Do you know what the cost is for unauthorised access to your organisation? It’s an interesting question and one that IntSights, a Rapid7 company, has sought to answer. The results of that investigation are contained in a report entitled: “Selling breaches: The transfer of Enterprise Network Access on Criminal Forums” (registration required).
IntSights looked at several underground exchanges where stolen credentials and network compromises are traded. It found vibrant marketplaces where cybercriminals can buy what they need to breach an enterprise and launch a successful attack.
What determines the value of unauthorised access?
Industry, location and business size all play a part in the price an account can command, but they are not the only factors. A big determining factor in the value of stolen credentials is the level of privilege they carry. A few weeks ago, Positive Technologies published its report on access-for-sale websites. It found a surge in stolen credentials on offer, but an increasing number were of limited use because the accounts lacked privileges.
For this report, IntSights looked at 46 separate offers to sell access. In the majority of cases (40 out of 46), the victim's location was mentioned. Of those, North America (37.5%) was the most common. Europe, Asia Pacific and Middle East/North Africa accounted for 17.5% each, with Latin America at just 10%.
One reason for this distribution is language: English-speaking targets are easier for sellers and buyers to work with. India is one country where this applies, because many companies there do work outsourced from US companies in particular. The relative wealth of the local economies is also a factor.
There are seven industries mentioned in the report. Tech & telecoms (22%) is the top target, followed by Financial Services, Healthcare & Pharma, and Energy and Industrials, all on 19.5%. There is no surprise in these numbers; they match the industry risk profile seen in other reports. What is perhaps a surprise is the emergence of automotive (9%) in fifth place. It will be interesting to see whether this increases should IntSights repeat this work.
What sort of prices were being asked?
There is a wide variation in the pricing from sellers, with some willing to speculate on the value of what they were selling. The report cites an offer to sell access to an Argentina-based firm for a payment of US$27,000 in Bitcoin. The seller's reasoning was that the target being a financial services organisation mattered more than its location.
Another figure given is that of US$66,000 in Bitcoin. This was for: “access to an organisation supporting hundreds of retail and hospitality businesses. The victim was a third-party operator of customer loyalty and rewards programs.” The seller here even goes as far as highlighting how a buyer can make the most out of this access.
These two asking prices are among the highest seen. The average price IntSights recorded for access was $9,640. IntSights also says that figure is skewed upwards by a small number of very high prices, and suggests a more typical price is $3,000. These are still much higher than the numbers recorded by Positive Technologies, which found that 45% of the access on sale was priced below $1,000.
Who is selling access?
There is a broad range of people selling access, as cybercriminals increasingly specialise in different parts of the attack chain. This has created a subclass of attackers who focus solely on compromising accounts and harvesting user credentials. Their only goal is to sell these on and leave others to exploit the access. In other cases, it is a malicious insider who harvests customer details and sells them on forums.
In the case of the latter, IntSights calls out the risks to telecoms companies. Previous research has seen: “networks of malicious insiders that advertise on these criminal forums. Some of these services charge anywhere from $200 to $400 USD per phone number.”
Having access to a phone number and other customer details makes SIM swap attacks much easier to carry out. The attacker uses those details to have the mobile number transferred to a SIM they control, whether by deceiving or bribing carrier staff. From that point, any SMS-delivered 2FA code for the victim's bank accounts and other services is sent to the attacker's handset instead.
Enterprise Times: What does this mean?
It is an interesting report for those with little experience of how cybercrime has become specialised into distinct roles. At just 18 pages, it is also very accessible. It concludes with recommendations on preventing network compromise events and on how to mitigate the impact if access to your network is sold.
Ultimately, all organisations are at risk of stolen credentials being used to steal data or install malware. The key is to be aware of the risk and create the right policies to protect the business. Two of the report's own findings point the way: because privilege level drives the price of an account, limiting the standing privileges attached to any single credential reduces what a stolen one is worth, and because SIM swap attacks target SMS-delivered codes, 2FA that does not depend on the phone network removes the payoff from that route.