Hacking is a business -- and business is good

Price lists, Black Friday discounts, and hacking as a service are all part of the increasingly sophisticated underground economy of cyber crime

Parents freaked out when hackers stole millions of records from VTech, a Hong Kong-based toy maker. Because the records included information on at least 200,000 children, those mothers and fathers were probably more worried about kidnappings and child pornography than financial mischief.

But hacks like the attack on VTech are almost never related to violent crimes -- they're about money. Though the hackers' haul didn't include credit card numbers, the data dump was likely a precursor to a serious financial hack enabled by the personal information stolen from VTech, says Amit Ashbel, a cyber security analyst at Checkmarx, an application security firm.

Hacking has become a sophisticated global business, with published price lists, New Year's sales, and an etiquette all its own. The more information a hacker can supply to a potential customer, the more it is worth.

A credit or debit card number with the three-digit code on the back sells for only $5 to $8 in the United States, according to a recent report called "The Hidden Data Economy" by McAfee Labs. But add "fullzinfo" -- details about the card and its owner, such as full name, billing address, payment card number, and expiration date -- and the value zooms to $30 in the United States and $45 in the European Union.

In a sense, the dark economy is becoming a funhouse mirror of the above-ground tech economy, with hackers playing the role of service providers. "The growth of the as-a-service economy across all components of an attack (research, cyber crime tools, and infrastructure) continues to grow, and none more so than hacking as a service," write the authors of the McAfee report.

Cyber thieves have sales, too

When hackers penetrated Target's defenses in late 2013, they made off with a trove of financial information belonging to some 40 million customers. Before long, the laws of supply and demand kicked in, and the price of stolen credit card numbers plunged as the supply soared, McAfee's Raj Samani and Jim Walter wrote at the time. Visa cards with big balances lost more than half their value.

Similarly, spammers selling huge numbers of email addresses cut prices from time to time to goose sales. Below is an ad that McAfee discovered. Notice that it includes a shopping cart, exactly like the checkout function you'd see on any e-commerce site.

[Image: Florida cyber thief ad. Source: McAfee Labs]

Not all fraudsters want to spread a net as wide as 10 million people. Some campaigns may target specific users of a service, a particular bank, an Internet service, or even a specific profession -- such as doctors -- for a higher price, as the ad below shows.

[Image: cyber thief doctor ad. Source: McAfee Labs]

How do bad guys pay for stolen stuff? Bitcoin and other hard-to-track payment mechanisms, including Web Money, Lesspay, Western Union, and MoneyGram, are gladly accepted.

Welcome to crimeware as a service

The dark Web is rife with message boards run by hackers, say the McAfee researchers. The boards are a virtual shopping mall for stolen data and credit card numbers -- but, like a legitimate marketplace, they also sell tools and services.

"It is not uncommon to also be able to acquire specific software tools of the trade or the services of those that will use said tools for you so as to distance yourself (or your customer) from some of the risk," they write.

Hackers advertise lessons in programming needed for specific types of exploits, or purchasers can acquire developed code to conduct their attacks. For example, attackers who want to acquire information can buy a Trojan horse, a malicious program concealed within a legitimate file, say McAfee's researchers.

There is also the opportunity to rent as opposed to buying. The CritX toolkit, for example, charges by the day. It was recently advertised for $150 per day, they note.

Not knowing a language isn't a hindrance. Services provide translations to support non-native speakers in their efforts to communicate with potential victims.

It may be scant comfort for the victims of identity theft, but hackers get ripped off, too. One seller quoted by McAfee refers to this dishonor among thieves in an opening pitch: “ARE YOU FED UP OF BEING SCAMMED, AND RIPPED? ARE YOU TIRED OF SCAMMERS WASTING YOUR TIME, ONLY TO STEAL YOUR HARD-EARNED MONEY?”

Hard to feel sorry for them, isn't it?

The series of reports by McAfee does much to explain the prevalence of cyber crime. The business is as well organized as many legitimate businesses, it's superprofitable, and it's relatively low-risk because so few hackers are arrested.

And because the exploits of hackers are growing so common, too many people are becoming numb to the threat, say the researchers. After all, it's the banks, not the credit card holders, who take the hit. That's a mighty shortsighted view, one that the hackers are happy to see us adopt.

Copyright © 2015 IDG Communications, Inc.