's the motivation for them to offer it as a service, versus actually doing the crime themselves? Which would be more profitable? So that's an interesting case you make for that.
Liv Rowley: [00:11:42] Yes. It is very interesting, and I think that's one of the things that this report kind of highlights, is that the deep and dark web in the cyber criminal element is, it's absolutely an ecosystem. And that's why these areas exist, um, is so that cyber criminals can come together and collaborate, and make these purchases for information that they might not be able to obtain on their own, or for services that they might not know how to carry out themselves.
Dave Bittner: [00:12:11] What is your sense for how difficult it is to be a buyer of these sorts of services? Is there some sort of initiation that you have to go through, or demonstrate that you're, you know, prove that you're not law enforcement, things like that?
Liv Rowley: [00:12:26] So that depends a lot on the place where you're buying this information from, how difficult that is. So on places like the card shops, or the RDP shops, it appears to be rather easy to create an account on one of these shops, and then make some purchases and get that information. It's also very--because there are entire websites that are set up to sell this--it's very impersonal. There's not, you know, a lot of sensitive exchanges between the buyer and seller.
Liv Rowley: [00:12:57] Whereas sometimes, in the Russian cyber criminal space especially, trust is very, very, very important in those spaces, and that's probably partially because the Russian speakers don't often use marketplaces. They function primarily just on forums. So there's a tremendous amount of trust that has to go between these two, you know, a buyer and seller, in order for them to start sending money between each other and letting each other, you know, use each other's services, or see the data that they've stolen.
Dave Bittner: [00:13:29] It also strikes me that there's a sort of lack of proportionality, where if I can buy even, you know, pay for a high quality credit card for $80, and potentially have access to thousands of dollars of available credit, the effect that that may have on the person whose credit I'm stealing or bank account I'm draining, is pretty significant for that $80 investment.
Liv Rowley: [00:13:54] Yes, yeah, absolutely. I think that point that you're making is especially highlighted in our section about bank logs or compromised bank accounts, where we talk about one particular vendor who had an account for, a compromised bank account for sale, with over $1,000 in it, and was selling it for $90. And then they also had another account for sale that had $25,000 in it, that they were selling for $390. So for $390, if you're a skilled cyber criminal, you have access to a bank account with $25,000 in it, that you can drain and move into accounts that you control.
Dave Bittner: [00:14:32] And how does the actual moving of money take place? Are we talking about most of these transactions happening with bitcoin? What's going on with that?
Liv Rowley: [00:14:41] Yes, most of the transactions happen with bitcoin, though now we're starting to see these other cryptocurrencies gain a lot of popularity. Especially, right now, Monero, because it's such a privacy-minded cryptocurrency, a lot of cyber criminals are starting to push for that to become kind of the standard.
Dave Bittner: [00:15:02] What is your sense in terms of the presence of law enforcement? Are any of these people getting tracked down, or is this a case where crime really does pay?
Liv Rowley: [00:15:11] This is something I can't fully comment on, just because I'm not involved in law enforcement. I'm on the vendor side, we're just looking at this cyber criminal chatter in these marketplaces. Though we definitely have seen, in the past several months, the arrest of some pretty high-profile cyber criminals. One of the admins of the Dream marketplace, which is currently the biggest darknet marketplace, was arrested when he came to the U.S. several months ago. There is some law enforcement effort, but in terms of the scale of it, that's something I'm not super sure about.
Dave Bittner: [00:15:44] So looking at the results of this, I mean, what is your advice? It seems to me like with some of these big breaches your, chances are, at least some of your information is out there. Does the information you've gathered inform the ways that people should take efforts to protect themselves?
Liv Rowley: [00:16:01] Yeah, so especially when looking at the Social Security numbers and that personally identifiable information that's often sold in the form of fullz, there are some things that one can do to at least try to be aware of if they've been compromised. The advice tends to be just to pull your credit report occasionally and take a look at it and see, are there any credit cards on there that you don't know about? Or, you know, is there any loan that somebody is taking out in your name? And just be aware of what financial information is attached to you and your Social Security number, and make sure that's correct.
Liv Rowley: [00:16:38] Another thing that's been suggested, especially after some of the more major breaches, is to put a freeze on your credit report so that nobody can pull it, you've frozen it. And that's because oftentimes cyber criminals will use these free credit report services to get a credit report on one of their victims and understand how to target them better. We've seen this being used by cyber criminals in the past to target people with HSA accounts, health savings accounts, where they could identify that that person had a health savings account, and then go in and drain the money. So, being able to protect that information can be something that can be done here.
Liv Rowley: [00:17:16] Occasionally, you'll find cyber criminals selling these fullz organized by credit scores. So, somebody with a higher credit score, their information would be sold for a steeper price than somebody with a lower credit score. And that's because, if you have a higher credit score, it's easier for you to get approved for, you know, new credit cards or whatever.
Liv Rowley: [00:17:38] So I just thought that was very interesting, that cyber criminals were actually taking the effort to--and this goes back to what I was saying about freezing your credit report--taking the time to find out what all their victims' credit scores were, and organize them, and then commodify that information in different ways.
Dave Bittner: [00:17:57] Putting the effort in to, I guess, get maximum return on their investment.
Liv Rowley: [00:18:01] Absolutely. Yeah, if you're a buyer of this information, being able to know someone's credit score could be of great interest to you.
Dave Bittner: [00:18:12] Our thanks to Liv Rowley for joining us. You can find the complete report, "Pricing of Goods and Services on the Deep & Dark Web," on the Flashpoint web site in their blog section.
Dave Bittner: [00:18:22] And thanks again to our sponsor, Cybrary, for making this edition of Research Saturday possible. Visit www.cybrary.it/teams, and see what they can do for your organization.
Dave Bittner: [00:18:34] Don't forget to check out our CyberWire Daily News Brief and podcast, along with interviews, our glossary, and more on our Web site, thecyberwire.com. The CyberWire Research Saturday is produced by Pratt Street Media. Our coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2019 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.