We dug a little deeper into the black market for cybercrime to pit the prices in RAND Corporation's most recent report against different sources — ones who agreed to speak with us only on condition of anonymity.
We found that not everyone agreed with the legend of the million dollar zero day.
RAND admitted it had difficulty accessing street values and verifying cost of exploit kits and zero days due to the nature of the illicit market — as well as its law enforcement sources' reluctance to divulge sensitive information.
As RAND explained, the black market for cybercrime, once a "varied landscape of discrete, ad hoc networks of individuals motivated by ego and notoriety, has now become a burgeoning powerhouse of highly organized groups, often connected with traditional crime groups (e.g., drug cartels, mafias, terrorist cells) and nation-states."
Perhaps the drug trade analogy works in some aspects of RAND's report, published three weeks ago.
According to BBC, access to a woman's webcam was priced last year at $1 each girl, whereas computer webcams belonging to men were 100/$1. (This is one reason why I want you to tape over your webcams right now.)
RAND explained that depending on the reach and credentials that can be accessed by an individual Twitter account, hacking into accounts can cost anywhere from $16 to more than $325, depending on the account type.
The cost for data records or credit cards varies, naturally — certain cards and accounts are more expensive than others.
The experts at RAND stated, "Prices for credit card data may start at $20–$45/record if supply is limited or the cards are freshly acquired, or $10–$12 if there is an influx."
RAND's sources talked brass tacks, and told us your fancy Amex Black is a hot little target.
Experts note that high or no-limit cards (e.g., the American Express Black card), or cards with chip and personal identification number (PIN) are more valuable, and can command a higher price, and when the data begin to get stale, it may be “on clearance” for something like $2–$7/record.
But not as much if you're an American — in large part because our reputation for security is somewhat in the crapper. "Stolen credit card data from Europe and the United Kingdom are more valuable than data from US cards for several reasons."
There is typically a delay when a card is processed in a foreign bank, so more can be charged before the bank figures it out.
European cards often have higher credit limits.
Many European cards (with their chip and PIN with signature system) are normally thought to be more secure that their US counterparts (signature only) and are correspondingly more valuable if they can be broken and put on the black market.
Your PayPal is only worth to the black market what you have in it — stealing it would be the real-world equivalent of having your wallet pickpocketed.
Though in cybercrime practice, it's actually more like a whole packed subway train at rush hour in which everyone has their wallets stolen all at once.
RAND said the returns on e-commerce purse-snatching are diminishing. "eCommerce accounts (e.g., PayPal or Amazon) can be sold for a fixed price, or based on the percentage of the remaining balance."
But I heard there were million dollar oh-days
The idea of the million dollar zero day may be a cherished Hollywood film fantasy, but doesn't traffic well in the real world.
According to RAND, the hacker market has changed from a less formal space to "a playground of financially driven, highly organized, and sophisticated groups."
The groups RAND is talking about appear to trade more often in botnets than zero-days.
While RAND acknowledged the black market for zero days had gained in notoriety, RAND didn't think this necessarily translates into zero days being the most popular item.
Instead, one zero day release meant a subsequent flurry of new malware kits (for that zero day) would hit the market shortly afterward.
Exploit kit prices vary based on whether they are purchased outright or rented for intervals of varied length, what exploits are included, and the quality of services and products offered rather than the quantity of exploits bundled together.
Brand-name recognition also plays a role. Services can involve leasing servers, finding traffic, creating a personalized payload (or “cleaning”/obfuscating an already existing payload to avoid antivirus signatures) and setting up infrastructure.
The money RAND was following led to botnet commerce, and competition to tailor botnets for customer needs.
The report emphasized that botnet service models have grown increasingly sophisticated; naturally, this would make them more valuable. "Some higher-order service models sell limited-time access to botnets, or allow customers to create their own botnets based on certain targets (e.g., Bank of America accounts worth at least $10,000)."
Botnet rental prices vary greatly across the large range of products available. For example, the price for a 24-hour DDoS attack in 2009 ranged from $50 to thousands of dollars, based on the size of the botnet needed to perform the attack.
The report didn't go into hard numbers beyond that.
The service is currently offering access to malware-infected hosts based in Russia ($200 for 1,000 hosts), United Kingdom ($240 for 1,000 hosts), United States ($180 for 1,000 hosts), France ($200 for 1,000 hosts), Canada ($270 for 1,000 hosts) and an International mix ($35 for 1,000 hosts), with a daily supply limit of 20,000 hosts, indicating an an ongoing legitimate/hijacked-traffic-to-malware-infected hosts conversion.
When it came to zero-days, it was interesting to see where RAND's experts, and the experts I spoke with, agreed and disagreed.
Like with RAND's report, I spoke with a range of experts in various positions in the field — and everyone I interviewed only spoke on condition of anonymity.
These anonymous sources each agreed that RAND's report, which they said was surprisingly accurate, only seemed to cite information from a limited circle of sources. One called it a "bubble."
On the topic of zero days, Markets For Cybercrime Tools said "Little data are available on price ranges for zero-days; more is available about those on the gray market than those on the black market."
The report appeared to miss the white market altogether — namely the marketplace for non-zero day exploits, such as the example of ExploitHub.
ExploitHub explained its role in the marketplace to ZDNet:
ExploitHub is a marketplace for exploits for non-0day vulnerabilities only, so we reject submitted exploits unless the vulnerability information has been disclosed publicly or provably (via reference ID) to the vendor.
The sources we spoke with who were willing to comment on ExploitHub's rates agreed that its pricing paints an accurate picture of general rates-to-effort pricing.
For instance, in ExploitHub's Q4 2013 report (the same time period as the RAND report), ExploitHub's marketplace moved 149 Metasploit Exploit Modules, 10 Metasploit Auxiliary Modules, 41 "other exploits" and more, all with an average price of $284.06.
The lowest price for an ExploitHub product was $1.46 and the highest price $1,500 — which was likely their $1,500 hardware product.
One source explained, "When the price is too low, it's just not worth it. Like, if you can make $500 in two hours that's one thing but if it's going to take two hours to make less than that, no one bothers."
The biggest disagreements between our sources and RAND's report were around zero-days.
RAND's experts concluded, "Zero-day prices range from a few thousand dollars to $200,000–$300,000, depending on the severity of the vulnerability, complexity of the exploit, how long the vulnerability remains undisclosed, the vendor product involved, and the buyer."
One anonymous source — with nearly a decade of market experience — told ZDnet this pricing is typically just not done. Only once in almost ten years had they seen something approach $300K. The most common pricing for zero-days, we were told, is in the five-figure range. Namely, around $80K.
RAND's report said, "Some [zero-day] estimates even go up to $1 million, but are often thought to be exaggerated."
Our sources have their money on the "exaggerated" part.