Written by Doug Woodburn for CRN:
Cybercriminals can now purchase DDoS attacks for $2 (£1.32) an hour from a rampant online marketplace of tools and services.
That is according to a new white paper analysing the growth of the “as-a-service” nature of cybercrime penned by two senior technical bods at security vendor McAfee.
The study seeks to shatter the perception that all cybercriminals are technical masterminds. Instead, all they need to bring a global corporation of their choosing to its knees is a credit card.
“We are witnessing the emergence of a whole new breed of cybercriminal. As a result, the volume of cyberattacks is likely to increase…” said report authors Raj Samani, vice president and chief technology officer EMEA and Francois Paget, senior threat research engineer at McAfee.
The study highlighted a service offering to launch a DDoS attack on behalf of would-be attackers from as little as $2 per hour, for a one- to four-hour attack. A DDoS attack lasting five to 24 hours was priced at $4 an hour, with a 24- to 72-hour attack costing $5 an hour.
The service simply required attackers to inform it of which site they wish to launch a DDos attack against, decide how much they are willing to pay, and initiate the service. The service also earnestly admitted that it does not offer refunds “due to the nature of our business”.
“What may surprise many of us is the low cost of the service,” Samani and Paget wrote. “This may demystify the sophisticated portrayal of today’s hacker.”
This is just one example of a vast array of services and tools that make up a tumescent online marketplace wannabe cybercriminals can use to gather components of a cyberattack – or outsource the process altogether, the study found.
Prospective attackers can use the marketplace to procure stolen credit card numbers and online banking login information. In the US, the credit card number of a Visa Gold/Premier credit card will fetch $25. This figure rises to $100 if a PIN is supplied and $200 with a PIN and good balance. An AMEX Gold card with the credit card number alone goes for $50.
Stolen bank login information commands a higher price than credit card numbers, with prices ranging from two to 10 per cent of the account’s balance.
Exploits can be purchased to take advantage of vulnerabilities, but they can also be rented. The CritX toolkit, for instance, charges by the day and recently advertised for $150 a day, Mcafee said. Meanwhile, so-called “bulletproof” hosting providers – firms which knowingly provide web or domain hosting to cybercriminals – can charge between $50 and $400 for their services per month.
Troels Oerting, head of EC3 European Cybercrime Centre – who wrote the white paper’s foreword, said: “Today’s cybercriminals do not necessarily require considerable technical expertise to get the job done, nor, in certain cases, do they even need to own a computer. All they need is a credit card.
“A marketplace offering cybercrime tools and services provides would-be criminals with an arsenal that can either be used as a component of a cyberattack or a handy way of outsourcing the process entirely.”