Oct 21, 2015

Sale! Your personal info, cheap | InfoWorld

Data rules the digital economy. Nowhere is that more evident than in the underground economy, where criminals traffic in data stolen through breaches, compromised accounts, and various vulnerabilities.

Based on ongoing work with law enforcement authorities -- and close monitoring of online marketplaces where stolen data is sold -- the Hidden Data Economy report from Intel Security paints a clear picture of how cheap it is to obtain stolen information.

[ Deep Dive: How to rethink security for the new world of IT. | Discover how to secure your systems with InfoWorld's Security newsletter. ]

“As the commercial value of personal data grows, cyber criminals have long since built an economy selling stolen data to anybody with a computer browser and the means to pay,” Intel Security wrote in the report.

To no one’s surprise, there's plenty of payment card information on sale, with the basic packages including the account number, CV2 code printed on the card, and the expiration date selling for between $5 and $8 in the United States. Prices go up for extras that let buyers attempt different types of scams, such as $15 for packages including the bank account number and dates of birth. Buyers can also buy “Fullzinfo” packages, which include the victim’s billing address, PIN, Social Security number, date of birth, mother’s maiden name, and online banking credentials, for a mere $30.

Prices also vary by region: Stolen credit and debit cards sell for between $20 and $35 in the United Kingdom, $20 and $40 in Canada, $21 and $40 in Australia, and $25 and $45 in the European Union. Prices are even higher for "dump tracks," or account information stored on the card’s magnetic stripe; they go for between $110 for U.S. cards and $190 for European Union cards.

Login credentials for online banking sites and payment services are available for sale as well. Prices depend on a number of factors, such as the online payment service’s account balance. For example, an account with a balance between $400 and $1,000 can cost between $20 and $50, but a balance of $2,500 to $5,000 would cost between $120 and $200.

Stolen bank accounts and payment cards are only the starting point. “This underground marketplace has evolved to include almost every conceivable cyber crime product for sale or rent,” the researchers wrote in the report.

Not only financial data

Whole identities are available online, including account credentials for social media and email. Some sellers make it easier for buyers to look at available identities by providing a graphical interface. Medical records, which generally include health-related information, Social Security numbers, and insurance details, are available, although they aren’t as easy to buy as payment card data, the researchers said.

Think of the underground forums and markets as the digital equivalent of Home Depot: Attackers can find whatever they need to launch cyber attacks against large corporations and critical infrastructure systems. There's no need to craft phishing campaigns to steal network credentials when, odds are, they're already on sale.

The report showed an example of network credentials from a university offered for sale. Researchers also found vulnerabilities that allow potential buyers access to bank and airline systems located in Europe, Asia, and the United States.

“This ‘cyber crime as a service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks,” said Raj Samani, CTO for Intel Security EMEA. Recent data breaches have been so huge, numbering in millions of records, because the individual per-record prices are so low. Sellers need more inventory to stay in business.

What was surprising was the demand for login credentials for online streaming services. Since the services themselves aren’t expensive, it would make sense to assume the accounts wouldn’t be worth much on the marketplace. The report found otherwise. While account information for video streaming services and premium comic book services are available for pennies, with prices starting at 55 cents, premium cable channel streaming services such as HBO Now and HBO Go sell for $7.50. Professional sports get the big bucks in the underground economy, too: Login credentials for professional sports streaming cost $15.

Even loyalty accounts are available for sale. Buyers can get 100,000 points in a hotel loyalty account for only $20. “Customers legitimately open these accounts at no cost, and yet there is a market for them, resulting in the loss of accumulated perks that sometimes take years to accrue,” the report said.

Like the legitimate economy, but underground

The criminal underground functions according to the same basic economic principles as the regular economy. Sellers slash prices on inventory to undercut other sellers and attract buyers. Some employ “sophisticated sales and marketing efforts” and advertise their wares to potential customers on YouTube.

“The videos often attempt to provide some degree of visual confirmation for prospective buyers that they can be trusted, although such approaches can backfire through comments associated with the videos,” the researchers wrote.

There's no real way to verify whether or not a seller will actually deliver on the advertised goods, since buyers can’t exactly file complaints through the usual channels. Some sellers offer guarantees, however, with replacement policies for unsatisfied customers. The marketplaces provide forums and other methods for social feedback to name and shame disreputable sellers, as well as rank sellers who are good to work with.

To access the underground, you don’t need to dig around anonymized networks with Tor. Many markets are easy to find and often a search query away. “It certainly does not require prior knowledge of a secret public house and its hidden courtyard,” Intel Security wrote in the report.

The breadth, depth, and open nature of the criminal underground suggests a mature, nearly glutted market whose participants have little fear of reprisal. With law enforcement far behind the curve, the real hope of mitigation remains better enterprise security -- and greater vigilance by individuals. Either that, or expect to find your credentials on sale somewhere.

No comments: