Contributed by Jeffrey Sebranek
Gathering data is the gold rush of the 21st century, with Google/Alphabet Corp and Amazon leading the way in competing to create the largest database in history. These massive subscriber databases are consistently raising the already enormous valuations of these companies. The underground hacking economy has learned to follow suit in their own effort to monetize all manner of personal and economic data. Personal identifying information, credit cards, bank account numbers, social security numbers and almost any kind of personal information can be bought and sold online in the digital cybercrime marketplace. All this occurs nearly anonymously and with little risk, as demonstrated by the low percentage of hackers that are actually caught. Crypto and digital currencies like Bitcoin and the popular Russian services Lesspay and Web Money, are thought to be helpful in keeping unlawful trade under the radar, with some sites also accepting payment from, more traditional Western Union and Moneygram1.
This underground hacking economy tends to follow traditional economic influences and can even offer hacking services and products at a surprising discount. An example offered by McAfee blog2 after the massive Target data breach in late 2013 that saw over 40 million debit and credit card accounts stolen by hackers. After the breach, the price on the underground market for stolen card data plummeted significantly, as this massive supply of new data hit these dark exchanges.
These hacking networks can often be as well-organized as any legitimate business. As the profitability and proliferation of data increases, cyber criminals continue to grow their network of digital marketplaces allowing access to anyone with a computer and the ability to pay. So what kind of information can a potential scammer purchase from these networks? McAfee Labs recently published a report titled, “The Hidden Data Economy”3, which offers a breakdown of the value of our information, once it’s been stolen. According to the report, the more data a hacker can accrue per account, the greater value they can sell it for. Along with credit card information, additionally identifying information can increase the original value. These include, among other things, the card’s expiration dates, and CVV data. Both CVV1 the unique three-digit value encoded on the magnetic stripe, as well as CVV2 the three-digit number written on the back of your card. Some of these digital marketplaces even offer what they call “Fullzinfo. These “Fullzinfo” packages means the seller supplies all details about the card and its owner, including full name, billing address, expiration date, card number, pin number, SSN, DOB, CVVs and mother’s maiden name, a common default security question used by credit card companies.
Most striking perhaps is the very reasonable, fire-sale prices that this pedigree information can sell for. According to McAfee estimates, basic credit card info for Visa, MC, Amex and discover can sell for as little as five dollars, with high-value information such as “Fullzinfo” packages selling for the about $30 in the United States, while in Europe the cost can run to a still very reasonable $50 per card. Credit cards with higher balances exceeding $5000 can cost the shifty buyer $200 or more.
Stolen credit card, bank account information, social media and email while among the most popular of illicit commodities, aren’t the only kind of information available. These underground markets have expanded to include all manner of cybercrime tools and products. A few examples include training lessons in hacker programming, Malware Trojan Horses, even services that provide translation, so that hackers can more easily bilk any intended foreign victims.
Generally it’s the banks and credit card companies that absorb the main losses when an identity breach occurs. This practice appears to leave the population as a whole relatively apathetic about protecting their own data. It may prove costly in the long run if principals of self-defense that are considered normal when dealing with more traditional forms of crime, aren’t eventually adopted into the general mindset of consumers.