Feeds

Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

Hackers need to get PERSONAL to score the big bucks - researchers

The Essential Guide to IT Transformation

Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.

Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card's information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data) fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for card issued in the UK, Australia, Canada, EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses (with passwords), date of birth, SSN and one or more of: bank account information) would cost $25. Such dossiers - called Fullz in underground forums - would fetch $30-$40 for an intended victim from the UK, Australia, Canada, EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 to $60, depending on a victim's country of residence.

"There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale," the researchers note.

"However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers."

Miscreants are also able to buy the login and password for a bank account with $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either BitCoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

"Once scammers buy the malware-infected computers, they can do anything they want with the machines," Stewart and Shear explain. "They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers."

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hacker the Sweet Orange Exploit Kit - a tool for distributing malware through drive-by download attacks from compromised websites - can be rented through underground forums for around $450 per week or $1800 per month.

The hacking of a website can be commissioned at a price of between $100 to $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDOS attacks guaranteed that the target website would be knocked offline.

"The types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years," Stewart and Shear conclude. "The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials." ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.