Revealed: The Supermarkets That Will Sell You Malware For $50

If you think that organized crime syndicates with master hackers doing the bidding of a “capo dei capi” Mafia figure are the order of the cybercrime day, think again. While there are, no doubt, multiple organized crime organizations involved in everything from phishing and fraud through to hacking and extortion, the day-to-day reality is a lot more mundane.

New research, published today, reveals the real reason why there is so much cybercrime: finding, buying and deploying malware, ransomware and more has never been easier or cheaper. Darknet forums have become the online supermarkets of cybercrime, stacking the criminal tools high and selling them cheap.

The bar for entry into the cybercriminal club has never been so low. In fact, anyone can join; advanced technical knowledge isn’t needed, nor are deep pockets. These darknet cybercrime marketplaces even offer free updates and tech support. Oh, and you can find them with the simplest of Google searches.

Cybercrime supermarket sweep

Researchers from CyberNews explored multiple cybercrime marketplaces in order to analyze the cost and availability of malware tools and the support networks behind them. What they found may well shock some readers: off-the-shelf malware is now easier to find, cheaper to buy, and so easy to use that almost anyone can become a cybercriminal as long as they have their Bitcoin wallet to hand.

The troubling thing is that these marketplaces aren’t tricky to find. Anyone with access to Google can track down hundreds of such markets in a matter of seconds. Link lists of hacking sites and “security boards” exist as categorized directories, indexed by country, that enable the would-be cybercriminal to go shopping in just a couple of clicks.

MORE FROM FORBESHack Attack Takes Down Dark Web Host: 7,595 Websites Confirmed DeletedBy Davey Winder

Although the researchers found plenty of free malware tools being offered, these come with the most risk attached for the user. Anyone serious about becoming a professional cybercriminal is going to give the freebies a very wide berth. The worrying thing is that advanced tools, complete with free updates and technical support, can cost as little as $50 (£40) and be found on forums operating quite openly online. You don’t need to be a programmer to use these tools; they really are off-the-shelf packages.

However, the CyberNews researchers did find that the “quality” of offerings from the easiest to find, open to anyone, marketplaces was very inferior to that of products traded on invite-only forums. The latter, mostly operated by veteran Eastern European criminals, is where the highest-grade malware tools are sold to the most serious of criminal actors.

“It’s safe to say that malware creators can come from many walks of life, but they usually hail from countries and regions where cybercrime legislation is not strictly enforced, while at the same time, talented and tech-inclined people don’t have many opportunities for gainful employment,” a CyberNews spokesperson says. This means that there’s a “constant, abundant supply of people eager to enter this lucrative profession,” the spokesperson concluded.

MORE FROM FORBESHacker Claims Popular Android App Store Breached: Publishes 20 Million User CredentialsBy Davey Winder

How much does it cost to become a cybercriminal?

The real cost of cybercrime is measured not in how much the perpetrators pay for their tools, but rather in the misery caused to victims, both large and small, corporate and personal. However, the financial cost of becoming a cybercrime player is depressingly minimal. The CyberNews research reveals that data-stealing Trojans that can grab passwords, credit card data, and even images from webcams can be bought for as little as $50 (£40) including tech support. Need a platform from where to launch your nefarious payloads? A basic, barebones, modular malware bot can be yours for $400 (£322.50), and remote access Trojans (RATs) that enable the complete takeover of a computer start at $800 (£645) with support.

Although, when it comes to ransomware, most sellers provide this on a Cybercrime-as-a-Service (CaaS) basis for a rental fee. CyberNews researchers found it was possible to buy ransomware building packages designed for attacking large corporates for a monthly $800 (£645) fee. The most expensive items on the cybercrime shopping list were banking Trojans. The type that comes disguised as legitimate software, but which can access online bank account details were on sale for $5,000 (£4,025), including technical support.

MORE FROM FORBESHow This Chinese Google Hack Has Made Working From Home SaferBy Davey Winder

Defending against the cybercrime supermarket economy threat

The return on investment when it comes to cybercrime tools is measured in successful ransom attacks, blackmail, fraud and the sale of intellectual property, according to Ian Thornton-Trump, CISO at Cyjax. “When you see prices for both the malware and the data it’s stolen go down if you apply the law of supply and demand, it means there is an oversupply of CaaS platforms and stolen data in the system,” Thornton-Trump says. But there is an upside, according to Thornton-Trump. “Honestly, I like cheap easy to buy malware because that malware should be able to be scooped up by counter cyber threat intelligence operators, reverse engineered, heuristically examined, indicators of compromise (IOC) and definitions created.”

The CyberNews team told me that “the increasing availability and decentralization of malware tools means that cybersecurity professionals will have to keep up, and proactive cyber intelligence might be an answer. The better we understand how malware is created, traded, and exploited by cybercriminals, the quicker the countermeasures can be deployed.”

Thornton-Trump, a cyber-intelligence specialist, warns that rapid digital transformation without an accompanying IT and security skillset investment, possibly driven by Covid-19 work from home culture, has made things even easier for the criminals. “In the current climate with COVID-19 mass migration to work from home,” he says, “if you don’t have 2FA on VPN or web services and you are open to the world, and your number is going to be punched any day now by cybercriminals.

In other words, apply 2FA to everything, and buy additional licenses to extend security solutions to those working from home. “Sure, it’s going to cost a bit,” Thornton-Trump concludes, “but those are real and easily deployable things IT and security can do to prevent cybercriminals from further success.”