Glut In Stolen Identities Forces Price Cut In Cyberunderground

New report unearths what cybercriminals are charging for stolen identities and hacking services, such as DDoS and doxing

Just in time for the holidays, the price of a stolen identity has dropped as much as 37 percent in the cybercrime underground: to $25 for a U.S. identity, and $40 for an overseas identity.

Researcher Joe Stewart of Dell SecureWorks teamed with independent researcher David Shear to get an insider's look at what a plethora of hacking services and stolen data cost these days in the underground. Among their findings: For $300 or less, you can acquire credentials for a bank account with a balance of $70,000 to $150,000, and $400 is all it takes to get a rival or targeted business knocked offline with a distributed denial-of-service (DDoS)-for-hire attack. Meanwhile, ID theft and bank account credentials are getting cheaper because there is just so much inventory (a.k.a. stolen personal information) out there.

"Fullz," or personal identities, went for $40 per U.S. stolen ID and $60 for a stolen overseas ID in 2011 when Dell SecureWorks last studied pricing in the underground marketplace. Now those IDs are 33 to 37 percent cheaper.

With the high volume of data breaches and leaks over the past couple of years, it's no surprise the price of a stolen identity would have declined, says Stewart, who is director of malware research for Dell SecureWorks. "I expected to see the drop," he says. "The best thing we could hope for was for these prices to be very high. It would be a more encouraging trend if the prices increased."

It's also getting easier to cash in on cybercrime. "This report shows that cybercrime is becoming more and more commoditized, turnkey, and the bar to entry had become lower and lower as more people develop kits" that simplify data theft, he says. Competition among the cybergangs also has intensified as more people join in the scams, he says. "It's created a situation where it's getting very easy for anyone to get into that business. I think these numbers confirm it," Stewart says.

Pricing trends are interesting, says Raj Samani, CTO of McAfee. But they also can be misleading, he says, because prices are all over the map. "You can have varying prices depending on the sources you go to."

McAfee in its June cybercrime study found a DDoS-for-hire service for $2 per hour, and another for $3 per hour, for instance, he says.

Dell SecureWorks found DDoS services anywhere from $3- to $5 per hour, $90- to $100 per day, and $400 to $600 a month.

The big takeaway for all of this, Samani says, is that cybercrime-as-a-service has arrived. "It doesn't require any technical knowledge, and you don't even have to own a computer," Samani says. "You just need to pay" and you can outsource anything, he says.

[Criminals have expanded use of the cloud-service model to make their illegal enterprises more efficient and accessible. See Dark-Side Services Continue To Grow And Prosper.]

To gather pricing information, researcher Shear infiltrated 15 different underground forums to gather the pricing information, four of which were Russian forums. Shear concentrated his efforts mainly on well-organized forums, according to SecureWorks.

Stewart and Shear found more cybercriminals selling a cardholder victim's birth date and Social Security Number as well as the card data itself to ensure the stolen card data can be used and the buyer won't get tripped up by any security questions or controls. "The hackers have come to realize that merely having a credit card number and corresponding CVV code (Card Verification Value--the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers," SecureWorks said in its report. "Hackers are also selling cardholders’ Date of Birth and/or Social Security Number. Having this additional information would allow a hacker to answer additional security questions or produce a fake identification, to go along with a duplicate credit card."

The cost of getting a website hacked runs from $100 to $300, with more experienced black hat hackers charging more for their services. In an interesting twist, the researchers found that these attackers stipulated that they don't hack government or military websites.

Doxing services—where a hacker steals as much information as they can about a victim or target via social media, social engineering, or Trojan infection—ranges from $25 to $100.

Bots are cheap, too: 1,000 bots go for $20, and 15,000, for $250.

Meanwhile, stolen credit cards for U.S. accounts (with CVV numbers) remained about the same since SecureWorks last studied pricing on them in 2011. The ranged from $4 to $8 per account, while European accounts dropped from $21 to $18 today. It's all about inventory of such a commodity item, according to the researchers.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio