Cybercrime shopping list study points to falling prices

Image caption: The price of a hacking victim's personal details is becoming cheaper to buy, says a study

Fancy a bank account with $300,000 (£184,000) in it? If you know where to look and you don't mind dealing with cybercriminals then the going rate is just $300, a study of the hacking underworld suggests.

For that you'll get the bank account details, plus online username and password providing you with full access to the money.

For criminal buyers that price is a steal compared with the sums they were paying as little as two years ago. Back in 2011 the most they could have expected to acquire for $300 would have been a compromised bank account with just $7,000 in it, and probably less, the researchers say.

The investigation was carried out by Joe Stewart, director of malware research at Dell SecureWorks, and David Shear, an independent researcher.

The pair have monitored Russian and other criminal forums on the internet in which financial details are traded.

Mr Stewart says that the price of all sorts of stolen financial information has fallen sharply over the past year on hacker black markets, and suggests this is the result of some large-scale data breaches that have occurred during the period.

The glut in supply could continue for some time.

"I think that there is a lot further for prices to fall," he says.

Secrets for sale

It's not just the price of online bank account credentials that has fallen, Mr Stewart adds.

Image caption: Credit card details are only the start for today's breed of cyber-thieves

For example, a full dossier of financial and other information about an individual that can be used to commit identity theft now costs just $25 for a US victim, or $30-40 for a British one.

Two years ago these full dossiers - known as Fullz in hacker speak - changed hands for as much as $60 each.

A typical Fullz contains a victim's:

  • full name and address
  • phone numbers and email addresses with passwords
  • date of birth
  • national insurance, social security or other employee ID

And one or more from the following:

  • bank account information
  • online banking credentials
  • credit card information, including Pin codes

In fact, it now appears there is such a large supply of stolen credit card details that hackers have had to slash their prices and take even more extreme measures to sell them before they expire or are cancelled.

Image caption: Hackers try to identify flaws in computer programs to help them steal personal details

"Hackers used to steal credit card details one at a time, but now they have figured out where to steal large numbers of details in one go," Mr Stewart says.

"Sellers on these black markets will now usually give you a few credit card details for free so you can check them out, and then you can buy them in lots of about a thousand."

The going rate is about $4 per card for US Visa or Mastercard details, and $7-$8 for UK or European ones, he says.

Sophisticated scams

The reason that stolen US information is worth less than UK or European financial information is partly because it is harder and more costly for criminals to transfer stolen funds from the US to where they are - which is usually Eastern Europe or Asia, Mr Stewart says.

This usually involves using middlemen who take a cut to launder the money.

Image caption: UK Mastercard and Visa card details sell for about $7-$8, according to the study

The Fullz packages have only been available for a few years, and their existence indicates that criminals are getting more sophisticated in their offerings, according to Mr Stewart.

"Previously they just offered lists of credit card numbers, but offering Fullz shows that hackers have got smarter and are now able to target places where a wide range of personal data is warehoused," he says.

Cybercriminals have also become more sophisticated in the way they offer stolen financial data to prospective customers.

This includes setting up websites with search facilities that allow those customers to search for stolen online details for specific banks.

Image caption: Experts warn that several types of financial cybercrime tend to become more frequent in the run-up to Christmas

"They set these up as subscription services, and subscribers can then run as many searches as they like for accounts at specific banks that they can get cash out from most conveniently," he says.

Not all prices are falling in the world of cybercrime, however.

Computer hackers try to identify and then exploit vulnerabilities in programs and operating systems to gain access to credit card details and other data.

Bitcoin burglars

Stefan Frei, research director at security consultancy NSS Labs, says that the price that cybercriminals are willing to pay for newly discovered vulnerabilities is rising and the more secure a platform is perceived to be, the more the hack would be worth.

"People are putting more of their life on their computers, so the value to a hacker per computer is much higher than before," he explains.

Image caption: The growing popularity of Bitcoin could cause hackers to change tack

"An iOS vulnerability may now change hands for $500,000 or even $1m."

Looking ahead, Mr Stewart believes the rise of Bitcoin - a virtual currency - could cause the thieves to change focus. Businesses are attracted to supporting the innovation as an alternative to cash because it is cheap to use, payments are almost instant, and the move gains them publicity.

But the Dell researcher warns that digital wallets - the computer programs used to store bitcoins - make more tempting targets for hackers than real bank accounts.

"Many Bitcoin users don't know much about security, and many protect their digital wallets with a user name and password that criminals can get past easily using malware," he says.

"The beauty for a criminal is that if you steal a Bitcoin wallet you don't have to go through a middleman like you do with a real bank account to move the money. You can just cash it out instantly anywhere in the world."
