Threat Management

Dark web analysis reveals $20,000 start-up cost for banking trojan botnet campaigns

The upfront cost of building a small banking trojan botnet is roughly $20,000, but the return on investment can be as high as 400 to 600 percent, according to the author of a new cybercrime research report.

Published on Thursday, the report details the average price of malicious tools, data and services sold on the dark web, based on an analysis conducted in the summer and fall of 2017 by Recorded Future's Insikt Group research team.

Using its dark web findings as a starting point, Recorded Future proceeded to break down the costs of building a botnet specifically designed to spread a banking trojan. "An average operation will target 10-15 financial institutions, requiring a wide range of credential-intercepting injects," said report author Andrei Barysevich, Recorded Future's director of advanced collection, in an interview with SC Media. "An initial... cost of $20,000 is needed to launch a small botnet of 10,000-20,000 zombie computers. [And] monthly maintenance will cost an additional $5,000."

Still, in many cases, the payoff is ultimately worth it for the threat actor. "Assuming criminals successfully intercept banking credentials from five percent of their victims -- a very conservative number -- we estimate that the direct profit derived when funds are stolen [is] in the range of $100,000-$150,000," said Barysevich. "As we can see, 400-600% return on investment is feasible and likely to exceed our numbers."

According to the report, the first substantial expense is the acquisition of a banking trojan license, which generally costs $3,000-$5,000, although it can also be rented for around $1,000 per month.

Then, in order to intercept banking credentials, the cybercriminal needs web injects for each financial institution he intends to target. This will cost about $150 to $1,000 per set. "In the past year, we've seen a significant increase in the cost of web-injects targeting Canadian institutions, offered at the upper-level of the price spectrum, while the cost of malware targeting U.S.-based banks has remained the same," Barysevich notes in the research report.

But that's not all: A spam campaign to infect unwitting victims with the botnet will cost $15-$50 per thousand people, or $400 for every million emails that are successfully delivered.

Also, finding a bulletproof hosting service in a cybercriminal-friendly region will require renting a webserver for $150-$200 per month, while services that clean and obfuscate malicious executables on a daily basis cost $20-$50 per single payload (although discounts are available for large-volume orders).

Cybercriminals may also want to hire mule handlers and intermediaries, who will typically charge a 50-60 percent commission from each payment transferred, plus an additional five-10 percent to launder and deliver the funds. Other tools that might be used to help push the campaign over the top include underground calling services ($10-15 per call) and email/phone flooding services ($20).

The range of items listed in the report is quite expansive, and not all are relevant to a banking trojan botnet. By and large, malware programs and licenses comprise the most expensive items: For instance, Android malware loaders can set you back around $1,500, while ransomware prices can soar as high as $1,000 (and fall as low as $50).

Conversely, other items cost as little as one dollar apiece, including individual, compromised PayPal and e-commerce accounts. For five dollars, cybercriminals can buy a stolen payment card number or banking credentials, and for $25, they can purchase 1 million compromised email account passwords.

Using its price guide as a starting point, Recorded Future next broke down the various costs of this botnet.
Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
