Cost of a cybercrime business venture

Whenever someone says something to me about “cyber security” being challenging or being a secure job field, I give them a 15-second sound bite about how the bad guys are specializing, becoming experts in their field, and then selling their services and/or data to someone else. For example, some bad guys specialize in writing exploit code. Others specialize in delivering the code to target machines and extracting user credentials. Others specialize in monetizing the credentials. And so it goes. The dark web is used to, essentially, openly advertise and sell illicit services and products.

It is with that background that I present you with a much more detailed analysis of the costs of running these “businesses”.

Dissecting the Costs of Cybercriminal Operations:

The cybercriminal underground is quite verticalized, with threat actors specializing in particular areas of expertise. It is this distribution of expertise that contributes to the underground market’s resiliency. Similar to drug cartels, once you remove one threat actor or forum, rivals will immediately take its place. As a result, to kickstart a campaign and move beyond a concept to final execution and substantial profit, a puzzle has to be assembled first.

• A banking trojan license is one of the most expensive elements of a cybercriminal campaign and can be obtained from professional malware developers for $3,000–$5,000.
• Then, to intercept banking credentials, web-injects for each target financial institution have to be acquired separately and can cost anywhere between $150–$1,000 per set. In the past year, we’ve seen a significant increase in the cost of web-injects targeting Canadian institutions, offered at the upper end of the price spectrum, while the cost of malware targeting U.S.-based banks has remained the same.
• To maintain consistent visibility into the entire operation and to control an infected network of computers, bulletproof hosting in one of the unfriendly jurisdictions in China, the Middle East, or Eastern Europe is required. Monthly rental of a web server in a datacenter favorable to criminal activity will usually cost $150–$200.
• To ensure consistent payload delivery, and to remain undetected by antivirus products, the executable file must be “cleaned” and obfuscated daily and, in the case of a very large-scale operation, several times a day. Such services are available for $20–$50 per single payload obfuscation; however, lower prices can be negotiated for large-volume orders.
• Steady web traffic redirected to the infected resource and email spam campaigns are the two primary delivery vehicles for malicious payloads. While it will cost $15–$50 to get a thousand unsuspecting people to visit the infected web page, professional spam operators will charge $400 per million successfully delivered emails.
• Once the malware is successfully planted and banking credentials are intercepted, the perpetrator has to work with a chain of mule handlers and money-laundering intermediaries to receive a final pay-off. A money launderer with a stellar reputation who is capable of quick turnaround will charge a hefty 50–60 percent commission on each payment transferred from a victim’s account. In some cases, an additional 5–10 percent commission might be required to launder the funds and deliver them to the main operator via the preferred payment method, such as Bitcoin, WebMoney, or Western Union.
• In case an additional phone confirmation is needed to proceed with a money transfer, it will be facilitated by one of the underground calling services, with prices standing at $10–$15 per call.
• If additional document and phone verification are needed to proceed with the money transfer, various supporting vendors are available. A counterfeit driver’s license may be delivered within several hours for $25, while a more sophisticated video selfie will cost $100.
• To minimize the chances of an account holder noticing an unauthorized transaction, to intercept SMS confirmations, or to render an owner’s phone entirely unreachable for the duration of the attack, email/phone “flooding” can be purchased for $20. A cloned SIM card, however, is significantly more expensive at $150–$300.

Aside from funds stolen from compromised bank accounts, persistent access to an extensive network of victims around the world will inevitably generate a significant residual income.

2 thoughts on “Cost of a cybercrime business venture”

  1. This level of sophistication makes me wonder how we are able to maintain any amount of assurance that we can control or protect our monetary resources. How can you effectively be “off the grid” but still be able to use your resources without extreme measures that themselves can be sketchy?

    • It’s not just monetary. It’s everything. Think “critical infrastructure” to get a more expansive view of the situation. Think communication, food, energy, water, sewer, transportation/distribution, healthcare, etc. Retail sales are migrating to the Internet and could soon be considered “critical infrastructure”.

      Some of these people are being hunted and jailed, but not nearly enough, and I’m not sure the penalties are stiff enough. When it is very difficult to detect and punish criminals in a particular criminal area, one of the ways to decrease the tendency for people to engage in the activity is to increase the penalty when they get caught. If the punishment were a certain death penalty for conviction of unauthorized access to critical infrastructure, it would reduce the incentives for preying on those areas. It would increase the risk to other areas, but do you really want it to be a death penalty for someone to do multiple clicks on an ad on their web page to get a few extra dollars in ad revenue?