"The marketplace contains many stakeholders, ranging from formal, legitimate organizations selling vulnerabilities to parties that meet their strict eligibility criteria to underground websites that allow individuals to offer illegal services," say McAfee CTO Raj Samani and Senior Threat Research Engineer François Paget in their latest white paper titled Cybercrime Exposed.
Research-as-a-Service offerings are more gray market than black. The offers are made by commercial companies that find and sell zero-day vulnerabilities to buyers of their choosing (often governments), and by brokers who help vulnerability sellers to get as much money as possible for their knowledge, and help buyers to remain anonymous and acquire information about vulnerabilities they might not otherwise be able to get their hands on.
Prices range from $5,000 and more for Adobe Reader zero day vulnerabilities, to $100,000 or even $250,000 for iOS ones.
Another Research-as-a-Service offering is the identification of targets - for example, a list of email addresses for spamming that often belong to users in a specific country or state, of a specific profession or gender, or users of a specific service.
The Crimeware-as-a-Service system includes developers selling exploits, malware, spyware, bots, spamming tools, tools for obfuscating the malicious nature of software (polymorphic builders, crackers, cryptors, and so on), as well as hardware for hacking or stealing (for example card skimmers) and services including checking files against security software
The Cybercrime Infrastructure-as-a-Service model allows wannabe criminals to rent botnets for DDoS attacks or for sending out spam or malware, bulletproof hosting schemes, and so on. The services are tailored to any and every budget.
Finally, the Hacking-as-a-Service option allows budding cyber crooks to skip doing research, building tools, and developing an infrastructure to launch an attack, as there are services out there that outsource the entire process. Examples include password hacking services, DDoS services, and sale of stolen credit card and bank login information.
According to the researchers, bank login information is sold for a higher price than credit card info, and EU bank logins are sold for a higher price (4–6% of the account balance) than American ones (2% of it). Verified PayPal, Moneybookers, Netteier account login info is worth even more (6-20%), and Western Union transfer details cost 10% of the transferred amount.
Prices for credit card info (with or without PIN and a good balance) varies according to bank type and location of its owner (click on the screenshot to enlarge it):
"We are witnessing the emergence of a whole new breed of cybercriminal," the researchers concluded. "All that the modern cybercriminal needs to provide Cybercrime as-a-Service is a means with a payment method. As a result, the volume of cyberattacks is likely to increase, and current trends and data suggest that this is exactly what we are seeing today."