The Price of Secrets: How Initial Access Brokers Value Corporate Access Credentials

Explore the ways in which corporate network access is valued by initial access brokers (IABs) according to access type, company revenue, and country tier.
August 13, 2024

By offering access to compromised networks and systems, initial access brokers (IABs) are key players in the cybercrime ecosystem. A number of factors influence the cost of these access credentials, the most important being the type of access, company revenue, and the country tier. Understanding the interplay between these variables can offer valuable insights into the cybercrime black market.

Assess Country Tier

Countries are categorized into different tiers based on various factors, including economic strength and the general level of digital infrastructure. Typically, higher-tier countries command higher prices for access credentials. Here's a breakdown of how country tiers impact pricing:

Tier 1 Countries: These include economically strong nations such as the United States, Canada, and Western European countries. Access to companies in these countries is generally more expensive due to the potential for higher returns and the increased difficulty of breaching their systems.

Tier 2 Countries: These are countries with moderate economic strength and cybersecurity defenses, such as Eastern European countries and some Asian nations. Prices for access in these countries are generally lower than tier 1 but still significant.

Tier 3 Countries: These include economically weaker nations with less stringent cybersecurity measures. Access to companies in these countries is typically the least expensive.

Evaluate Company Revenue

Company revenue is another factor in determining the price of access credentials. Higher-revenue companies usually have more valuable data and resources, making them more attractive targets for cybercriminals. Brokers often use tools like ZoomInfo to estimate a company's revenue. Here’s how revenue impacts pricing:

High Revenue Companies: Large enterprises with substantial revenue are prime targets. Access to these companies can be sold at a premium due to the potential for significant financial gain from ransomware, data theft, or other malicious activities.

Mid-Sized Companies: Medium-sized businesses represent a middle ground. They have valuable data and resources but may not have the same level of cybersecurity defenses as large enterprises. Prices for access are moderate.

Small Companies: Small businesses typically have lower revenue and may not be as lucrative for cybercriminals. As a result, access credentials for these companies are generally sold at lower prices.

Identify Type of Access

The type of access being sold is perhaps the most direct determinant of pricing. Different types of access credentials provide varying levels of control and potential for exploitation. Here are the main types of access and their relative pricing:

Domain Access: This type of access allows logging into a company's internal domain network. It offers significant control and potential for lateral movement within the network, making it highly valuable and expensive.

SMTP Access: Email credentials that control a company email account can be used for phishing, spamming, and other malicious activities. While valuable, it is typically less expensive than domain access.

VPN Access: Virtual private network credentials allow remote access to a company's internal network. This type of access provides considerable control and is priced accordingly.

Database Access: Direct login credentials for accessing sensitive databases are highly valuable due to the potential for data theft or manipulation. Prices for database access are generally high.

How IABs Use Cybercrime Forums

Looking at the examples below, you will see that buyers and sellers all follow a common format that specifies the type of access, revenue, and geolocation (sometimes tier) of the country. This is a normal format when dealing with IABs, and as mentioned above, these variables usually determine the price of specific offerings.

[Figure: Credential Price 1. An example of a buyer mentioning the variables that determine pricing.]

In most cases, transactions are conducted through a forum escrow system until trust is established between both the seller and buyer. Once trust is established, transactions are often taken off-platform and dealt with directly.

[Figure: Credential Price 2. An example of a seller mentioning the variables that determine pricing.]

The same sellers will usually broker access for a long period of time, developing a reputation as trustworthy IABs and gaining a stream of continuous access to different types of organizations.

[Figure: Credential Price 3. An example of a trusted IAB.]

If you take a look above, you will see a thread posted by a user called Nick Diesel. By browsing their profile, you can see that they have a continuous thread of offerings and post almost daily updates on what they have access to and what they’re selling.

[Figure: Credential Price 4. An example of daily postings.]

While access to specific applications like Slack, Zoom, or Discord might seem valuable, the IAB landscape primarily focuses on broader access that grants control over infrastructure or databases.

This allows malicious actors to pivot within a compromised network and gain access to various applications and data stores. Selling individual application accounts is less common and usually limited to consumer-level accounts sold in bulk.
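For threat intelligence teams monitoring these forums, the common listing format described above (access type, revenue, country) can be pulled into structured fields and compared against the organization's own profile. The following is an added example, not from the original article; the post texts are constructed, and the field patterns, the `profile` structure, and the revenue tolerance are assumptions.

```python
import re

# Access types named in the article; the spelling variants are assumptions.
ACCESS_TYPES = {
    "domain": r"\bdomain\s+(?:admin|user|access)\b",
    "vpn": r"\bvpn\b",
    "smtp": r"\bsmtp\b",
    "database": r"\b(?:database|db)\b",
}
# Revenue must follow a "rev"/"revenue" keyword so unrelated numbers are ignored.
REVENUE_RE = re.compile(
    r"\brev(?:enue)?\s*[:=-]?\s*\$?\s*(\d+(?:\.\d+)?)\s*(k|m|b)", re.I)
COUNTRY_RE = re.compile(r"\b(?:geo|country)\s*[:=-]\s*([A-Za-z]{2,3})\b", re.I)
MULTIPLIER = {"k": 1e3, "m": 1e6, "b": 1e9}

def parse_listing(text):
    """Extract access types, revenue in USD, and country code from one post."""
    access = [n for n, pat in ACCESS_TYPES.items() if re.search(pat, text, re.I)]
    rev = REVENUE_RE.search(text)
    geo = COUNTRY_RE.search(text)
    return {
        "access": access,
        "revenue_usd": (float(rev.group(1)) * MULTIPLIER[rev.group(2).lower()]
                        if rev else None),
        "country": geo.group(1).upper() if geo else None,
    }

def matches_profile(listing, profile, tolerance=0.5):
    """True when country matches and revenue is within +/- tolerance of ours."""
    if listing["revenue_usd"] is None or listing["country"] != profile["country"]:
        return False
    low = profile["revenue_usd"] * (1 - tolerance)
    high = profile["revenue_usd"] * (1 + tolerance)
    return low <= listing["revenue_usd"] <= high

def triage(posts, profile):
    """Return parsed listings that could plausibly describe our organization."""
    parsed = [parse_listing(p) for p in posts]
    return [l for l in parsed if matches_profile(l, profile)]

SAMPLE_POSTS = [  # constructed examples, not real forum posts
    "Selling VPN access | Geo: US | Revenue: $250M | escrow accepted",
    "WTB domain admin, country - DE, rev 1.2B+",
    "SMTP corp mailbox, geo: BR, revenue: 40m",
]

if __name__ == "__main__":
    our_org = {"country": "US", "revenue_usd": 300e6}  # hypothetical profile
    for hit in triage(SAMPLE_POSTS, our_org):
        print("review:", hit)
```

A match is only a lead for an analyst to review, since revenue figures in listings are estimates.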

Protect Your Organization from IABs by Denying Entry to Access Brokers

IABs often gain access to corporate networks through phishing and spear phishing attacks. Modern threat actors are creating increasingly sophisticated phishing attacks that often leverage advanced social engineering techniques, making them harder to detect and mitigate. To stay ahead of these threats, organizations need an AI-powered solution that can analyze vast amounts of data in real time, identify subtle signs of phishing, and adapt to emerging threats. Implementing such advanced technology ensures a more robust defense against these ever-more complex attacks.

Abnormal’s API-based solution utilizes behavioral data to understand the communication patterns and processes of every employee and vendor across your organization. By applying computer vision and natural language processing (NLP) to analyze email content, we can identify anomalous activity and detect potential threats before they reach employee inboxes.

Experience the protection Abnormal AI provides against email-based attacks that exploit human behavior. Schedule a demo today to see our solution in action.
