Image: wildpixel, Getty Images/iStockphoto

Cybercriminals who aren’t savvy or skilled enough to create their own malware need look no further than the Dark Web. Up for sale on underground storefronts and forums are many of the tools any attacker needs to mount their own malicious campaign. Though some of these tools are pricey, others can be had at relatively bargain basement prices. A report released Saturday by Privacy Affairs looks at the average prices for different types of malware.

SEE: Cybersecurity: Let’s get tactical (free PDF) (TechRepublic)

For its “Dark Web Price Index 2020,” Privacy Affairs scanned an array of Dark Web marketplaces, forums, and websites to devise an index of average prices for a range of products. The site looked at different types of content, including malicious tools, Distributed Denial of Service (DDoS) campaigns, personal data, stolen account credentials, and forged documents.

For malware, Privacy Affairs examined malicious tools installed on operating systems such as Windows and Android designed to give attackers access to the system. These tools are often installed via fake online casinos, social networks such as Facebook, and warez websites that offer pirated or copyrighted software.

In some cases, these malicious tools may be used to steal your credentials for a certain website; in other cases, they can use your computer for cryptocurrency and other activities. Privacy Affairs categorized these tools based on their quality, success rate, target region, and number of installs. All of the tools listed by the site are designed for 1,000 installs.

At the low end of the list, malware tools aimed at a global audience sell on average for as little as $70. However, this particular batch is sold as low quality, slow speed, and a low success rate. Further up the line, a set of tools that target the US with medium quality and a 70% success rate goes for $900 on average.

Scaling higher, a set considered high quality aimed at Canada sells for $1,500, while a high-quality batch aimed at the UK goes for $2,000. Tools aimed at Europe that are deemed high quality but aged sell for $1,400, while another set that targets Europe and is considered high quality but promoted as fresh sells for $2,300. Finally, at the high end is a set of premium malware tools that go for $6,000.

For its research, Privacy Affairs also analyzed DDoS campaigns. As listed for sale on the Dark Web, these types of attacks can help anyone easily take down a website by flooding it with more requests than it can handle.

In this area, a product designed to overwhelm an unprotected website with 10,000-50,000 requests per second for one hour sells for just $10. The same type of attack that lasts for a whole week goes for $400, while one that runs for a month sells for $800. A DDoS campaign aimed at a premium protected website with multiple elite proxies deploying 20,000-50,000 requests per second for 24 hours can be had for just $200.

Of course, the Dark Web being a shady underground, many of the sellers are scammers themselves, so the actual, verified prices are tough to determine without actually ordering a product. Buyers may not necessarily get a product at the advertised price, or they may not get a product at all in return for their money.

Beyond malware tools and DDoS campaigns, the Dark Web is brimming with stolen and hacked account credentials, personal financial data, forged documents, and counterfeit money, among other content. To protect your own accounts from theft, compromise, and identity fraud, Privacy Affairs offers the following advice:

  1. When answering your phone, make sure to never give sensitive information (such as your SSN, your debit card number, passwords) to anyone regardless of whether this is a requirement for some process. If it’s that important, do it in person.
  2. Whenever you visit an ATM, make sure the card reader doesn’t have a skimmer. Skimmers read a card before it’s inserted into an ATM, providing a criminal with a clone of your card’s magnetic strip. Skimmers are often made to imitate the material around the ports, but they’re delicately mounted so they’ll move when pressed with a small amount of pressure. Press around the sides of the card port and see if anything feels loose. Check for glue around the edges or tape. If you see any glue material, stay away from that ATM and call the bank. Similarly, if you have difficulty putting your card into the machine, stop trying and stay away from it.
  3. Check an ATM’s keypad by slightly lifting around its edges. Fake keypads are sometimes placed over the legitimate one to record your PIN. They’re often very loosely mounted. If it jiggles around a bit, or you notice the keypad is off-center, avoid using it.
  4. Check often for malware on your computer to ensure that your data isn’t being recorded as you input it. Use an anti-malware tool and make sure it’s set to automatically update.
  5. Avoid public or unsecured Wi-Fi. If you must log into an account on a network you don’t trust 100%, use a VPN to encrypt all communications. Even bank websites can be forged to be almost undetectable if an attacker has administrative access to the network you’re using.
  6. Delete accounts you don’t think you’ll use anymore. Old accounts can be compromised, and this leads to problems in the future. This is especially an issue if you use the same password for multiple accounts.
  7. Never use the same password for multiple accounts. This is the easiest way for an attacker to gain access. When a major list of account details is dumped on the Dark Web, your own details can be checked against other services such as email or banking.
  8. Use a password manager, and you’ll always have strong security for all your accounts but need remember only one master password.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered Tuesdays and Thursdays