Selling access to breached networks is big business, and criminal hackers can net thousands of dollars per breach, as long as they keep quiet about their victims.
That's according to a new report from threat intelligence vendor IntSights, which lurked on dark web hacker forums long enough to analyze 40 different sales of access to compromised networks, and the data that comes with them.
The researchers found that prices for hacked data can vary widely. While the median price of the 40 sales was $3,000, the average sale price was $9,640. This reflects just how volatile the market for hacked data can be, and just how much depends on the target of the attack.
"Factors that can influence pricing include: the extent and the privilege level of the access; the size and value of the victim as a source of criminal revenue; the industry and location of the victim; and the sales strategies of the various sellers," said IntSights, which was acquired by Rapid7 last month.
Because of this, wealthy North American companies tend to be the highest priority for breached network access. The study estimated that, of the targets offered, 37.5% were located in North America. Europe and the Middle East were distant seconds, at 17.5% each.
One regional exception, the researchers said, is India, whose outsourcing economy poses an attractive target to hackers because so many companies are proxies to North American businesses.
"Indian organizations are desirable targets for criminals due to the widespread use of English in India, and the outsourcing of many Western business operations to India," the report noted.
Technology and telecoms companies are the most popular targets, accounting for 22% of breached networks. Second place was a three-way tie between healthcare and pharmaceuticals, financial services, and energy and industrials, each registering a 19.5% share.
Part of this, IntSights said, is based on opportunity. Companies in those industries might be easier to breach, but they also tend to yield less money on underground markets than retail and hospitality companies. The high earner of the study was a hacker who managed to get $66,000 for access to an unnamed hospitality and retail vendor that operates customer loyalty programs.
IntSights researchers noted just how tight-lipped many of the sellers have become. Cybercriminals who have breached networks are so secretive about their victims that they will not give the name of the company until a sale has been made, for fear of their victims learning of the breach and closing off access.
It is only in private messages with serious bidders, the researchers said, that the real name of the victim is disclosed.
"Users of criminal forums and dark markets are keenly aware that security researchers and law enforcement monitor their communities. Thus, the sellers usually (but not always) refrain from naming victims in these posts, which are typically viewable by all users, so as to avoid exposing their breaches," the report said.
"The minority of sellers that do disclose the names of their victims in public posts are usually on English-speaking forums, where some users may be less discreet than their Russian-speaking counterparts."
Paul Prudhomme, chief threat analyst with IntSights, told SearchSecurity that when it comes to coughing up the names of victims, the burden of proof is on the recipient, and there is no predictable formula for the transactions.
"Sometimes the seller will share the name of a compromised customer with a prospective buyer, and sometimes they will not," he explained.
"If they do receive the name of the compromised company, that does not necessarily create a commitment to buy at any price. A prospective buyer's track record needs to look good and trustworthy enough to the seller to justify the risk of exposing that information."