Armor’s Black Market Report Finds Hackers Selling Cash for Pennies on the Dollar, Credentials for RDP Servers (a Popular Entry Point for Ransomware), and Articles of Incorporation

Today, cloud security-as-a-service provider Armor released its annual Black Market Report. The report finds that the underground hacker markets and forums, where financial data and personal information are bought and sold and illicit services are for sale, are thriving. However, as with any successful business, participating merchants have to continually offer up new items and services, and these cybercriminals are doing just that.

From February 2019 through June of 2019, Armor’s Threat Resistance Unit (TRU) research team analyzed and compiled data from twelve different dark markets and forums, both English- and Russian-speaking ones. In addition to finding and chronicling the current prices for popular core items such as bank account credentials, credit card numbers, full identity packets, and DDoS and spamming services, the TRU team discovered cybercriminals peddling some interesting offerings. They include cash for pennies on the dollar, log-in credentials for unhacked Windows servers for use with Remote Desktop Protocol (RDP), and articles of incorporation.

The most interesting new service the TRU team spotted in the dark markets is a scheme where a criminal buyer can pay a criminal seller $800 in Bitcoin and have $10,000 transferred to a bank account of their choice or wired to them via Western Union.  “For those scammers who don’t possess the technical skills and a robust money mule network to monetize online bank account or credit card credentials, this is an offer that can be very attractive,” said Chris Hinkley, head of Armor’s TRU Team. “The threat actors are still selling financial account and credit card credentials outright, but this clever service gives them an additional channel for monetizing the large amounts of financial data available on the underground. Plus, they still reduce their risk because ultimately they are not taking possession of the stolen funds.”

The TRU team also discovered numerous cybercriminals selling credentials for unhacked Windows RDP servers. They are being offered for as little as $20 apiece. These servers are a common entry point for ransomware threat actors trying to get a foothold in an organization’s computer network. Therefore, it stands to reason that the fraudsters would take advantage of this market opportunity. Considering the rash of successful ransomware attacks that have occurred in 2019 alone (Armor has identified 161 publicly identified ransomware victim organizations in the U.S.), business is likely to be good.

In relation to banking and credit card schemes, it came as no shock to find cybercriminals hawking articles of incorporation and sole proprietorship papers. These documents enable a money mule (a person who transfers illegally acquired money on behalf of or at the direction of another and typically gets paid for their services with a small part of the money transferred) to apply for an Employer Identification Number (EIN), which in turn lets them open a business bank account. A business bank account allows a criminal to move larger amounts of money in and out of the account, making it less likely that the bank’s fraud alerts will be triggered. The money mule bank accounts are so integral to the success of online financial fraud, such as Business Email Compromise (BEC) and payroll attacks, that it makes sense that the TRU team would see these items become a staple in the underground.

Armor’s comprehensive report includes details of the wide-ranging goods and cybercrime-as-a-service offerings and their associated costs, covering everything from DDoS attacks to spamming to gift cards and, as becoming a social media influencer continues to grow in popularity, the cost of ‘Likes’ and followers.

The amount of criminal goods and services being peddled in the underground is daunting. However, by continually monitoring these dark markets, security defenders, such as Armor, are able to gain valuable insight into the types of data being targeted, how it is being stolen, and how the data is being used. “Having this intelligence is key in helping us protect our clients from current and emerging cyber threats,” said Hinkley. “And although it feels like a never-ending battle, it is a fight worth fighting.”

Extracts from one hacker’s price list:

| Black Market Services and Goods | Cost |
| --- | --- |
| U.S. Visa/Mastercard data (U.S. prices) | $15-$20 (plus an additional $25-$30 for BIN number or a DOB) |
| US Fullz data (Full ID package) | $30-$40 |
| Generic Ransomware | $225 – $660 |
| Ranion (Ransomware-as-a-service) | $120 per month |
| MegaCortex | $1000 or 1000 Euros and 10% of ransom |
| Unhacked Remote Desktop Protocol Servers in multiple countries | $20 per RDP server |
| Amazon gift card with $1000 balance | $100 |
| ATM skimmers | £500 to $1500 |
| DDoS attack | $60 per hour |
| Money Transfer Services (PayPal, Bank Transfer, Western Union and Skrill) | Average of $120 for a balance of $1200 |
| Changes to credit history | From $130 |

For more information on the cyber threats being seen in the dark markets, and how to protect your organization and yourself, view Armor’s 2019 Black Market Report here.

About Armor
Armor is a global cloud security company that takes the complexity out of protecting your data, whether it resides in a private, public, or hybrid cloud—or in an on-premise IT environment. We provide managed security solutions that give you a clear picture of threats facing your organization. This allows us to provide you with the people and security resources to stop attacks before they happen, and to react quickly and effectively when they do, helping to keep your data safe and compliant.  Wherever you are on your cloud journey, Armor can help. We make cybersecurity simple. To learn more, visit or follow @armor on Twitter.

Source: Armor

September 10, 2019
