In a series of blog posts published throughout 2012, we’ve been highlighting the existence of a vibrant underground market segment, namely, that of ‘hacking for hire’ services, email hacking in particular. The practice has been commercially available as a service for years, and its growth was once largely fueled by the release of DIY Web-based tools for hacking popular email providers, which, once acquired by prospective cybercriminals, quickly became the foundation for a successful business model. How have things changed nowadays, in terms of tactics, techniques and procedures? Profoundly.
Case in point, we’ve been tracking two such ‘hacking for hire’ services, both of which offer a diversified portfolio of malicious services to prospective customers, such as email hacking, Web site hacking, DDoS for hire, DDoS protection, and grade modification. What type of tactics, tools and procedures do they rely on? Let’s find out.
Thanks to the persistent supply of brute-forcing tools capable of solving CAPTCHAs, commercially available DIY malware/botnet generating tools, and underground market propositions offering custom-coded phishing pages as a service, cybercriminals have everything they need at their disposal to monetize their ‘know-how’ through this type of service. Among the key success factors for their campaigns, for email hacking in particular, remains the ‘first hand’ intelligence about the potential targets that they obtain from their prospective customers, to be used later in successful social engineering campaigns.
The first ‘hacking for hire’ service charges $50 for a single day of persistent DDoS attack, $300 for a week, and $1000 for a month. Web site hacking is pitched at $500. Email hacking is offered at $200, and at $500 for corporate users, followed by $35 for a day’s worth of DDoS protection, and $150 for a month’s worth of DDoS protection. The service also offers a free test of its DDoS capabilities.
The availability of the rest of the services offered through the portfolio, such as Web site hacking, is largely made possible by the public/commercial availability of DIY Web site hacking tools like the ones we’ve extensively profiled in the past. In terms of DDoS for hire, the commercial availability is made possible not just by the ease of ‘generating’ a botnet in 2014, but also by a cost-effective acquisition approach that relies on outsourcing the botnet generation process, then monetizing the (outsourced) botnet’s infected population through a variety of schemes, all of which result in the cybercriminals successfully ‘breaking even’ on their initial investment.
We expect that these types of services, email hacking in particular due to its volume-driven business model, will continue proliferating, with the cybercriminals behind them continuing to professionalize and standardize, ultimately aiming to further streamline the customer acquisition process.
As always, we’re keeping an eye on this market segment, and will be posting updates as soon as new developments emerge.