While 2014 was certainly terrible in terms of the number and scope of cyber attacks, the number and audacity of attacks is only going to rise this year, as has been repeated with alarming frequency at the recent World Economic Forum.
While many cybercriminals are out to simply steal our information, satisfied with creating havoc for individuals or businesses, the majority do it for the money.
The underground economy in which hackers operate is laden with forums, chat rooms, websites and other communities designed to facilitate, streamline, and industrialize cybercrime. Taking a look at what gets sold and traded in these communities can give us a pretty good understanding of what’s most valuable to hackers — and what we need to focus on protecting.
Credit card information is the most commonly traded commodity in the hacking economy. This information comes in several flavors, with “CVVs” and “dumps” being the most popular.
- CVV, which you shouldn’t confuse with the three digits on the back of a credit card, is fraudster language for credit card records that may include the cardholder name and address, card number, expiration date, and CVV2 (the three digits on the back of a card). CVVs can only be used with online retailers and are usually available for purchase on one of the underground marketplaces for less than $10 (for U.S. cards).
- Dumps is fraudster language for the raw information on the card’s magnetic strip, and can be obtained in a variety of ways, including the physical skimming of the credit card, capturing the data through a point-of-sale device that has been infected with malware, or hacking into a retailer’s internal network. Dump data can be encoded onto a fake credit card that hackers can then use at a brick and mortar store to make purchases. While prices vary based on specifics such as the type of card and the expiration date, they’re generally more expensive than CVVs because the payoff is bigger — hackers can use them to buy goods of higher value than they can get with a CVV. Dump data for U.S. credit cards costs around $20-80.
On any given day, stolen credit card information in the underground economy is worth millions of dollars and provides cybercriminals with a steady and dependable income stream.
Fullz is fraudster speak for financial information that includes the full information of the victim, including name, address, credit card information, social security number, date of birth, and more. As a rule of thumb, the more information you have on your victim, the more money you can make off of those credentials. Fullz are usually pricier than the standard credit card credential, but still tend to cost less than $100 per record. Fullz can be cashed out (turning credentials into money) in various ways, including performing bank transactions over the phone with the required authentication details in-hand.
Even Dead Fullz, which are Fullz credentials associated with credit cards that are no longer valid, can still be used for numerous purposes, including tax refund scams, ordering credit cards on behalf of the victim, or opening a mule account (an account that will accept a fraudulent money transfer from a compromised account) without the victim’s knowledge. As they are harder to cash out, Dead Fullz usually cost around $1-3 each.
PayPal & eBay accounts
PayPal and eBay account records make for popular commodities on the black market. With its extreme popularity and the fact that its cash-out methods are universal (as opposed to banks in different geographies, which have different guidelines), PayPal is a common target for hackers.
eBay accounts facilitate auction fraud, which has been a popular scam method for many years running. The cost of PayPal and eBay records in the underground economy differ from seller to seller and can go for as low as $2 per account, increasing in value depending on whether or not there are credit cards associated with the account.
Online gamer accounts
In certain underground forums, hackers target online games and cash out by selling the virtual gold and other unique virtual goods obtained by the victim’s character for real-world money. Steam accounts (Steam being the most popular store for PC games) are also sold on the black market and can be used for cash-outs or simply to gain access to games purchased by the victim.
The bottom line
Cybercriminals are always on the lookout for new ways to use stolen credentials for generating income. And because people regularly store sensitive personal information across various online accounts without taking the extra measures needed to protect that information, cybercriminals have plenty to work with. Fighting fraud on a whole is an uphill battle. Plug one hole, one exploit, and fraudsters will focus their efforts on a different one. Unfortunately, as long as cybercriminals continue to steal and then profit from our data, the underground economy will continue to flourish.