Feeds

Stolen CREDIT CARD details? Nah... crooks desire your PRIVATES

Hackers need to get PERSONAL to score the big bucks - researchers

Build a business case: developing custom apps

Prices on underground cybercrime marketplaces are dropping, with credit card details now in less demand than the personal data of individuals, according to a new study.

And even personal details and bank account credentials are getting cheaper to buy on underground hacker markets, according to a study by Dell SecureWorks’ director of malware research Joe Stewart and independent researcher David Shear.

Compromised US Visa and MasterCard credit card details can be bought for as little as $4, a price that doubles for stolen card details from the UK, Australia or Canada. A US credit card's information, as contained on the magnetic stripe on the reverse side of a card (Track 1 and 2 Data) fetches $12. But a similar card dump, where the holder is based in either the EU or Asia, can be sold for $28.

Complete card details along with the corresponding VBV (Verified by Visa) password command a price of $17-$25 (for card issued in the UK, Australia, Canada, EU and Asia).

A complete personal dossier on a US individual (featuring full name, address, phone numbers, email addresses (with passwords), date of birth, SSN and one or more of: bank account information) would cost $25. Such dossiers - called Fullz in underground forums - would fetch $30-$40 for an intended victim from the UK, Australia, Canada, EU or Asia. Just the date of birth for the same individual might be sold for $15-$25.

Prices are dropping. Two years ago Fullz fetched a price of between $40 to $60, depending on a victim's country of residence.

"There is no shortage of stolen credit cards, personal identities, also known as Fullz, and individual social security numbers for sale," the researchers note.

"However, the hackers have come to realise that merely having a credit card number and corresponding CVV code (Card Verification Value–the 3 or 4 digit number on one’s credit or debit card) is not always enough to meet the security protocols of some retailers."

Miscreants are also able to buy the login and password for a bank account with $70,000 to $150,000 for $300 or less. The preferred payment method for the many and varied services for sale through cybercrime bazaars has switched to either BitCoin or Western Union money transfers.

Underground hacking forums also sell malware and hacking services as well as credit card and personal details. Batches of 1,000 infected computers can be bought for $20, with bulk discount bringing the price of 10,000 infected PCs down to $160.

"Once scammers buy the malware-infected computers, they can do anything they want with the machines," Stewart and Shear explain. "They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers."

Stewart and Shear found that there was a variety of Remote Access Trojans (RATs) for sale ranging from $50 to $250. Most of the RATs were sold with a program to make it Fully Undetectable (FUD) to security software. Sometimes this feature cost an additional $20. Trojan buyers could also pay to have someone set up a command and control server and possibly infect a target for an additional $20 to $50.

For more advanced hacker the Sweet Orange Exploit Kit - a tool for distributing malware through drive-by download attacks from compromised websites - can be rented through underground forums for around $450 per week or $1800 per month.

The hacking of a website can be commissioned at a price of between $100 to $300, depending on the reputation of the hacker. An ad for one hacker-for-hire noticed by the researchers said he would not take commissions to hack into either government or military websites.

A Distributed Denial of Service (DDoS) attack against a targeted website would cost $100 a day, according to the researchers. All of the hackers providing the DDOS attacks guaranteed that the target website would be knocked offline.

"The types of hacker services and stolen data for sell on the hacker underground have changed dramatically in the past several years," Stewart and Shear conclude. "The only noticeable difference is the drop in price for online bank account credentials and the drop in price for Fullz or personal credentials." ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?