HP Wolf Security Investigation Reveals Plague of Cheap Malware Kits

A three-month dark web investigation exposes 'honour among thieves' as cybercriminals rely on dispute resolution services, vendor bonds and escrow payments to ensure fair dealings.

The HP Wolf Security Team has uncovered the widespread use of inexpensive “plug-and-play” malware kits which can make it easier to launch cybercrime attacks.

The new report from HP, called ‘The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back’, shows how these kits can be used to harm businesses, government institutions and other organisations.

The HP Wolf Security threat team worked with Forensic Pathways on a three-month dark web investigation, scraping and analysing over 35 million cybercriminal marketplaces and forum posts to understand how cybercriminals operate, gain trust and build reputation.

Along with that forensics firm, HP had the help of ex-hacker Michael “MafiaBoy” Calce (who hacked the FBI when he was in high school) and cyber criminologist Dr. Mike McGuire.

The report reveals that some of these plug-and-play malware kits were being sold for £8.50, roughly the average cost of a pint in London according to a June 2022 article by The Guardian.

What’s Happening?

The report offers up three major findings:

Malware is cheap and readily available – 76% of malware advertisements listed, and 91% of exploits, such as code that takes advantage of software bugs to give attackers access to vital systems, retail for under $10 (£8.50).

The existence of ‘honour amongst cyber-thieves’ – Online cybercrime retailers live and die off their reputation and consumer trust, just as legitimate online retailers do. 77% of cybercriminal marketplaces analysed in the report require a vendor bond, effectively a licence to sell, which can cost up to $3,000 (£2,500). In addition, 85% of retailers used escrow payments, and 92% even had a third-party dispute resolution service. Every marketplace analysed also provided vendor feedback scores.

Popular software is giving cybercriminals a foot in the door – Cybercriminals are focusing on finding gaps in software that will allow them to get a foothold and take control of systems by targeting known bugs and vulnerabilities in popular software. Examples include the Windows operating system, Microsoft Office, web content management systems, and web and mail servers.

The most surprising part of this report is the cheapness of the malware. Such cheap and easily available malware makes it incredibly easy to “get in the game”, so to speak. For the same money, you could buy a round of pints for the lads or what is essentially a cybercrime starter kit.

It also means that attacking a system from multiple points at once is easier to pull off, if every exploit being purchased sits in that £8.50 range. Whether buying malware in such quantities actually makes attacks more effective is not addressed in the report.

In the report, this ‘honour among cyber-thieves’ concept is referred to as an “irony”, the assumption being that crime is inherently dishonourable compared to the innately noble rule of law. Without (hopefully) getting too philosophical, this isn’t quite as ironic as the report seems to imply.

While illegal, the cybercrime marketplace is still a capitalistic endeavour, and capitalist endeavours are, in many ways, built on consumer and vendors’ navigation of their mutual trust and distrust. In a scenario where legal recourse isn’t viable (such as in a criminal endeavour) trust and reputation are all these retailers have to retain customers.

The note about popular software, while interesting, isn’t exactly news. A common refrain has been that Macs are less vulnerable to cybercrime attacks than PCs running Windows. This has only ever been true in that hackers operate off supply and demand just as any legitimate business does.

Macs’ cybersecurity measures aren’t any more or less effective than your average Windows PC’s, but they come under attack less frequently because fewer people use Macs. Hackers, like many companies, look for the widest audience they can possibly find for their business. It’s basic economic theory.

How Does This Affect Businesses in the UK?

Like any major economy, businesses in the UK are going to inevitably run afoul of hackers and cybercriminals. Whether it’s malware or phishing or some other method of attack, the question for many organisations is “when” not “if”.

In the last 13 months alone, over 32,000 cybercrimes were reported in the UK, resulting in over £10 million in losses, according to the NFIB Fraud and Cyber Crime Dashboard. Over 16,000 of these were hacking via social media and email.

However, there are methods to protect yourself and your employees. In its report, HP offers three basic pieces of advice:

Master the basics to reduce cybercriminals’ chances: Follow best practices, such as multi-factor authentication and patch management; reduce your attack surface from top attack vectors like email, web browsing and file downloads; and prioritise self-healing hardware to boost resilience.

Focus on winning the game: Plan for the worst; limit risk posed by your people and partners by putting processes in place to vet supplier security and educate workforces on social engineering; and be process-oriented and rehearse responses to attacks, so you can identify problems, make improvements and be better prepared.

Cybercrime is a team sport, so cybersecurity must be too: talk to your peers to share threat information and intelligence in real time; use threat intelligence and be proactive in horizon scanning by monitoring open discussions on underground forums; and work with third-party security services to uncover weak spots and critical risks that need addressing.

These pieces of advice are a good start, but not the only advice out there. For example, check out the eWeek UK article on how SMBs can optimise their disaster recovery capabilities. You might not be able to completely avoid the attention of plug-and-play cyber criminals, but with the right precautions and security measures in place, you can dramatically reduce the impact these bad actors have on your business.

Zephin Livingston
Zephin Livingston is a content writer for eWeek, eWeek UK, IT Business Edge, and SoftwarePundit with years of experience in multiple fields including cybersecurity, tech, cultural criticism, and media literacy. They're currently based out of Seattle.