A complete bundle of personal information hackers require to steal identities is available on the underground for as little as $25.
The data, known as Fullz in underground parlance, includes name, address, phone number, date of birth, Social Security or EIN numbers, email address with password and possibly bank account or payment card information with credentials. The information has slightly more value if you are from Europe, the United Kingdom, Canada, Australia or Asia, pushing the price up to around $40.
These facts and many more are among the findings of a report aptly titled, “The Underground Hacking Economy is Alive and Well.” Published by Dell, the report, orchestrated by Joe Stewart, director of malware research for SecureWorks’ Counter Threat Unit (CTU), and independent researcher David Shear, investigates the online marketplace for stolen data, paying particular attention to what is being sold, and for what cost.
As if the $40 Fullz price tag isn’t deflating enough, the going rate for the username-password combination for a bank account with between $75,000 and $150,000 is $300 or less, depending on which bank. For the most part, the report did not show a significant rise or fall in prices for stolen data. However, the cost for Fullz and online bank account credentials did drop slightly.
“In 2011, the CTU saw hackers selling US bank account credentials with balances of $7,000 for $300,” wrote Dell’s Elizabeth Clarke on SecureWorks’ website. “Now, we see accounts with balances ranging from $70,000 to $150,000 go for $300 and less, depending on the banking institution where the account is located. In 2011, we also saw hackers selling Fullz for anywhere from $40 to $60, depending on the victim’s country of residence. Fullz are now selling between $25 and only go up to $40, depending on the victim’s location.”
The report also examined the cost for other hacking services such as DDoS attacks, exploit kits, and bundles of malware-infected machines (bots). Hacking into a website for example, would cost you somewhere between $100 and $300, depending on the site and the reputation of the hacker-for-hire. The cost for doxing – gathering the information that constitutes Fullz–is between $25 and $100.
With bots, buying in bulk saves. A bundle of 1,000 zombie machines costs $20, while 5,000 costs $90, 10,000 costs $160, and 15,000 costs $250.
“Infected computers in Asia tend to sell for less,” Clarke wrote. “It is thought that infected computers in the U.S. are probably more valuable than those in Asia, because they have a faster and more reliable Internet connection.”
Exploit kits are expensive. Stewart and Shear discovered an array of remote access Trojans selling for anywhere between $50 and $250, mostly advertised as “fully undetectable” or – coincidentally – FUD, meaning the kit would not be detected by antivirus products. These products could also have additional costs depending on how much work with command and control servers and configuration the buyer was interested in doing.
Buyers could reportedly rent the Sweet Orange Exploit Kit for $450 per week or $1800 per month, which is more expensive than the Blackhole Kit, which went for $700 per three months, $1,000 for six months, and $1,500 per year.