Illustration by top10vpn.com
It’s becoming easier than ever for wannabe cybercriminals to snag a share of the billions of dollars lost through fraud in the US each year.
All you need is some Bitcoin, some free software and no ethical objections to stealing from your fellow humans.
My latest research into dark web market pricing shows that powerful malware, readymade phishing pages and password crackers for popular brands, and an incredible array of other hacking tools are being sold on the dark markets for just a few dollars apiece.
These illicit items might be cheap and easy to buy anonymously but at least rookie fraudsters won’t have a clue about how to use them effectively and without getting caught, right? Wrong.
Technical know-how that was once the mark of years of experience and a badge of honor among the black-hat fraternity is now available as a series of step-by-step PDF guides for as little as 99¢.
The Research
My research team recently analyzed tens of thousands of listings across the five biggest dark web markets (Dream; Point; Wall Street Market; Berlusconi Market; and Empire) to create the latest update to our Dark Web Market Price Index and it’s clear that this dark economy has democratized cybercrime by effectively removing all previous barriers of entry.
Screencap from Dream Market listing
These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell hacking tools, along with all sorts of other contraband, such as illicit drugs, stolen info and weapons.
What We Found
Malware
Some of the most powerful items we found for sale on the markets were remote access trojans (RAT) with an average asking price of just $9.74.
This unpleasant strain of malware allows scammers to take full remote control of their victim’s computer. Not only can they log all keystrokes and access private files in order to commit identity theft and defraud the device owner, but it’s also disturbingly common for voyeurs to use these RATs for webcam spying.
We found listings for the notorious Blackshades RAT thought to have infected over half a million devices, which landed its creator in jail. This trojan also allows hackers to include infected computers in a botnet.
We also discovered RATs for use on the Android operating system, along with others written in Python and Visual Basic.
Branded Phishing
With phishing by far the dominant cyberattack vector, it’s little surprise that enterprising hackers are selling readymade spoof pages for hundreds of popular brands, ranging from Apple and Netflix to Walmart and Dunkin’ Donuts by way of Minecraft and League of Legends.
These typically go for about $2 each — except for outlier Apple, which will set you back $5 on average, showing just how much of a target their customers are for identity thieves looking for “fullz”, or the full package of identifying information that enables identity theft.
And the manual to tell you how to do it? Just $2.49.
Password cracking
A wannabe hacker doesn’t even need to bother to learn how to configure their password cracking tool to attack their target site.
Readymade configuration files for an endless list of sites also proliferate on the dark web markets for $2 each. All you need is a tool like SNIPR or Sentry MBA and a handful of these files and you can get started.
We actually found a huge list posted online of valid Spotify logins harvested using these tools.
Super-cheap hacking
Other pocket-change hacking tools that we found included keyloggers ($2.07), WiFi hacking software ($3), Bluetooth hacking tools ($3.48) and malware for draining Bitcoin wallets ($6.07).
What’s fascinating, if alarming, is a notable shift towards a service model in this dark economy. Competition is fierce and some of these cheaper tools are available on the clearnet (normal web), so vendors promise try to get an edge by offering customer support, lifetime guarantees and free guide resources to sweeten the deal. We’ve even seen money-off coupons offered on next purchases.
End-to-end cybercrime solutions
Wannabe fraudsters with a bit more to spend can begin forging official documents by purchasing templates that are listed for less than $14 on average.
Screencap of fake passport scan template on Dream Market
These Photoshop files come with highly detailed guides on how to make fake ID scans look as convincing as possible. All the buyer has to do is insert the personal information into the templates, which cover the full range of official documents, from passports and driver’s licenses to utility bills and pay stubs.
Combined with fullz procured through hacking tools bought elsewhere on the dark web markets, this is all that’s necessary to fraudulently apply for credit.
The dark web markets effectively offer an end-to-end solution for anyone wanting to learn how to commit identity theft and subsequent online fraud and then acquire the tools to carry it out.
Case in point, you can even buy access to anonymous postal lockers should you want to make fraudulent purchases for resale or refund. Sure, it might set you back $150 but that’s a snip for a secure drop.
Of course, there’s a choice of guides telling you all you need to know about stealthy use of the postal system ($3.35).
So what do we do about it?
So what does this mean? Well, we can’t put the genie back into the bottle. Two new marketplaces seem to spring up as soon as one is shut down. The lure of the $16.8 billion reportedly lost to fraud in 2017 in the US alone is only going to get stronger as the pot gets bigger.
As consumers, we have to take protecting our personal data seriously. Ignorance is no excuse. Good password hygiene, two-factor authentication, limiting the personal and payment information we allow online, using privacy tools, all that good stuff.
We have to be more mindful of the priority apps and sites places on security and take our business elsewhere if we aren’t satisfied.
As developers, we have to prioritize security over convenience and enforce those standards on our users, whether they like it or not, ideally making that security a selling point for our products.
And if that idealistic aim isn’t convincing enough, there’s now also the specter of GDPR, whose lower tier fines are up to €10 million or 2% of global turnover for failing to integrate data protection “by design and default” into services and products.
Cybersecurity — and digital privacy for that matter — must be baked in from the very start of every product development process.
If we can succeed making those values ingrained in our culture then these tools being sold so cheaply on the dark markets become all but worthless in the hands of anyone but the most skilled hackers.