Cybercrime shopping list study points to falling prices
Fancy a bank account with $300,000 (£184,000) in it? If you know where to look and you don't mind dealing with cybercriminals then the going rate is just $300, a study of the hacking underworld suggests.
For that you'll get the bank account details, plus online username and password providing you with full access to the money.
For criminal buyers that price is a steal compared with the sums they were paying as little as two years ago. Back in 2011 the most they could have expected to acquire for $300 would have been a compromised bank account with just $7,000 in it, and probably less, the researchers say.
The investigation was carried out by Joe Stewart, director of malware research at Dell SecureWorks, and David Shear, an independent researcher.
The pair have monitored Russian and other criminal forums on the internet in which financial details are traded.
Mr Stewart says that the price of all sorts of stolen financial information has fallen sharply over the past year on hacker black markets, and suggests this is the result of some large-scale data breaches that have occurred during the period.
The glut in supply could continue for some time.
"I think that there is a lot further for prices to fall," he says.
Secrets for sale
It's not just the price of online bank account credentials that has fallen, Mr Stewart adds.
For example, a full dossier of financial and other information about an individual that can be used to commit identity theft now costs just $25 for a US victim, or $30-40 for a British one.
Two years ago these full dossiers - known as Fullz in hacker speak - changed hands for as much as $60 each.
A typical Fullz contains a victim's:
- full name and address
- phone numbers and email addresses with passwords
- date of birth
- national insurance, social security or other employee ID
And one or more from the following:
- bank account information
- online banking credentials
- credit card information, including Pin codes
In fact, it now appears there is such a large supply of stolen credit card details that hackers have had to slash their prices and take even more extreme measures to sell them before they expire or are cancelled.
"Hackers used to steal credit card details one at a time, but now they have figured out where to steal large numbers of details in one go," Mr Stewart says.
"Sellers on these black markets will now usually give you a few credit card details for free so you can check them out, and then you can buy them in lots of about a thousand."
The going rate is about $4 per card for US Visa or Mastercard details, and $7-$8 for UK or European ones, he says.
The reason that stolen US information is worth less than UK or European financial information is partly because it is harder and more costly for criminals to transfer stolen funds from the US to where they are - which is usually Eastern Europe or Asia, Mr Stewart says.
This usually involves using middlemen who take a cut to launder the money.
The Fullz packages have only been available for a few years, and their existence indicates that criminals are getting more sophisticated in their offerings, according to Mr Stewart.
"Previously they just offered lists of credit card numbers, but offering Fullz shows that hackers have got smarter and are now able to target places where a wide range of personal data is warehoused," he says.
Cybercriminals have also become more sophisticated in the way they offer stolen financial data to prospective customers.
This includes setting up websites with search facilities that allow customers to search for stolen online details for specific banks.
"They set these up as subscription services, and subscribers can then run as many searches as they like for accounts at specific banks that they can get cash out from most conveniently," he says.
Not all prices are falling in the world of cybercrime, however.
Computer hackers try to identify and then exploit vulnerabilities in programs and operating systems to gain access to credit card details and other data.
Stefan Frei, research director at security consultancy NSS Labs, says that the price that cybercriminals are willing to pay for newly discovered vulnerabilities is rising and the more secure a platform is perceived to be, the more the hack would be worth.
"People are putting more of their life on their computers, so the value to a hacker per computer is much higher than before," he explains.
"An iOS vulnerability may now change hands for $500,000 or even $1m."
Looking ahead, Mr Stewart believes the rise of Bitcoin - a virtual currency - could cause the thieves to change focus. Businesses are attracted to supporting the innovation as an alternative to cash because it is cheap to use, payments are almost instant, and the move gains them publicity.
But the Dell researcher warns that digital wallets - the computer programs used to store bitcoins - make more tempting targets for hackers than real bank accounts.
"Many Bitcoin users don't know much about security, and many protect their digital wallets with a user name and password that criminals can get past easily using malware," he says.
"The beauty for a criminal is that if you steal a Bitcoin wallet you don't have to go through a middleman like you do with a real bank account to move the money. You can just cash it out instantly anywhere in the world."