Cyber security concept in dark style
Image: yurich84/Adobe Stock

The Dark Web is a small portion of the Internet, but it concentrates many cybercriminals and threat actors who generally exchange ideas, thoughts, tips, tricks and experience through hidden forums.

Many of these cybercriminals also sell various goods and services; Privacy Affairs has published a new report about the average prices of those services in 2022.

Credit cards and financial services

Credit card data can be bought in several forms: The usual credit card number, together with name, expiration date and CVV code. This stolen information is all that is necessary for cybercriminals to buy products or services online on other websites.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

The credit card information can be bought individually or at scale – the more cards purchased, the lower the price. The last two elements used to determine the price of the data is the bank’s country of origin, and when known, the balance of the account.

Valid credit card data with an account balance up to $5,000 USD are sold at an average of $120 in the Dark Web, though a single credit card can be sold for as low as $15.

In December 2021, according to the report, approximately 4.5 million stolen credit cards were available on the Dark Web.

Stolen financial services accounts are also sold. A stolen PayPal account with a minimum $1,000 balance is worth $20, while 50 hacked PayPal account credentials without a known balance are sold for an average of $150. Some data is more costly: A CashApp verified account may be worth up to $800, and a verified Stripe account with a payment gateway can be worth up to $1,000.

Cryptocurrency services are available too. These types of accounts need detailed information when registering, so some fraudsters make a business of creating accounts with fake IDs, driver’s licenses and passports before selling them. Such accounts vary in price from $90 for a account to $320 for an Xcoins exchange platform account.

Personally identifiable information, social media and forged documents

The business around identity is very important for cybercriminals. They use fake identities for credit fraud, registering for sensitive financial web services and anything else that requires a real identity.

Forged documents can be sold as a physical item or just a convincing scan. Physical passports are highly expensive: A passport from any country in the European Union can be sold at $3,800. Virtual IDs of any kind are much cheaper, sold for around $150.

Social media accounts are sold between $25 for a hacked Twitter account to $45 for a hacked Facebook account.

Malware and DDoS attacks

Malware infections are sold at various prices. Access to 1,000 high quality infected machines in Europe is worth $1,800, while 1,000 low quality infections in Europe are sold for $120.

The difference in these prices can be explained by defining high quality for malware infection: This means the compromised computer is always connected to the Internet at a fast transfer rate.

When it comes to distributed denial-of-service attacks, prices vary depending on the target. An unprotected target website can be hit at 10,000 to 50,000 requests per second for an hour for as low as $10 or $850 for a full month. A protected website can be hit with 20,000 to 50,000 requests per second, using multiple elite proxies, during one full day for $200.

Initial access data

One of the services that has boomed during the last year consists of selling valid accesses to corporate entities online. Initial access brokers have become more and more visible on the Dark Web and sell their services on many cybercriminal marketplaces.

According to Kaspersky, who recently analyzed nearly 200 posts on the Dark Web selling access to corporate networks, access usually ranges between $2,000 to $4,000.

While these amounts may seem modest compared to the tens of millions in profits made by ransomware operators often buying such accesses, they are often perceived as too expensive by skilled criminals who have the capability to penetrate a corporate environment themselves in just a few hours or minutes.

The most common types of access sold for those prices on the Dark Web are valid credentials for RDP access, which enables an attacker to impersonate an organization’s employee and get an initial foothold inside the corporate network (Figure A).

Figure A

Image: Kaspersky. Types of access sold on the Dark Web.

There appears to be no upper limit to these prices. Access data belonging to one company with revenues of $465 million has been witnessed for sale at $50,000, according to Kaspersky (Figure B).

Figure B

Image: Kaspersky. Sale of data for remote access to a corporate environment for $50,000 USD.

How to protect from identity and data theft

Keep every system and software always up to date and patched. Multi-factor authentication also needs to be deployed in every system that accepts connections from the Internet, including RDP, FTP, webmail and web panels administration.

Regular awareness campaigns need to be done for every employee to avoid falling for phishing scams, and employees should be taught not to reveal too much about themselves on social networks.

Information such as credit card numbers or IDs should never be stored unencrypted anywhere on the network.

It is also possible to monitor for leaks on most of the Dark Web’s cybercriminal forums and marketplaces to look for brands and company names. Since that activity is highly time-consuming, some cybersecurity companies do provide such services.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays