If someone wants to bring down a website, alter their school attendance record or hijack an ex-employer’s Twitter account, there are plenty of illicit ‘hacking handyman’ services to turn to.
Researchers have recently been delving into the dark web to find out how much hiring a black hat hacking specialist will set you back. Note: StationX does not condone malicious hacking or paying for these services. However, for anyone serious about cyber security, a good understanding of threat vectors is always useful, including hackers-for-hire and ransomware-as-a-service (RaaS).
With this in mind, here’s a closer look at the research findings and the current black hat hacking marketplace.
How do you hire a hacker on the dark web?
The most popular way to do it is via a darknet market. These are basically shopping sites for illegal and semi-legal goods and services that are accessed through privacy networks such as Tor and I2P. You can learn more about how darknet markets work and the risks involved in using them in our guide here.
Malicious hacking services come in two basic flavors:
Hackers-for-hire. This type of business usually comprises a group of hackers working together. Using encrypted email or a secure chat app, you let the business know what specific site, social media account or other asset you want to target. One of their hackers gets back in touch to tell you if it’s doable and gives you a price. You almost always have to pay up front with bitcoin or other crypto. The hacker then takes care of everything for you.
Ransomware-as-a-service. A subscription model that gives you access to ready-made ransomware programs and other types of malware. Armed with your ransomware bundle, you can tweak it to your desired requirements and launch your attack, with minimal technical knowledge needed. Well-known RaaS kits that have popped up over recent years include Locky, Goliath and Jokeroo.
How much do hackers-for-hire charge?
Comparitech collected listings from 12 dark web hacking services in September 2021 to see what was on offer and the average advertised prices. These were as follows:
Social media hacking $230
Social media hacking was the most frequently touted service, making up 29% of all listings. Groups claimed to be able to get passwords for WhatsApp, Facebook, Twitter, Instagram, Skype, Telegram, TikTok, Snapchat and Reddit, enabling spying, hijacking and access to privileged groups.
Website hacking $394
This category comprised attacks on specific websites and other services hosted on the web. Sub-services offered under this category included accessing underlying web servers and administrative control panels. At least one group claimed that it could gain access to databases and admin user credentials.
Changing school records $526
The range of school and college-related services on offer included hacking into systems to change grades and attendance records. Some also claimed to be able to gain access to exams.
Custom malware $318
If you don’t want to go down the self-service ransomware route, you could always hire a hacker to handle everything for you, including custom development and actually instigating the attack.
Personal attacks $551
Examples here include financial sabotage and planting “kompromat” on an individual’s computer or a company’s system to cause legal trouble and ruin reputations. Comparitech also identified a few businesses offering ‘scammer revenge’ services: if you’ve been hit by a hacker in the past, the service will track that hacker down and make life difficult for them.
Location tracking $195
For this, hackers will usually monitor the intended target’s phone location.
Computer and phone hacking $343
This involves gaining access to specific devices to steal information and plant spyware or other types of malware. These services were offered across all major operating systems.
Email hacking $241
Hackers typically promise to obtain the target account holder’s authentication details, giving their customer general access to the account. Alternatively, if there’s some specific information you want to steal from an inbox, you can hire a hacker to retrieve it for you. They can also set up a covert email forwarding process, so everything sent or received by your victim is forwarded on to you.
Fixing bad credit records $251
Some hackers claim to be able to hack into account management systems, locate the records relating to your account and clear any digital record of your debt. Several of these services charge customers in a similar way to debt collection agencies: i.e. they charge a percentage commission based on the value of debt they manage to wipe. Hackers also claim to be able to wipe your name from credit blacklists.
DDoS $26 per hour
If your competitor’s website is down even just for a few hours, it’s likely that some of its customers will find their way to you. This is usually the reason behind unscrupulous businesses hiring someone to mount a distributed denial-of-service (DDoS) attack. Using a botnet, hackers will flood their target’s servers with traffic, temporarily destroying the servers’ capacity to process traffic from legitimate users. The more you pay them, the longer they’ll sustain the attack.
How much does ransomware-as-a-service cost?
According to CrowdStrike, access to ransomware kits can cost you anything from around $40 per month up to several thousand dollars.
Taking inspiration from legitimate software-as-a-service businesses, these guys are often quite sophisticated with their charging models. For example, some offer corporate affiliate programs, where customers opt for a lower monthly subscription but with a percentage of any ransoms received going to the ransomware providers.
The lesson: think about your attack vectors…
Why would someone go to the effort of hacking my system? For a start, these findings should serve as a reminder that it isn’t just big corporates who are at real risk of being targeted. It’s also worth remembering that 43% of cyber attacks are specifically aimed at smaller organisations.
If a competitor, a disgruntled previous employee or an ex-boyfriend wants to harm you or your business, it has never been easier (or cheaper) to get it done.