Hackers now offer '100% satisfaction guaranteed'
The underground hacker market has become so commercialised that cyber-criminals are offering "100% satisfaction" guarantees on stolen credit cards, or they will be replaced.
An investigation by Dell SecureWorks has also found that, like legitimate businesses, the criminals are selling ‘Hacker Tutorials' which make it easier for ‘newbies' to start planting malware and stealing financial data.
The market is also awash with stolen credit card details, the company says. But it notes some restraint; with hackers they contacted refusing to try to breach government or military websites.
In the report, Joe Stewart, director of malware research in Dell SecureWorks' Counter Threat Unit (CTU), and network security analyst David Shear highlight the growing focus among hackers on “excellent customer service”.
The say: “Like any market which is crowded with multiple vendors selling many of the same products and services, the reputation of the vendor becomes critical to running a successful business.
“It looks like more hackers on the underground have realised this and are trying to distinguish themselves by offering prompt customer service and ‘100% guarantees' on the stolen data they are selling.”
Hacker manuals are another surprise, the researchers said: “A manual containing a handful of tutorials explaining a variety of cyber activities can be purchased for US$ 30 (approximately £19), while individual training tutorials can run as low as US$ 1 (£0.63). Tutorials on exploit kits, crypters, DDoS attacks, spam attacks and phishing are also available.”
But the biggest new trend, they say, is the number of fake credentials for sale: “The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver's licences.”
They add: “With so many cyber-breaches this year, reportedly involving the compromise of millions of credit and debit cards, it is not surprising to see premium credit cards so abundant in these dark markets.”
Stolen cards from the US, Canada, UK and Europe “appear to be especially plentiful”, they say, with one underground site offering 14 million US credit cards for sale and 75,992 from the UK.
Platinum and Gold Master Cards were on sale for just US$ 35 (£22) each and Premium Visa cards for US$ 23 (£15)
Meanwhile the price of Remote Access Trojans (RATs) has fallen considerably compared to a similar investigation last year, from US$ 50-250 (£32-159) to now $20-50 (£13-32)
In a blog post about the report - which gives more details of the cost of the tools, services and stolen credentials available - Dell SecureWorks adds: “The cost to hire a hacker to break into an organisation's website runs between US$ 100-$300 (£63-190). When investigating these services, the particular hackers we dealt with made it clear that they would not hack into a government or military website.”
The scale of hacking services and stolen data available has led to warnings from UK cyber-security experts that businesses could become fatalistic about being hacked, and less motivated to fight back.
Sarb Sembhi, consulting services director at Storm Guidance and a leading light in the ISACA security professionals' organisation, told SCMagazineUK.com: “There are businesses today who don't take security seriously because it seems so hard and expensive to do.
“And because we've started to accept the chances are our banking details are going to be compromised, it's become a norm. That inevitably becomes in some people's mind – well, there's nothing I can do, there's no point in spending money on it, they're going to get in anyway.”
Sembhi said the security industry had to respond by matching the ‘value' offered by hackers.
“Hacker tools have got better and cheaper while security tools have got more complex and more expensive. It's the totally opposite trend to the hacker and criminal community.
“There needs to be more commoditisation by the security vendors, to make things cheaper to secure.”
Amar Singh, chair of the ISACA UK Security Advisory Group, highlighted the growing commercialisation of hacking, and told SC: “It's always interesting to see is the level of professionalism and pride that the underground takes in its products and services!”
And he warned that the hacker training available “worryingly appears to be coming from the doers and costs considerably less than the more commercial white-hat training material”.
Singh said this “should be a wake-up call to the long-term strategic planning for companies and governments alike”.
He suggested: “One of the defence mechanisms to discourage the lure of these types of setups should surely be making the same technology skills and information available to the young minds and encouraging a more positive and socially beneficial use of such skills.”
Meanwhile Dell SecureWorks technology director Don Smith told SC via email: “The underground network of hackers is continuing to grow, creating a very sophisticated and potentially lucrative market. Unlike common belief, this market now functions like any professional retail organisation, even offering satisfaction guarantees.
“With this in mind, it's no wonder that the techniques exploited by hackers are becoming more complex and difficult to detect – and that there's even a budding market for hacking tutorials.”
Smith added: “For this reason, it is essential that consumers and businesses alike remain vigilant in order to mitigate risks and that they remember that personal information of any kind could fetch an attractive sum for a criminal.”
Dell's report follows a similar study last week by Symantec that found the underground market still booming, with the price of stolen credit cards staying stable, but the value of email account data dropping substantially in recent years.