Ranging from distributed denial-of-service (DDoS) attacks used to cripple business websites to the insertion of malware used to pilfer sensitive data, the market is growing astronomically.
The black market mimics real-world commerce, with some websites even offering money-back guarantees. Free privacy software makes attacks difficult to attribute and automated tools remove the need for any contact with criminals.
The practice goes as far back as the 1980s, when corporations hired hackers to perform unauthorised intrusions into targets. More recently, it has been suggested that hackers were hired to launch attacks on US banks and government organisations in a bid to steal sensitive information.
In January last year, the FBI arrested five people over ‘hackers-for-hire’ websites. Additionally, the Saudi religious police have reportedly used hackers to take down Twitter pornography.
Criminal group the Lizard Squad, which attacked the PlayStation and Xbox networks over Christmas, recently launched a DDoS tool, costing between £4 (US$ 6) and £325 (US$ 500).
Meanwhile, a new service called Hacker's List, based in New Zealand, contains more than 20 pages of projects for bidding, offering the ability to take down site content for £158 (US$ 300), with a social media hack for as little as £5 (US$ 10).
The practice started to become big business 10 years ago, when botnets were offered for hire via Russian websites. However, unlike today's tools, these required some kind of online interaction with a person, according to Andy Crocker, founder of Protect2020. And things have now moved on, he explains: “With an anonymous email address; you can use Bitcoin or PayPal and it's automated. These are one stop shops.”
On the other hand, hiring an actual hacker is more difficult and still requires human interaction, Crocker says. “If you want to hire someone to get information, you have to go onto the Darknet, go into forums, speak to someone, tell them what you want and pay them. You have to know your way around.”
But anonymity has never been easier: concealing the perpetrator's identity is as simple as downloading privacy tool Tor. Once the tool has disguised the user's IP address, a quick search will bring up multiple websites offering hacker services. Hackers can be found in multiple forums among ‘carders’ - those who sell stolen credit card details.
Buying the services of a hacker is easy to do: it can be as simple as a Google search, says David Prince, delivery director of IT security at law firm Schillings. “If you log onto Tor - which is very easy to do - there should be things you can use to create malware, participate in money laundering and rent a hacker. You input your email address, pay Bitcoins, and provide a target - it's as simple as that.”
It is increasingly easy to procure products or services to attack computer systems, agrees James Lyne, global head of research at Sophos. “There is a thriving illicit market offering a range of different services and capabilities with groups competing over price and features - the very definition of an active economy.”
Surprisingly, there is nothing illegal about many of the websites offering services such as DDoS for hire for as little as £1.99 (US$ 2.99) for a 100 second attack - although using the tools is a criminal offence. “The site will offer DDoS for hire, but it isn't coming from that site: the infrastructure is elsewhere,” Crocker explains. “You can buy one attack and take someone offline quickly. For a couple of hundred dollars, you can take your competitors down for 30,000 minutes.”
Javvad Malik, senior analyst, Enterprise Security Practice at 451 Research, says he has seen similar listings: “For about £100, someone with a botnet of 1,000 computers can take competitors offline,” he adds.
Most commonly, it is DDoS that is used to cripple e-commerce or shut down sites in the name of a hacktivist cause, says Fred Touchette, senior security analyst at AppRiver. “Services can also be purchased to break into networks and steal data among numerous other specific tasks.”
According to Touchette, DDoS can be launched via a simple tool, or it can utilise an online service with a rental botnet at hand.
Lyne says he has seen DDoS capabilities typically available for “tens of dollars” - some of which offered pricing based on volume and money back guarantees. He adds that more “serious” tools, such as those used for exploitation, typically range between £450 (US$ 700) and £2,000 (US$ 3,000).
“At the very high end of the market where zero-day exploit services are being offered, the prices can reportedly range into seven figures,” he says. “This shows how much impact cyber-crime services can have and the value of data that can be collected. By the same measure, it is cheap enough that many could buy it online without really considering the ramifications of their decision.”
Touchette says he has seen DDoS attacks offered for free up to about £330 (US$ 500), while ‘carding’ forums charge between £6 (US$ 10) and £60 (US$ 100) per card. Meanwhile, it is also possible to find more complex services such as malware creation, fenced electronics, or underground Bitcoin-enabled sites.
Types of attack also include spying-type operations on random individuals, phishing, and social engineering, says Curt Wilson, senior research analyst at Arbor Networks. “The reality is that any type of commodity attack toolkit or technique is within easy reach. Every type of brute forcing, scanning, or vulnerability assessment tool aimed at any type of target is fair game.”
