The Payoff

According to the Aegenis Group, the black market value of a payment card account number was estimated at between $4 and $6 in the 2007–2008 period. Magnetic stripe (track) data for a payment card, which is enough to clone a physical card, carries a price tag between $25 and $35, depending upon the credit limit and type of card. Full information sufficient to open a bank account, including birthday, address, and Social Security number, goes for approximately $200 to $300.

Other personal data, such as driver license numbers, Social Security cards, and PayPal or eBay accounts, are often seen for sale on the black market. Drivers’ licenses and birth certificates go for about $100. A PayPal or eBay account goes for $5 to $10.

At the tooling end of the market, a piece of malware that exploits an unpatched vulnerability can fetch anywhere between $20,000 and $40,000 a pop, depending on the consequences. Bot army building software (e.g., the exploits and bot agent code) goes for approximately $5,000–$10,000 on the black market.

The rising black market value of personal data and data-stealing malware has created a cottage industry of criminals (the information dealers mentioned earlier) who focus on trading financial information. The incidents at TJX and Hannaford Brothers are just the tip of the iceberg; the magnitude of the problem is not yet well understood by the general public. In the next few sections, we explore the data-gathering game of the cyber underground and how it has been turned into a massively profitable business.

The Data Exchange

The following is a fragment of a captured IRC conversation between an information dealer and a consumer:

<A> selling adminpassword of online store with hundreds of cvv2 and Bank account # and Routing #. I receive the payment 1st (WU/E-Gold). Also trade cvv2 for [WEBSITE] account.

This information dealer obtained credit card and checking account information either by hacking an online store or, more likely, by buying it from somebody who actually hacked the store. Buying and selling financial information remains the number one activity in the underground market. Compromised information is often dealt multiple times before it is put to use.

It’s alarming how much “full” personal information is out there for sale. A package of such information includes almost every vital aspect of one’s identity: everything you’d need to apply for an account, pass simple web authentication, and buy goods online. The following is a captured advertisement (actual details obfuscated) from one of the underground trading channels:

<A> Full info for sale
<A> Name: John Smith
<A> Address 1: XXX S Middlefield Road.
<A> City: XXX
<A> State: CA
<A> Zip: XXXXX
<A> Country: usa
<A> Date Of Birth: 04/07/19XX
<A> Social Security Number: XXX-XX-5398
<A> Mothers Maiden Name: Jones
<A> Drivers License Number: XXXX24766
<A> Drivers License State: CA
<A> Credit Card Number: XXXXXXXXXXXX2134
<A> Credit Card Brand: Visa
<A> EXP Date: 10/2010
<A> CVV Number: 178
<A> Card Bank Name: Citibank
<A> Secret Question 1: What is the model and make of your first car?
<A> Secret Question 1 Answer: Geo, Prism
<A> Secret Question 2: What is your first Pet's name?
<A> Secret Question 2 Answer: Sabrina

As you can see, whoever possesses this information can easily assume the identity of the person to whom it belongs. Mechanisms such as knowledge-based authentication (KBA) using secret questions offer no protection here: the questions and their answers are sold along with everything else.

Information Sources

So where do the information dealers get this data? From a number of sources, including:

Financial institutions

These are attractive targets because they house all the information a fraudster needs to commit financial crimes. For that reason, online banking sites are constantly under attack; criminals are looking for a “way in” through the public-facing web server to the backend customer data.

Merchant stores

Many retailers, whether online or physical, have poor security and data privacy practices, and thus remain a popular source for those with a prying eye for private financial data. The data breaches at both TJX and Hannaford Brothers were due to insufficient security procedures.

Individual cardholders

Spyware, keyloggers, and pharming malware (which rewrites DNS or hosts-file entries so that a bank’s domain name resolves to an attacker’s server) on a user’s desktop are other conduits through which private data is gathered.

Phishing

Phishing sites masquerading as legitimate businesses can lure users into giving up private information such as login IDs and passwords. Phishing is still a widespread threat, especially for less computer-savvy users.

Attack Vectors

The cyber underground players of today use many attack methods for data gathering. I’ll list a few prominent ones here. But many other, more esoteric methods have been observed in the wild that are beyond the scope of this study.

Exploiting website vulnerabilities

A vulnerable website, particularly that of a financial institution or an online e-commerce site, is often the most direct route to valuable data. The web application builds SQL commands to retrieve and modify the backend database (e.g., sensitive customer records). In an SQL injection attack, attacker-supplied input is concatenated into one of those commands and interpreted as SQL rather than as data, so the attacker can run arbitrary commands against the database and fetch whatever data it holds.
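The following is an added example, not code from the book or from any of the sites it mentions. It reproduces the mechanism just described against a constructed in-memory SQLite table with made-up rows: a lookup that concatenates user input into the query, beside the same lookup with a bound parameter, plus the classic single-quote probe that scanners use to detect the flaw. The table, rows and function names are all hypothetical.

```python
import sqlite3


def build_db():
    """Constructed stand-in for an online store's customer table (fake rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "alice", "2134"), (2, "bob", "7781"), (3, "carol", "0042")],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Hypothetical buggy lookup: input is pasted straight into the SQL text,
    so a quote in `name` ends the string literal and the rest is parsed as SQL."""
    query = (
        "SELECT id, name, card_last4 FROM customers WHERE name = '" + name + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Hardened lookup: the value is bound as a parameter and is never parsed
    as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, name, card_last4 FROM customers WHERE name = ?", (name,)
    ).fetchall()


def single_quote_breaks(conn, lookup):
    """The classic SQL injection probe: send a lone quote. A database error
    means the input reached the SQL parser unescaped; a clean empty result
    means it was treated as data."""
    try:
        lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = build_db()
    payload = "' OR '1'='1"  # turns WHERE name = '' OR '1'='1' into "match everything"
    print("vulnerable  :", lookup_vulnerable(conn, payload))      # all three rows
    print("parameterized:", lookup_parameterized(conn, payload))  # no rows
    print("probe flags vulnerable  :", single_quote_breaks(conn, lookup_vulnerable))
    print("probe flags parameterized:", single_quote_breaks(conn, lookup_parameterized))
```

The payload does not need to know the schema: it only has to close the attacker-controlled string literal and append a tautology, which is why a single unescaped concatenation is enough to dump a whole table.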

A well-known women’s clothing store was recently informed by their web application firewall vendor that an SQL injection vulnerability in their web application could lead to the compromise of their entire customer database, including credit card numbers, PINs, and addresses.

It is almost routine now for security vendors who engage in web application scanning to discover not one, not two, but many SQL injection attack vulnerabilities in existing web applications. With the advent of Web 2.0 and its still-esoteric secure code development practices, we should not be surprised that many web applications are vulnerable to data theft attacks.

Organized crime groups have long realized that digital data theft represents a gold mine for them. It is known that some of these groups have both automated and manual means to scan the Internet continuously, looking for vulnerable sites.

Malware

Many Internet crimes today can be traced back to some form of malware. For example, spyware installed on a user’s machine can steal private information from the hard disk, such as Social Security numbers, credit card information, and bank account information. Injected iFrames live on a compromised server’s pages rather than on the user’s machine; they pull attacker-controlled content into an otherwise legitimate page, where it can capture login information and other communications between the browser and the server. Bot-building malware, once installed on a user’s machine, wakes up every so often to participate in botnet activities unbeknownst to the user.

The most popular means of malware distribution today is via the Web. Users who browse to a malware distribution or hosting site may subject their computers to an infection. Many such infections produce no visible clues and therefore are not easily identifiable without special detection tools.

A disturbing trend is that we are seeing more and more legitimate websites unwittingly participating in malware distribution. Malware injected on the website (e.g., the injected iFrames mentioned earlier) can transparently redirect a user’s browser to a third-party site that hosts malware. Google reports that 6,000 out of the top one million ranked websites (according to Google’s page rank algorithm) have been listed as “malicious” at some point. Many are legitimate sites that are compromised at one point or another. Social networking sites and high-volume e-commerce sites have all been hot targets for malware distribution.
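The following is an added example, not code from the book or from any vendor it cites. It shows the simplest practical check a site owner can run against their own pages for the injected iFrames described above: parse the HTML, collect every iframe, and flag those that are both hidden (zero-size or styled invisible) and pointing at a host other than the site’s own. The sample page, the host names and the function names are constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser already lowercases tag and attr names
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse '0', '1px', ' 300 ' into an int; None if not a plain pixel size."""
    try:
        return int(value.lower().replace("px", "").strip())
    except ValueError:
        return None


def is_hidden(attrs):
    """Heuristics for an iframe the user is not meant to see: CSS that hides
    it outright, or a width and height of at most one pixel."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    w, h = _px(attrs.get("width", "")), _px(attrs.get("height", ""))
    return w is not None and h is not None and w <= 1 and h <= 1


def find_injected_iframes(html, site_host):
    """Return the src of every hidden iframe that loads from a foreign host.
    Relative srcs are treated as same-origin and never flagged."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or site_host
        if host != site_host and is_hidden(attrs):
            hits.append(src)
    return hits


# Constructed sample page for shop.example: two legitimate iframes followed by
# two that an attacker has appended, in the style of the injections described.
SAMPLE_PAGE = """
<html><body>
<h1>Welcome to our store</h1>
<iframe src="/help/widget.html" width="300" height="200"></iframe>
<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="http://malware.example/in.cgi?3" width="0" height="0" style="display:none"></iframe>
<iframe src="http://other.example/x.php" width="1" height="1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_injected_iframes(SAMPLE_PAGE, "shop.example"):
        print("suspicious iframe:", src)
```

A visible third-party iframe (the video embed) is not flagged, because legitimate pages embed foreign content all the time; it is the combination of foreign origin and deliberate invisibility that marks the injection. A real sweep would run this over every page served, and would also look for the obfuscated JavaScript that writes such iframes at runtime, which a static parse cannot see.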

Symantec reports that in 2007, 1,950 new malware instances were discovered every day! Figure 4-1 shows the normalized growth of new malware from 2005 to 2007, according to the numbers reported by Sophos, Symantec, and Panda Labs. In this figure, the most conservative of the three vendors, Sophos, reported a greater than 100% growth in new malware for the last two years. Panda Labs reported a whopping 800% increase in malware from 2006 to 2007.


Figure 4-1. Estimated (normalized) growth of malware programs

Much of the increase springs from increasing variations of the same malware; that is, polymorphic malware that is written once but can take on many forms to evade signature detection. Indeed, the rate at which malware producers today release malware and the way in which malware morphs itself has rendered signature-based detection all but useless.

Phishing, facilitated by social-engineering spam

Email spam is the main vehicle for phishing on the Web. Instead of carrying actual malware as an attachment, spam today tends to link to phishing or malware-laden websites.

Another visible trend is the increase in targeted spam attacks that deliver specially engineered spam messages to a special interest group of recipients; for instance, it is not uncommon to see prescription drug savings messages targeting senior citizens and hot stock tip messages targeting active traders. Such targeted spam has a much higher success rate, which helps to sustain phishing as a viable attack method.

Antispam technologies have seen significant advances in the past few years. However, the absolute volume of spam on the Internet has almost doubled since 2005, which has significantly strained the limits of many antispam systems.

The Money-Laundering Game

A significant step in the viability of the cyber underground economy is the ability to turn financial fraud into actual, usable cash. This is a nontrivial step that involves extracting cash from legitimate financial institutions.

One of the most valuable assets in the cyber underground is so-called “drop” accounts where money can be routed and withdrawn safely. These are often legitimate accounts owned by parties that are willing to play the cashier role discussed earlier in exchange for a cut of the take.

Let’s say Johnny the hacker has full account information for 20 Bank of America customers. Johnny could set up a bank transfer from these compromised accounts (to which he has access) to another Bank of America account owned by Betty, the cashier acting on his behalf. Betty then goes to her local bank and cashes out her entire account. She wires 50% of Johnny’s deposit to a predetermined location, which will be picked up by Johnny, and keeps the remaining 50%.

Being a cashier carries a nontrivial level of risk. Experienced cashiers rarely stay put, often having at their disposal a number of different accounts opened with fraudulent credentials. A good cashier can often demand a market premium. Without the drop accounts and the cashiers, the underground economy would be nothing more than an academic study.
