In the golden age of cybercrime, the hidden data economy continues to boom, according to a recent McAfee report. The report highlighted the growth of this market as having become a place where any conceivable illicit product is for sale or rent — from personal data, cyber tools, botnets and beyond, cyber criminals are increasingly resembling a service industry.
The report addressed the phenomenon in a comprehensive manner, but due to the scope of the hidden data economy, it only scratches the service. A key development has been the growth of a hacking “as a service” business model employed by various groups and individuals. In this model, a criminal sells or rents software or carries out attacks for a fee. Much like many legitimate services, when an attack is successful, the author of software or the entity that carried out the attack receives a percentage of the profit.
The report also mentioned a troubling trend called, “data fatigue.” This refers to the trend of people reacting to data breaches largely with indifference.
“Although disillusionment may be understandable given the steady stream of breach notifications and stories detailing the theft of millions of records, it is important to recognize that this is data about us,” the report stated, noting, “Our information is being openly sold, and the individual repercussions may not be felt for some time.”
The stated goal of the report is to address this “Apathy,” but emphasizing the intention is not to spread fear, but, rather, to “explain why we as a society should be concerned” when data breaches occur. The author stressed some of the examples may not be authentic, as sellers are prone to promoting their “brand” in an effort to gain customers.
The report covers several types of cybercrime: financial data, login access, access to online services and identities.
Financial data
The sale of financial data is an inherently broad topic, as the types of data sold are numerous and the market includes both the standard web and “dark web” venues. Retailers are often the target of such attacks, with major brands such as Home Depot and Target being victims of some of the most prominent attacks.
The sale of this information often includes payment card information, with prices varying depending on multiple factors. These include, along with a credit card’s number, the card verification code (CVV) and a “software-generated” combination of “a primary account number (PAN) and expiration date and a CVV2 number that has been generated by software.” The third factor is “Fullzinfo,” which consists of the full details of the owner of the card such as name and address along with the complete card info. Other options exist, including login info accompanying the card info.
In some cases, the seller will not provide the information after purchase. In this case, the report stated, the logic is generally a case of, “who will they tell.” However, many do provide the information and it is lucrative. US prices for software generated cards range from $5-$8, “With Bank ID Number” and “With Date of Birth” generating prices of about $15. Fullzinfo command a price in the range of $30, and if the card has a balance, the price of a US card can rise as high as $110.
These are generally called “Dump Tracks,” a term that refers to information electronically copied from the card’s magnetic strip. Online payment accounts are also sold, but these are less common and more difficult to use. Yet, depending on the balance they can be worth as much as $300.
Login access
Another type of cyber theft covered by the report is login access to an individual’s account. These include both simple login access and information that requires some technical expertise. The latter can include access to bank and airline systems across the world, including the United States. Even more troubling, the report mentioned an article by cybersecurity expert Idan Aharoni, SCADA Systems Offered for Sale in the Underground Economy, in which he reported a seller advertised having access to a French hydroelectric generator. This underscores both the sophisticated nature of the criminals and the vulnerabilities found in critical infrastructure.
Access to online services
A third type of cyber theft covered by the report is access to online services. This type of sale includes accounts such as “…music, video, loyalty programs and others.” These accounts are generally very inexpensive, but can still pose great problems for the legitimate owners.
Accounts may notice suspicious activity, shutting down the account or freezing it. Stored credit information can be acquired, and perks can be stolen. The report provided an example where an account is advertised for sale at $1 for a lifetime warranty account.
Due to the inexpensive nature of these accounts, they are often very cheap and the sellers attempt to move a massive amount of accounts.
Identities
Identity theft remains one of the most prevalent types of cybercrime. The report took note of the recent collaboraton between Intel and Eurozone law enforcement to attack the “Beebone” botnet, which was a massive botnet system attaching itself to the systems of users, then engaging in invasive data mining.
Through this method a buyer can easily take over anything from a person’s social media accounts and email, and many others.
One of the most frequent identity sales is the sale of stolen medical information. This can be difficult to acquire, but the sellers can be found. The report noted an example where a cybercriminal leaked the complete medical information, including social security numbers, of dozens of physicians from across the United States.
In some cases, this information is released without cost. The report noted an example of medical information being released by the hacker collective Rex Mundi because the company Labio did not pay a 20,000 ransom.
The report covered a very small fraction of the hidden data marketplace, which is a vast and ever-changing venue, but the examples chosen were done so in order to raise awareness about the seriousness of the issue.
The report concluded, saying, “When we read about data breaches, the cybercrime industry may seem so far removed from everyday life that it is tempting to ignore the message. However, cybercrime is merely an evolution of traditional crime. We must conquer our apathy and pay attention to advice for fighting malware and other threats. Otherwise information from our digital lives may appear for resale to anyone with an Internet connection.”
