Feeds

Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

Hackers need to get PERSONAL to score the big bucks - researchers

Build a business case: developing custom apps

Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.

Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card's information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data) fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for card issued in the UK, Australia, Canada, EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses (with passwords), date of birth, SSN and one or more of: bank account information) would cost $25. Such dossiers - called Fullz in underground forums - would fetch $30-$40 for an intended victim from the UK, Australia, Canada, EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 to $60, depending on a victim's country of residence.

"There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale," the researchers note.

"However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers."

Miscreants are also able to buy the login and password for a bank account with $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either BitCoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

"Once scammers buy the malware-infected computers, they can do anything they want with the machines," Stewart and Shear explain. "They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers."

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hacker the Sweet Orange Exploit Kit - a tool for distributing malware through drive-by download attacks from compromised websites - can be rented through underground forums for around $450 per week or $1800 per month.

The hacking of a website can be commissioned at a price of between $100 to $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDOS attacks guaranteed that the target website would be knocked offline.

"The types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years," Stewart and Shear conclude. "The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials." ®

The essential guide to IT transformation

More from The Register

next story
Rupert Murdoch says Google is worse than the NSA
Mr Burns vs. The Chocolate Factory, round three!
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
Germany 'accidentally' snooped on John Kerry and Hillary Clinton
Dragnet surveillance picks up EVERYTHING, USA, m'kay?
Know what Ferguson city needs right now? It's not Anonymous doxing random people
U-turn on vow to identify killer cop after fingering wrong bloke
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.