Diving Into the Dark Web and Understanding the Economy Powering Cyber Attacks

This morning, Armor, a cloud security provider, released a great report into the cyber crime black market. Armor was formerly known as as FireHost – they were one of the leading hosts boasting security first and have dramatically evolved over the years. This report was put together by the Armor Threat Resistance Unit (TRU), whom extrapolated data from a number of dark web sources; focusing specifically on the fourth Quarter of 2017 (2017/Q4).

The report strives to give us a view into an otherwise elusive world, specifically highlighting the economic foundation of cyber crime. Understanding the criminal economy is critical to understanding the ease of use, motivations and behaviors of bad actors.

Effective security takes more than technology; it requires realtime knowledge of the threat landscape and risks to your data. – The Black Market Report

The Economy Supporting Cyber Crimes

My specific interests with this report were in understanding the opportunities criminals have to negatively affect someone’s online presence.

Site note: A few years back Malware-as-a-Service (MaaS) was a prominent business model and I’d personally love to learn what they found on this subject. It was interesting however to see an evolution into Cybercrime-as-a-Service (CaaS), essentially this move to capitalize on the DIFM market. 

Cybercrime-As-A-Service

An example of a service designed to disrupt your online presence we can think of a DDoS attack – an attack designed to disrupt your infrastructure / websites availability (i.e., the site / server is down – not functioning). When you think of the potential impacts of a service like this to the everyday online brand, it can be devastating. Think for a moment the adverse affects of your online store going off line? What would 1 hour, 1 week, 1 month of a down site do to your business?

At Sucuri we built technology specifically designed to help organizations mitigate these types of attacks.  This report highlights specifically the Cybercrime-As-A-Service market, and shares list prices as low $10 / hour for an DDoS attack up to $200 / day. The exceptionally low cost highlights how cost-effective it is for someone to maliciously disrupt your organizations ability to service your audience. The exceptionally low cost is coupled with a Dot It For Me (DIFM) model making it that much easier for a bad actors to effectively implement the tools and techniques perfected over the years, in essence lowering the previously required technical aptitude.

Tools, Services and Associated Costs

Determining list price for tools and services seemed to be tightly coupled with complexity and desire to streamline to make things as simple as possible. Here are some of the things they found designed to directly affect your online presence (and their associated costs). I could probably spend a week diving deeper in this section alone, trying to better gauge what each tool / service really does and if there are subcategories within each (which I’m sure there are). It is interesting however to see WordPress stand out, of all the available CMS’ – but makes sense when you take into consideration it’s popularity.


Tool & Service Pricing Model
Hacked Instagram Accounts in Bulk 1,000 – 10,000 accounts $15 – $60
WordPress Exploit $100
DDoS Attacks Week long attack $500 – $1,200

Being that I am now responsible the GoDaddy Certificate Authority (CA) I was very intrigued by their findings with the abuse of code-signing and extended validation (EV) certificates. They found that pricing for CS certificates start at $400 and $2,500 for EV certificates. I’d love to better understand if they were able to derive who the issuer was so that we as a community can work to get these revoked and workflows updated to avoid future abuse.

Digital Identity

I have been spending a tremendous amount of energy thinking about Digital Identity as of late. Specifically what our role at GoDaddy can be to help curve this, hopefully tackling the Digital Trust problem. That’s a conversation for another day though.

In this stream of thought I’ve been specifically interested in how someone’s online presence extends beyond websites into a wide range of other services (e.g., Facebook, Twitter, Instagram, etc..). Specifically, how an identity is extended across each of these platforms and how it makes up the organizations digital brand. This becomes even more apparent in the behaviors of individuals / organizations in emerging markets, and even young adults that have been raised with these platforms – there world revolves around a closed web, and their actions mirror those experiences.

Coincidently, this report speaks directly to the economy around the value of compromised social media accounts.

One vendor the TRU team spotted offered 1,000 Instagram accounts for a price of $15, 2,500 for $25, 5,000 for $40 and 10,000 for $60. Another seller offered budding cybercriminals a program the seller claimed could hack into accounts for Facebook, Netflix, Twitter and other services for $12.99. – The Black Market Report

One of the very interesting observations as to why these platforms are targeted is the intent to perform some form of reconnaissance for other crimes or even leveraging your account to distribute malicious activity. Ever experience spam messages from your friends from Facebook or Twitter?


If you have time, I encourage you to read the full report. See how it applies to you and your organization. You’ll find other bits of information that you might find insightful – things like value placed on sensitive information like credit cards, reward programs (hadn’t even thought of this), list price associated with bank accounts and more details on the value of other sensitive data like PII.

Here is an example of one such data set around the value of PII: