Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Initial Access Brokers: Credential Glut Weakening Prices?

Criminal Services Facilitate Cybercrime Gangs' Rapid Access to Hacked Sites
Initial Access Brokers: Credential Glut Weakening Prices?
Initial access brokers often withhold victims' names to not tip off hacked organizations. (Source: Digital Shadows)

Initial access brokers continue to ply their trade, selling immediate access to hacked sites to make it easier for gangs to steal data and crypto-lock systems. But security researchers say an overabundant supply of access credentials appears to be driving down the prices being commanded on cybercrime forums and markets.

See Also: Live Webinar | Digital Doppelgängers: The Dual Faces of Deepfake Technology

Researchers say criminals, especially those waging ransomware attacks, are relying more than ever on the services of initial access brokers so they can compromise more victims and potentially generate greater profits via ransom payoffs.

Using initial access brokers also helps ransomware-wielding gangs practice big game hunting - taking down larger targets in an attempt to score larger ransoms - by giving them a menu of options from which to choose rather than having to take down victims themselves (see: Ransomware's Helper: Initial Access Brokers Flourish).

"When criminal malware operators purchase access, it eliminates the need to spend time identifying targets and gaining access, allowing for increased and quicker deployments as well as higher potential for monetization," cybersecurity firm CrowdStrike noted in a report issued earlier this year.

Ransomware incident response firm Coveware reports that in Q4 of last year, the average ransom paid by a ransomware attack victim was $154,108. So the investment in paying for access that someone else has already harvested is a fraction of the average payoff a gang receives when a victim does pay a ransom.

Buying Access, For Less

An overabundant supply of access credentials on criminal marketplaces appears to be driving down prices, according to Digital Shadows, which sells digital risk protection solutions.

The firm reports that while it found about 500 initial access listings throughout all of 2020 across cybercrime forums, darknet marketplaces and beyond, in the first quarter of this year, it has already counted 225 such listings. Of those, 45% were for victim organizations in Europe and 29% for those in North America.

Digital Shadows counted 225 access credential listings by 14 brokers in Q1. But not all brokers list every access for sale. (Click to enlarge.)

Meanwhile, Digital Shadows found last year that the average price for buying access credentials to a victim's website, when a listing named a price, was about $7,100 - typically payable in bitcoins. But in Q1 of this year, the average price had plummeted to about $1,900.

"The most surprising piece of data that we observed in the first months of 2021 is the drastic drop of the average price per listing - by 73%," Stefano De Blasi, a threat researcher at Digital Shadows, tells Information Security Media Group.

The type of access being sold by initial access brokers in Q1 2021 (Source: Digital Shadows)

"Why the change? We chalk it up to the laws of supply and demand," De Blasi says in a Tuesday blog post.

Popular access types and their average prices in 2020 (Source: Digital Shadows)

One of the steepest declines came in the average price paid for remote desktop protocol credentials, which Digital Shadows says accounted for 76% of all access being offered in Q1. These were selling for $481 each, which was a fraction of what they typically cost in 2020.

"So it might be that criminals have increasingly noted the business opportunity in just selling access to organizations but have been met with more competition - and hence lower prices - in the market," he says. "However, differences in the geographic location and industry of the targeted companies likely influenced the observed, average price."

The average dollar price for access being sold in Q1 2021 across different industries (Source: Digital Shadows)

Supply Continues to Increase

The apparent rise in Q1 supply mirrors a trend that security firms previously reported: The number of initial access vendors appears to increasing year after year, and the overall number of hacked sites for which access is being sold continues to increase.

In 2018, the sum of all prices for access information being offered by about 37 initial access brokers was about $1.6 million, according to cybersecurity firm Group-IB. But for the first half of 2020, the sum of all such access being sold had increased to $6.2 million.

For Q4 of 2020, threat intelligence firm Kela found that 10 sellers dominated the initial access broker landscape, accounting for more than half of all listings.

Kela says that during Q4 2020, just 10 sellers appeared to account for nearly half of all initial access broker listings across three cybercrime forums.

Also, credential prices vary widely depending on the type of organization involved. "For example, the engineering and construction sector targets consisted mainly of European countries and maintained a relatively low average access price of $193," Digital Shadows' De Blasi says. But access to victims in the technology sector, most of which were U.S.-based, commanded a much higher price - an average of $1,045, he said.

Gangs Seek Partners

Reviewing access brokers' listings doesn't provide a complete picture of how brokers and gangs work together.

Victoria Kivilevich, a threat intelligence analyst at Israeli cyberthreat intelligence monitoring firm Kela, earlier this year reported that crime gangs don't just communicate with initial access brokers via darknet markets, forums and other cybercrime sites. Some also appear to be partnering with gangs to give them first right of refusal on new offerings.

Initial access brokers leave feedback for a buyer in a thread started by the buyer. (Source: Kela)

In addition, much sales activity apparently happens outside of a crime forum. "Brokers often offer a bunch of accesses in one thread and request potential buyers contact them privately to get the whole list," Kivilevich says. "Some of them are looking for one buyer and state that they’re ready to work for a percentage, most likely meaning a share from the amount gained in a successful ransomware attack."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.