FOR a first-time home buyer, the experience of being handed that set of keys is exhilarating. You’ve jumped through lots of hoops to get to this moment, and now you’re going to reap the reward.
But what if a novice cybercriminal could get the keys to your company’s network for just a few thousand dollars and turn a profit of tens or hundreds of thousands, if not millions?
In 2018, CyberSecurity Malaysia through Malaysia Computer Emergency Response Team (MyCert) reported 62 ransomware incidents involving different kinds of variants from Malaysian and non-Malaysian parties.
According to International Data Corporation (IDC)’s latest survey, more than one third of organisations worldwide have experienced ransomware attacks or breach incidents that blocked access to systems or data within the past 12 months.
The initial break-in has already occurred, and now the focus turns to the monetisation of that unauthorised access via fraud, extortion, or other means.
The criminal-to-criminal marketplace
The “criminal-to-criminal” marketplace is a key driver of criminal threats. Few cybercriminal operations are truly autarchic or self-sufficient, with full “vertical integration.”
Many cybercriminals specialise in specific fields in which they can perform optimally or more cost-effectively.
This specialisation allows the various stages and components of the cybercriminal “kill chain” to function at closer to maximum efficiency.
They turn to other, equally-specialised vendors to acquire other components in areas beyond their own specialty.
There have long been specialised vendors for malware payloads, other malicious tools, hosting infrastructure, and the other components of cybercriminal operations.
This specialisation has now progressed to the point that there are now specialised vendors who provide compromised network access as well.
Cybercriminals no longer need the ability to compromise a network; now they can just buy that access from another criminal.
Like any e-commerce community, underground criminal forums aim to establish a “circle of trust” that enables criminals to do business with each other with a reasonable degree of confidence.
The risk that a buyer or vendor will rip off, cheat, or defraud a vendor or customer is a significant concern for them, as is the risk of unwittingly doing business with undercover law enforcement or security researchers.
Cybercrime forum users can vet prospective vendors or buyers by reviewing their history and status, and the feedback or ratings that they have received from other users, so as to develop confidence in them.
Many of these communities use escrow systems to instil further confidence in large purchases by entrusting funds to website administrators as a transaction proceeds.
The risk of receiving negative feedback or being reported to website administrators serves as an additional deterrent to misconduct.
Bargain basement prices
Pricing varies considerably from one network access sale to another, but most prices are low enough that they do not constitute a significant barrier to entry.
Our statistical analysis for the Selling Breaches white paper found a median price of US$3,000.
Most prices are in the four-figure range, with more expensive offerings in the five-figure range and cheaper ones in the three-figure range.
IntSights found prices as low as US$240 and as high as US$95,000; however, the lower end of this scale – as is reflected in our median figure – is much more common.
Factors that can influence pricing include the extent and privilege level of the access; the size and value of the victim as a source of criminal revenue; the industry and location of the victim; and the sales strategies of the various sellers.
Some offers do not specify a price, allowing prospective buyers to make their own offers and name their own prices, while others take the form of auctions.
Higher privileges and larger networks generally increase the price of the offering.
Victims in wealthy, English-speaking economies are generally more desirable, hence the disproportionate percentage of identified victims in North America (37.5%).
We nonetheless found unauthorised access to North American companies on sale for as little as US$500.
When you compare the immense financial losses that a breached company suffers with the much smaller-scale financial transactions taking place on these criminal forums, the challenge becomes painfully clear.
In Malaysia, the Ministry of Communications and Multimedia are committed to sustaining the country’s cybersecurity ecosystem under the Cyber Security Empowerment Programme (SiberKASA).
This is also in line with the Malaysia Cyber Security Strategy (MCSS) 2020-2024 and Malaysia Digital Economy Blueprint (MyDIGITAL). – Sept 3, 2021
Paul Prudhomme is Head of Threat Intelligence Advisory at IntSights, a Rapid7 Company.
The views expressed are solely of the author and do not necessarily reflect those of Focus Malaysia.
