In November 2017, Fortune, leveraging data from Recorded Future, ran this sobering graphic on the price of various hacker tools, spanning personal records, attacks, and even services.
In the article, they quoted a statistic from Cybersecurity Ventures stating the global cost of hacking at $3 Trillion (with a T!) in 2015 will increase to $6 Trillion in 2021.Welcome to the era of Hacking-as-a-Service (HaaS).
How does the advent of HaaS impact the average consumer or employee? Why should they be concerned? I personally maintain a credit card virtual ‘go bag’ listing the 10-15 calls or emails I need to make when I receive the semi-annual notification that my primary credit card has been compromised.
Looking at each category in turn –
Personal (PII) data includes everything from credit card numbers and records, cost $10 or below, to social security numbers, unfortunately, just as inexpensive. A step up are ‘excellent’ credit reports and medical records (e-PHI), sold for $100 and above. Not surprising that credits scores of 650 or less have no value. For those interested, email passwords and such are so cheap as to be left in the noise. But how do hackers obtain the above? The easiest are HaaS, available through Tor and other back alleys of the Internet.
An individual hacked email account, social media account, or website will run you anywhere from $100 to $600, a small price to pay for the resulting havoc. Then there are the spam services, with just a 2x difference between simple inconvenience (‘white’ spam) at $200 per million emails sent, and truly malicious emails. But serious hackers don’t stop there.
Attack tools are where one has access to the software, malware, and ransomware that makes it all worthwhile for the hacker. DDoS software runs around $700, RDP forcing tools at $100, and even Ransomware licenses at $50, a 20x decrease in the past year. Licensing a banking Trojan like Zeus or Dridex for under $5K is no more difficult than signing up for Office 365.
Probably the most disturbing part of the infographic was not the variety and cost of the various tools and attacks, but the lack of counterattacks and remediation. Leaves you hanging! In the next blog, I look at potential solutions.
