The Price of Stolen Credentials Sold on the Dark Web

HP has published an HP Wolf security report, The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back. The results show that cybercrime is being fueled through plug-and-play malware kits that make it easier than ever to launch attacks. Organized groups of cybercriminals are collaborating with amateur hackers to attack businesses, putting the online world at risk.

The HP Wolf Security Threat Team worked with Forensic Pathways in a three-month investigation of the Dark Web, tracking and analyzing over 35 million cybercriminal marketplaces and forum posts to understand how cybercriminals operate, earn trust, and build their reputations.

The main conclusions are:

• Malware is cheap and easy to get: More than three-quarters (76%) of malware ads that appear, and 91% of exploits (that is, code that gives attackers control of systems by taking advantage of software flaws), are sold to the retail for less than 10 euros. The average cost of compromised Remote Desktop Protocol credentials is just under $5. Vendors are selling bundled products, with plug-and-play malware kits, malware-as-a-service, tutorials, and mentoring services that reduce the need for technical knowledge and experience to carry out complex, targeted attacks; in fact, only 2-3% of threat authors are expert programmers.
  

• The irony of “honor among cyberthieves”: As in the world of legal online trading, trust and reputation are, ironically, essential parts of cybercriminal trading: 77% of the cybercriminal markets analyzed require a seller’s bond – a license to sell – which can cost up to 3,000 euros. 85% of them use escrow payments, and 92% have a third-party dispute resolution service. All markets offer seller ratings. Cybercriminals also try to stay one step ahead of law enforcement by transferring their reputation between websites, since the half-life of a user or profile (before it is transferred elsewhere) using the “Tor” internet browser is of only 55 days (the Tor internet browser is based on Firefox, but it is the one most used by cybercriminals to “browse” the Dark Web, since it fully guarantees the anonymity of the user, IP address, etc.
  

• Common software is giving cybercriminals a gateway: Cybercriminals are focusing on finding software gaps that allow them to gain a foothold and take control of systems, targeting known bugs and vulnerabilities in common software. Some examples are the Windows operating system, Microsoft Office, web content management systems, and web and mail servers. The kits that take advantage of the vulnerabilities of niche systems are the ones that reach the highest prices (they usually range between 1,000 and 4,000 euros). The Zero Days (vulnerabilities that are not yet publicly known, and therefore the most dangerous) are sold for tens of thousands of euros on the dark web markets.
  

The HP Wolf Security Threat Team worked with Forensic Pathways in a three-month investigation into the Dark Web

“Unfortunately, being a cybercriminal has never been easier. Before, complex attacks required great skills, knowledge and resources. Now technology and training are available for the price of a liter of gasoline. And whether it’s because your business or customer data is exposed, deliveries are delayed, or even a hospital appointment is cancelled, the explosion of cybercrime affects us all. Alex Holland, Principal Malware Analyst at HP.

“At the center of all this is ransomware, which has created a new cybercriminal ecosystem that rewards smaller actors with a cut of the profits. This is creating a cybercrime production line, producing attacks that can be very difficult to defend against and putting the businesses we all depend on under fire,” adds Holland.

HP consulted a group of cybersecurity and research experts, including former hacker Michael ‘Mafia Boy’ Shimand the Dr Mike McGuire, a criminologist by training, to understand how cybercrime has evolved and what businesses can do to better protect themselves against current and future threats. They warned that companies must prepare for destructive data denial attacks, increasingly targeted cyber campaigns, and cybercriminals using emerging technologies such as artificial intelligence to challenge the integrity of organizations’ data.

To protect yourself from current and future threats, the report offers the following advice to businesses:

Master the basics to reduce the chances of cybercriminals: follow best practices, such as multi-factor authentication and patch management; reduce the attack surface of major attack vectors such as email, web browsing, and file downloads; and prioritize self-healing hardware to increase resiliency.

Focus on winning the game: plan for the worst; Limit risk to your workforce and partners by establishing processes to investigate vendor security and train workers on social engineering; and be process-oriented, as well as rehearse responses to attacks so you can identify problems, make improvements, and be better prepared.

Cybercrime is a team sport. Cybersecurity must also be: talk to peers to share information and threat intelligence in real time; use threat intelligence and be proactive in scanning the environment by monitoring open discussions in underground forums; and work with third-party security services to uncover critical vulnerabilities and risks that need to be addressed.

“We all need to do more to fight the growing cybercrime machine,” says Dr. Ian Pratt, Global Director of Security for Personal Systems at HP Inc.. “For individuals, this means cyber awareness. Most attacks start with a mouse click, so thinking before you click is always important. But having a safety net by purchasing technology that can mitigate and recover from the impact of dangerous clicks is even more important.”

“For businesses, it’s important to build resiliency and close off as many common attack paths as possible,” continues Pratt. “For example, cybercriminals study patches at the time they are released and quickly turn around an exploit before organizations have patched it. Therefore, speeding up the installation of patches is key. Grouping and neutralizing the most common categories of threats using techniques such as containment and threat isolation can also eliminate entire types of threats.”