At the lighter end of the cyber-crime services market, there are offerings that might be used to spy on a former partner or to allow a small business to cause some disruption - or monitor a competitor, says Lyne. But he adds that at the “heavier” end, there are tools “designed to compromise tens to hundreds of thousands of systems in a bid to steal massive amounts of financial information”.
However, Lyne points out, not all of these services are simple to procure. “Some of the exploit kits used for cyber-crime are not necessarily expensive, but require you to be in the right circles with a specific Russian forum.”
Additionally, low costs reflect the often inexperienced hackers behind these types of attacks. Andrew Conway, research analyst at Cloudmark, says: “You get what you pay for - if you want a teenager to launch a DDoS attack that will take a small business website down for an hour or two, it is cheap.”
Experts say it is possible that hacking tactics are regularly employed by businesses and governments. But how often is this approach used? No one knows the answer for sure, but last year, it was reported that Sony Pictures used DDoS attacks on sites containing its stolen data; others do the same, say experts.
Crocker is certain that illegal practices are regularly used. “Businesses are using them, countries are using them - and we know there is state sponsored theft of data,” he says.
According to Crocker, Eastern Europeans are typically looking for financial gain - while Chinese hackers are looking to steal secrets.
Prince agrees, saying: “There is no doubt in my mind that some organisations will employ the services of hackers to steal IP.”
Lyne adds: “It is now sufficiently easy that someone with the right inclination, such as business intelligence - and questionable regard for the law - might casually engage in this to get what they need.”
It might be easy to do, but hacking is an illegal practice and in the UK, it can be prosecuted under the Computer Misuse Act. Crocker explains: “To create a botnet you have to hack into a computer - so there are offences you can be prosecuted for.” However, he concedes that it is not always easy to track perpetrators down: “Nine out of 10 times, they are not in this country, they are hard to track down and it's very difficult to prosecute.”
Additionally, Prince warns any businesses considering the practice: “You don't know it will be a hacker that you hire; it could be the FBI or someone who wants Bitcoins. And it's completely illegal.”
Although tools such as Tor, Bitcoin, and international laws make investigating this more difficult, Crocker says: “There is always a trail.”
Additionally, most laws are national in their implementation, whereas the internet is borderless, Lyne says. “If you are considering use of such tools let's be clear, they are illegal and the chances of you being found out are increasing every day.”
Hiring a hacker
However, hacking is not illegal in all of its forms. It can also be used by businesses to fix security holes in the practice known as ‘ethical hacking’. The key distinction legally between ethical and criminal hacking is consent, says Rachel Atkins, partner at Schillings.
Ethical - or white hat - hackers are frequently hired to test organisations' networks to prevent a potential attack. This process operates within the boundaries of the law, says Prince. “The terms of business will make sure everything is within the boundaries and legit. The skill sets between the ‘rent a hacker’ and penetration tester are very similar. Ethical hacking to test your own defences as a business is a great way of finding your weaknesses.”
Cal Leeming is a black hat hacker turned white hat. He now works as a programmer after being caught in 2005 and handed a 15-month jail sentence for buying £750,000 worth of goods with over 10,000 stolen identities.
If the intent is there, it is easy to take down the public websites of governments and large corporations, says Leeming. This makes it integral that businesses keep systems as secure as possible. “And you can't keep every single system secure,” says Leeming. “You need a full time team, 24/7 - and 365 days a year; you need monitoring and a ton of hardware, and very expensive software.”
With expertise that could be used for good, Leeming thinks that young, convicted hackers should be given a chance to turn themselves around as he did - using their skills for ethical hacking and other related legal activities.
The industry is already sitting up and listening. The practice of hiring convicted hackers is actually increasingly common. Research conducted by KPMG in November last year revealed that half of UK companies would consider hiring a hacker with a criminal record to defend against attacks. It is also thought that convicted hackers form part of the UK's cyber-defence, a group of computer experts trained by GCHQ.
But even after hiring an ethical hacker, preventing this type of attack is by no means simple. Experts advise firms to get ahead by preparing for the worst. “First of all, do a serious risk analysis,” says Conway. “How much will it cost you if you get taken down? What if you lose your data?”
He advises firms to look for weak points, such as websites - and separate this from other systems to prevent hackers getting access to important information.
As long as there is demand, the ‘hackers for hire’ market will continue to grow. It will see an increase in attacks, and this makes it even more important to build optimal defence.
“Organisations are encouraged to run all the commodity tools against their own infrastructure because the bottom of the barrel rent-a-hackers are going to be using such tools heavily,” warns Wilson. “A sad reality is, that some will have success with such simple methods, due to the challenges and complexity of security.”