There was a time when hackers were driven by ideology – opposition to a company or government, for example – or maybe the thrill of vandalism. No more. For the majority of cybercriminals the motivation now is overwhelmingly financial, says Eric Freyssinet, head of the French police’s cybercrime division. According to a recent study by software developer McAfee and the Center for Strategic and International Studies, hacking drains $445 billion a year from the world’s coffers. Highly publicised operations such as the recent one against Sony mask a much more nuanced reality: the cyberworld now conceals a huge network across which anything can be sold and exchanged through a myriad of websites on which anonymity is guaranteed. Some of the most egregious examples:
Credit card data
€8 to €40
The demand for bankcard data exploded last year, according to a report by Secure-Networks, a branch of the Dell group that specialises in cyberdefence. PIN numbers, credit limits – every detail is sought after. “A credit card number can run anywhere from €8 to €40,” says Freyssinet. “The more specific the information, the more profitable the transaction.” Like any ordinary business, professional hackers even offer money-back guarantees. “It’s a form of customer service,” explains Freyssinet. “Some pirates will replace invalid credit-card numbers for free.”
100,000 email addresses
€15 to €180
Cybercrime’s biggest market is email addresses. Lists are sold not only to marketing companies and online retailers but also to impostors who play the numbers game to hook their prey. One hundred thousand addresses will cost anywhere from €15 to €180, depending on their quality. It’s cheap enough to make scams profitable, particularly through the well-worn technique of phishing. With such volumes, the probability of earning back the outlay by hooking just a few users who are convinced they’re dealing with a real bank or government office is high.
Encryption and ransom
$500 to $800,000
Ransomware programs, also known as cryptolockers, are viruses that encrypt the data on a personal computer. Without the encryption key, a computer’s owner cannot access his own files. These blackmail and extortion tools can cost several thousand dollars to develop, but they are very profitable once they are launched. Ransoms are often astronomical: the city of Detroit (USA) recently paid $800,000 to regain access to its data. The fee is more modest for individuals; some hackers even include a detailed guide on paying the ransom in bitcoins. Not even law enforcement is immune. A sheriff’s office in Tennessee, infected by CryptoWall, had to pay a ransom to regain access to 72,000 autopsy reports, witness depositions and crime-scene photos.
€15 to €40
DarkComet, Cybergate and Dark DDoser are a few of the so-called Remote Administration Tools (RATs) currently on the market. Hackers use these programs to take control of another computer remotely. The price for these Trojan horses has dropped precipitously, from between €40 and €200 in 2013 to a few tens of euros today, largely because source code for the most popular RATs is public. The market adapted quickly: products are now frequently accompanied by encrypters that make a RAT invisible to virus-protection software.
$90 in Asia
$1,000 in U.S.
Hackers can infect entire blocks of computers with a virus, creating so-called “zombies”. Buyers use these computers anonymously, posing as their owners, to overload servers with a barrage of access requests. The hackers then demand payment to cease the attack. Access to 5,000 computers starts at $90, a fee that increases depending on the geographical location of the zombie machines. They’re cheap in Asia and expensive in the U.S., where IP addresses are highly sought after because they provide access to financial sites that serve American clients.
If a criminal lacks computer skills, he can turn to a mercenary for a modest fee. “For $150 and up, you can procure the services of a hacker to sabotage an email or launch a denial-of-service attack on a site,” says Erwan Keraudy, founder of CybelAngel, a French cyberdefence start-up. The Holy Grail is the “zero-day attack”: a program that can exploit previously unknown vulnerabilities in software or operating systems before they can be patched. These programs can be worth several hundred thousand dollars when they target a widespread software program.
As hacking becomes more mainstream, a newly popular tactic is to post tutorials on discussion boards. Documents with specific instructions are sold for around $1 apiece, and more extensive manuals run about $30. These prices appeal to novice hackers, who then use strategies developed by others to extort hundreds of dollars from individuals or small companies. Although they lack the expertise to become truly dangerous themselves, these hackers are by their sheer numbers a serious threat.