Honor among cyber thieves, the professional side of the dark web
Much like the legitimate eCommerce world, trust and reputation have become essential parts of the cybercriminal trade. New research by HP Wolf Security finds 77 percent of cybercriminal marketplaces analyzed require a vendor bond -- a license to sell -- which can cost up to $3,000.
In other evidence of a professional approach, 85 percent of these sites use escrow payments, and 92 percent have a third-party dispute resolution service. Every marketplace provides vendor feedback scores too. Cybercriminals also try to stay a step ahead of law enforcement by transferring reputations between websites -- as the average lifespan of a dark net website is only 55 days.
The HP Wolf Security threat team worked with Forensic Pathways, a leading group of global forensic professionals, on a three-month dark web investigation, scraping and analyzing over 35 million cybercriminal marketplaces and forum posts in a bid to understand how cybercriminals operate, gain trust, and build reputation.
The findings show that malware is easily available and cheap. Over three quarters (76 percent) of malware advertisements listed, and 91 percent of exploits retail for under $10, while the average cost of compromised Remote Desktop Protocol credentials is just $5.
"Unfortunately, it's never been easier to be a cybercriminal. Complex attacks previously required serious skills, knowledge and resource. Now the technology and training is available for the price of a gallon of gas. And whether it's having your company ad customer data exposed, deliveries delayed or even a hospital appointment cancelled, the explosion in cybercrime affects us all," says report author Alex Holland, senior malware analyst at HP.
Cybercriminals are focusing on finding gaps in software that will allow them to get a foothold and take control of systems by targeting known bugs and vulnerabilities in popular software. Examples include the Windows OS, Microsoft Office, web content management systems, and web and mail servers. Kits that exploit vulnerabilities in niche systems command the highest prices (typically ranging from $1,000-$4,000). Zero days can retail at 10s of thousands of dollars on dark web markets.
The report warns that businesses should prepare for destructive data denial attacks, increasingly targeted cyber campaigns, and cybercriminals using emerging technologies like artificial intelligence to challenge organizations’ data integrity.
"We all need to do more to fight the growing cybercrime machine," says Dr. Ian Pratt, global head of security for personal systems at HP. "For individuals, this means becoming cyber aware. Most attacks start with a click of a mouse, so thinking before you click is always important. But giving yourself a safety net by buying technology that can mitigate and recover from the impact of bad clicks is even better."
The full report is available from the HP site.
Image credit: cristovao/depositphotos.com