
Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

Hackers need to get PERSONAL to score the big bucks - researchers

Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.

Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card's information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data), fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for cards issued in the UK, Australia, Canada, EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses (with passwords), date of birth, SSN and one or more of: bank account information) would cost $25. Such dossiers - called Fullz in underground forums - would fetch $30-$40 for an intended victim from the UK, Australia, Canada, EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 and $60, depending on a victim's country of residence.

"There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale," the researchers note.

"However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers."

Miscreants are also able to buy the login and password for a bank account holding $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either Bitcoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

"Once scammers buy the malware-infected computers, they can do anything they want with the machines," Stewart and Shear explain. "They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers."

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make them Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hackers, the Sweet Orange Exploit Kit - a tool for distributing malware through drive-by download attacks from compromised websites - can be rented through underground forums for around $450 per week or $1800 per month.

The hacking of a website can be commissioned at a price of between $100 and $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDoS attacks guaranteed that the target website would be knocked offline.

"The types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years," Stewart and Shear conclude. "The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials." ®
