Ranging from distributed-denial-of-service (DDos) used to cripple business websites, through to the insertion of malware used to pilfer sensitive data, the market is growing astronomically.
The black market mimics real-world commerce, with some websites even offering money-back guarantees. Free privacy software makes attacks difficult to attribute and automated tools remove the need for any contact with criminals.
The practice goes as far back as the 1980s, when corporations hired hackers to perform unauthorised intrusions into targets. More recently, it has been suggested that hackers were hired to launch attacks on US banks and government organisations in a bid to steal sensitive information.
In January last year, the FBI arrested five people over ‘hackers-for-hire' websites. Additionally, the Saudi religious police have reportedly used hackers to take down Twitter pornography.
Criminal group the Lizard Squad, which attacked the PlayStation and Xbox networks over Christmas, recently launched a DDoS tool, costing between £4 (US$ 6) and £325 (US$ 500).
Meanwhile, a new service called Hacker's List, based in New Zealand, contains more than 20 pages of projects for bidding, offering the ability to take down site content for £158 (US$ 300), with a social media hack for as little as £5 (US$ 10).
The practice started to become big business 10 years ago, when botnets were offered for hire via Russian websites. However, unlike today's tools, these required some kind of online interaction with a person, according to Andy Crocker, founder of Protect2020. And things have now moved on, he explains: “With an anonymous email address; you can use Bitcoin or PayPal and it's automated. These are one stop shops.”
On the other hand, hiring an actual hacker is more difficult and still requires human interaction, Crocker says. “If you want to hire someone to get information, you have to go onto the Darknet, go into forums, speak to someone, tell them what you want and pay them. You have to know your way around.”
But anonymity has never been easier: concealing the perpetrator's identity is as simple as downloading privacy tool Tor. Once the tool has disguised the user's IP address, a quick search will bring up multiple websites offering hacker services. Hackers can be found in multiple forums among ‘carders' - those who sell stolen credit card details.
Buying the services of a hacker is easy to do: it can be as simple as a Google search, says David Prince, delivery director of IT security at law firm Schillings. “If you log onto Tor - which is very easy to do - there should be things you can use to create malware, participate in money laundering and rent a hacker. You input your email address, pay Bitcoins, and provide a target - it's as simple as that.”
It is increasingly easy to procure products or services to attack computer systems, agrees James Lyne, global head of research at Sophos. “There is a thriving illicit market offering a range of different services and capabilities with groups competing over price and features - the very definition of an active economy.”
Surprisingly, there is nothing illegal about many of the websites offering services such as DDoS for hire for as little as £1.99 (US$ 2.99) for a 100 second attack - although using the tools is a criminal offence. “The site will offer DDoS for hire, but it isn't coming from that site: the infrastructure is elsewhere,” Crocker explains. “You can buy one attack and take someone offline quickly. For a couple of hundred dollars, you can take your competitors down for 30,000 minutes.”
Javvad Malik, senior analyst, Enterprise Security Practice at 451 Research says he has seen similar listings: “For about £100, someone with a botnet of 1,000 computers can take competitors offline,” he adds.