Cybercrime Black Markets: RDP Access Remains Cheap and Easy

Also Hot: Payment Card Numbers, Identity Packets, DDoS Attacks, Shell Companies

The incidence of cybercrime continues to increase, in part due to the easy availability of inexpensive hacking tools and services on the black market.

Indeed, a thriving cybercrime-as-a-service ecosystem continues to aid criminals at every step: gaining access to infected PCs, using malware to steal data, crypto-locking systems with ransomware, employing money mules to cash out attacks (including via physical goods and gift cards), and tapping bitcoin tumbling or mixing and other money laundering services to hide illicit revenue streams (see: Why Cybercrime Remains Impossible to Eradicate).

Procuring goods, services and stolen data continues to be disarmingly inexpensive, thus facilitating the business of cybercrime.

A recent review of 12 English- and Russian-language cybercrime markets, for example, found U.S. credit card data with CVV numbers being sold for an average of $5 to $12 each, increasing to up to $25 for records that also included the cardholder's date of birth and their bank's identity number. U.S. cards sold for less than U.K. cards, which retailed for $17 on average.

The research, conducted by the threat resistance unit at cloud security vendor Armor, found the usual array of offerings that remain commonplace on underground cybercrime markets. These include access credentials for bank checking and savings accounts, full identity packets - aka fullz - distributed denial-of-service and spamming services, stolen medical records, as well as remote desktop protocol credentials for as-yet-unhacked Windows servers. Such marketplaces are typically "darknet" sites, meaning they're hosted on the anonymizing Tor network.

Some tools and services are more expensive than others. While ATM skimmers retail for an average of $500 to $1,500, and the Emotet banking Trojan retails for $1,000, ransomware-as-a-service package Ranion is available for only a $120 monthly subscription, DDoS-on-demand attacks cost just $60 per hour, 51,000 spam emails can be commissioned for $61, and access to unhacked RDP servers costs just $20, Armor reports.

Over the past year, there have been some shifts in the cybercrime-as-a-service landscape. For example, stolen U.K. payment cards, with CVV, currently sell for an average of $17, compared to $22 one year ago. The firm's security researchers suspect this is due to a supply glut, "after a spate of card-skimming attacks hit hundreds of e-commerce websites, including organizations operating in the U.K. such as British Airways, Marriott, Ticketmaster and others," they write in Armor's second annual Black Market Report (see: Magecart Nightmare Besets E-Commerce Websites).

Bitcoins Fuel Illicit Sales

Despite the dollar signs on those offerings, Armor found that the vast majority of transactions continue to be conducted exclusively in bitcoins. "Bitcoin is also used as the primary payment mechanism in the case of ransomware, although there have been instances of payments being required in monero (Kirk, SpriteCoin ransomware), bitcoin cash (Thanatos ransomware), ethereum (HC7 Planetary ransomware), and Dash (Anatova ransomware)," they write.

The scale of the cybercrime underground is reflected by a December 2018 study by three Sydney, Australia-based researchers, who found $76 billion in illegal activity tied to the use of bitcoins. Their report, "Sex, Drugs, and Bitcoin: How Much Illegal Activity Is Financed Through Cryptocurrencies?" found that 46 percent of all bitcoin transactions involved illegal activity, facilitating the continuing rise of "black e-commerce" markets.

Money Mules Tap Shell Corporations

Money-mule services also continue to thrive because criminals continue to require ways to move large amounts of cash (see: Don't Be a Money Mule for the Holidays).

Many money mule services appear to stay in business, and avoid having their bank accounts shut down or seized, by using shell corporations, which the cybercrime underground also supplies, Armor reports.

"There is no shortage of scammers on the underground offering to sell sole proprietorship papers complete with an Employer Identification Number (EIN), also known as Tax Identification Number (TIN)," Armor's researchers write. "An EIN is a unique, nine-digit number assigned by the IRS to business entities operating in the U.S. for the purposes of opening a bank account or filing tax returns."

One seller, Armor found, was offering sole proprietorship papers and an EIN for about $1,600, while another was offering an EIN and articles of incorporation for about $800. Provided such paperwork looks sufficiently legitimate, "money mules can open business bank accounts, enabling them to move larger amounts of money in and out of the account without drawing unwanted attention to their activities," Armor reports.

Medical Records Fuel ID Theft

Cybercrime forums also continue to sell stolen medical records, which are bought expressly to facilitate identity theft. "Most medical records contain everything one needs for identity theft: full name, address, birth date, phone number, email address, social security number, credit card number or checking account number, and emergency contact - which is often a family member," Armor's researchers write.

Even so, the researchers say they found far fewer medical records for sale than they anticipated, given that Privacy Rights Clearinghouse counts 266 medical organizations having been hacked so far this year, resulting in at least 23.5 million medical records having been exposed. They suspect that rather than selling medical records, many sellers first ransack the records for personally identifiable information and then sell this PII directly, without bothering to mention its origin.

Easy Remote Access via RDP

Cybercrime forums also continue to sell access credentials marketed as being for unhacked RDP servers (see: How Much Is That RDP Credential in the Window?).

These retail for about $20 per RDP server in Europe and the U.S., rising to $25 for servers based in Japan and Australia. Remote desktop protocol is a legitimate access technique used by many organizations to provide remote access to networks and endpoints. But unless organizations lock down and carefully monitor RDP access, it can be abused by attackers to gain direct access to corporate infrastructure.

In February, incident response firm Coveware reported that for the ransomware victims it was assisting, the ones that were able to trace the source of the attacks said that 85 percent of the time, it began with illicit RDP access (see: Ransomware Victims Who Pay Cough Up $6,733 (on Average)).

"Gaining access to servers via exposed RDP endpoints continues to be an attractive target for malicious actors," David Stubley, head of incident response firm 7 Elements in Scotland, tells Information Security Media Group.

Some intrusions his company investigates continue to trace to brute-forced or stolen RDP credentials that may result in ransomware infections, but typically only as a final, most visible stage of an attack that may have already been running for weeks or months. Before that, he says, attackers may gain remote access to a targeted environment and ransack it for valuable information, then sell the access credentials to others, unless they simply unleash crypto-locking malware themselves as a final attack-monetization move (see: Cybercrime Markets Sell Access to Hacked Sites, Databases).
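The monitoring the article calls for can start with the Windows logon audit trail: a burst of failed RDP logons from one source address followed by a success is the signature of the brute-forced credentials described above. The script below is an added example, not code from Armor or the article; it runs over constructed, simplified Security event lines (Event ID 4625 = failed logon, 4624 = success, LogonType 10 = RemoteInteractive, i.e. RDP), and the threshold and window values are assumptions.

```python
# Added example, not from Armor's report or the article: flag RDP brute-force
# bursts that end in a successful logon. Log lines are constructed, simplified
# Windows Security events: 4625 = failed logon, 4624 = success, LogonType 10 =
# RemoteInteractive (RDP). Thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime

FAIL_THRESHOLD = 5     # assumed: failures from one source before we care
WINDOW_SECONDS = 600   # assumed: sliding ten-minute window

# Constructed sample events (RFC 5737 documentation addresses, not real data).
SAMPLE_LOG = """\
2019-03-01T02:00:01 EventID=4625 LogonType=10 User=admin SrcIP=203.0.113.9
2019-03-01T02:00:03 EventID=4625 LogonType=10 User=administrator SrcIP=203.0.113.9
2019-03-01T02:00:05 EventID=4625 LogonType=10 User=backup SrcIP=203.0.113.9
2019-03-01T02:00:07 EventID=4625 LogonType=10 User=svc_sql SrcIP=203.0.113.9
2019-03-01T02:00:09 EventID=4625 LogonType=10 User=svc_sql SrcIP=203.0.113.9
2019-03-01T02:00:11 EventID=4624 LogonType=10 User=svc_sql SrcIP=203.0.113.9
2019-03-01T02:05:00 EventID=4625 LogonType=10 User=jdoe SrcIP=198.51.100.7
2019-03-01T02:06:00 EventID=4624 LogonType=10 User=jdoe SrcIP=198.51.100.7
2019-03-01T02:07:00 EventID=4624 LogonType=2 User=jdoe SrcIP=-
"""

def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a parsed ts."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev

def find_rdp_bruteforce_success(log_text):
    """Return (src_ip, user) for each RDP success preceded, within the window,
    by at least FAIL_THRESHOLD RDP failures from the same source address."""
    failures = defaultdict(list)   # src_ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["LogonType"] != "10":    # ignore non-RDP logons (console, etc.)
            continue
        src, ts = ev["SrcIP"], ev["ts"]
        # drop failures that have aged out of the sliding window
        failures[src] = [t for t in failures[src]
                         if (ts - t).total_seconds() <= WINDOW_SECONDS]
        if ev["EventID"] == "4625":
            failures[src].append(ts)
        elif ev["EventID"] == "4624" and len(failures[src]) >= FAIL_THRESHOLD:
            alerts.append((src, ev["User"]))
            failures[src].clear()      # one alert per burst
    return alerts
```

On the sample data only the 203.0.113.9 burst is flagged; the single failure from 198.51.100.7 and the console (LogonType 2) logon are ignored, which is the usual trade-off between catching sprays and drowning in typo alerts.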

As with so many aspects of the cybercrime underground today, criminals have access to a variety of inexpensive hacking options, and attackers don't appear to shy away from putting them to work.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
