A Look at the Pricing of Cybercrime Goods, Services

By Ian Gray

It should matter to security and risk professionals how much a digital stack of credit card numbers sells for within cybercrime communities. Tracking pricing trends within illicit marketplaces is an important barometer that can inform decision makers about threats and the risk they present to private-sector organizations, public-sector agencies, and law enforcement. An understanding of these fluctuations not only illustrates new developments within the cybercrime landscape, but can help dictate response efforts.

Therefore, Flashpoint analysts have decided to revisit a 2017 survey of prices for a number of offerings available across a representative sample of deep & dark web (DDW) markets. The findings are available today in a new research paper called, “Pricing Analysis of Goods in Cybercrime Communities,” (PDF download). One conclusion that stands out: unlike the hardly static pace of activity, pricing for products and services for sale on underground sites has remained relatively constant.

Download our new research paper, “Pricing Analysis of Goods in Cybercrime Communities.”

Since 2017, there have been modest price bumps for some long-standing offerings related to fraud and cyberattacks. But these shifts are miniscule compared to the dramatic innovation happening in other depths of the cybercrime ecosystem—specifically with respect to targeted ransomware and SIM swapping, to name two.

Another constant from 2017: It’s still unclear what the determinants are for pricing trends within the cybercrime economy. Prices can vary drastically across the DDW, and the reasons for the discrepancies remain largely unexplained.

Our survey looks at prices for numerous illicit products, and our analysts assess with moderate confidence that prices vary drastically across the DDW. We evaluated changes in pricing for “fullz” (full packages of personally identifiable information [PII]), passports, distributed denial-of-service (DDoS)-for-hire attack services, exploit kits, remote desktop protocol (RDP) servers, payment card data, and bank logs.

A few highlights:

• The range of prices for fullz is up slightly, and can shoot up dramatically if that full package of personal information is accompanied by the victim’s financial information including credit scores.

• Physical passports are the crown jewel of underground documents because they are difficult to produce and subsequently bypass anti-fraud measures present in the document.

• DDoS-for-hire pricing has noticeably gone up, in parallel with advances made in protections implemented by content distribution networks and high-value websites.

• Exploit kits continue to lag after peaking earlier this decade as a primary distribution model for web-based compromises.

• RDP access continues to be in demand, but the availability of access to RDP servers took a hit with the demise of the xDedic market in January.

• Payment card data remains a sought-after commodity, and pricing fluctuates depending on the freshness of the data and whether they’re sourced from card-not-present transactions, or from dumps directly from compromised devices and websites.

• Bank logs can command a high price, dependent on the balance of the account and where it’s located.

Flashpoint analysts conclude that with the fluctuations in the availability of marketplaces during the last few years, the price consistency may be an attempt to maintain stability without affecting the demand of fraud-related products and services.

However, monitoring product and price listings should provide a temperature check for the cybercrime climate because a number of listings are catered to the entry-level threat actor. Understanding price listings and future changes should inform how the cybercrime landscape is developing, and how businesses should respond to this threat.

To learn more, download our latest research paper, “Pricing Analysis of Goods in Cybercrime Communities.”