Getting more for your (cybercriminal) dollar

A couple of years ago, $300 might have bought you, if you’re a cybercriminal, the online credentials to access a bank account with maybe $7,000 in it. Today, $300 can get you access (username and password) to an account with well over $100,000 in it, according to research from Dell SecureWorks. Prices are dropping, which means that more bad guys can get access.

The speculated reason for the price drop is a glut in the market following several large-scale data breaches over the past year. This condition is expected to last for some time.

Personal identities composed of information such as name, SSN, date of birth, etc. are known as ‘fullz’. European fullz seem to sell for more than US citizen fullz. Maybe there is less availability of European stolen identities?

I was Googling ‘fullz’ to find a couple of different definitions, but I kept coming across advertisements to sell fullz, complete with price lists. At first, I thought I had stumbled across some secret cybercriminal stash of online identities, but they’re everywhere. Here are snippets of some of the ones that I ran across (i.e., the 1st page of a Google search — I didn’t have to dig for these).

[Images: screenshots of fullz advertisements]

Joe Stewart with Dell SecureWorks and independent researcher David Shear also report these prices for purchasing botnets (networks of pre-compromised computers from which the buyer can deliver a wide variety of malware options):

  • 1,000 bots = $20
  • 5,000 bots = $90
  • 10,000 bots = $160
  • 15,000 bots = $250

Customers shopping for Distributed Denial of Service (DDoS) attacks can expect rates similar to these:

  • DDoS attacks per hour = $3-$5
  • DDoS attacks per day = $90-$100
  • DDoS attacks per week = $400-600

These prices kind of bum me out because they are llloowww.

We hear all of the time that cybercrime and cyberattacks are terrible and getting worse.  These numbers, though, drive that point home — it’s just not hard to buy into this game.
