Feeds

Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

Hackers need to get PERSONAL to score the big bucks - researchers

Top 5 reasons to deploy VMware with Tegile

Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.

Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card's information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data) fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for card issued in the UK, Australia, Canada, EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses (with passwords), date of birth, SSN and one or more of: bank account information) would cost $25. Such dossiers - called Fullz in underground forums - would fetch $30-$40 for an intended victim from the UK, Australia, Canada, EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 to $60, depending on a victim's country of residence.

"There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale," the researchers note.

"However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers."

Miscreants are also able to buy the login and password for a bank account with $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either BitCoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

"Once scammers buy the malware-infected computers, they can do anything they want with the machines," Stewart and Shear explain. "They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers."

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hacker the Sweet Orange Exploit Kit - a tool for distributing malware through drive-by download attacks from compromised websites - can be rented through underground forums for around $450 per week or $1800 per month.

The hacking of a website can be commissioned at a price of between $100 to $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDOS attacks guaranteed that the target website would be knocked offline.

"The types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years," Stewart and Shear conclude. "The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials." ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.