Criminals in the cloud: Hacking-as-a-Service and Cybercrime-as-a-Service are in high demand. The buying price for stolen financial data, online accounts and health data fluctuates based on supply and demand, as well as based on the expected value to be gleaned from the purloined information.
It may sound macabre, but even cyber-criminals work hard to present themselves as "serious businesspeople" in the dark web. Their intended message: the data they're offering is really worth your hard cash.
In the rich industrial countries of the DACH region, including Germany, Austria and Switzerland, the primary financial crimes involve banking Trojans. Italy, North America, Great Britain and Scandinavia, by contrast, are more frequently plagued by ransomware, which encrypts a device's data and only releases it once a ransom has been paid.
But not in Switzerland, the official Partner Country at CeBIT 2016 – a nation known for secure banking systems. Swiss authorities are primarily on the lookout for sniffer software that spies on login data for banking accounts and credit card numbers as consumers make online purchases, such as during Christmas shopping. All without the buyer noticing it in time.
One complete set (fullz info) of details on a credit card and its owner costs 45 USD on the black market. This includes a complete name, billing address, card number, expiration date, social security number, mother's maiden name (a popular password), date of birth and the CVV2. The CVV2 is the three-digit security code printed on the back of the credit card that must be provided during online purchases. Armed with that complete set of information, cyber-criminals can engage in all manners of malfeasance, draining the bank accounts of their victims significantly.
Discounts are given if some of the information is missing. The cheapest options are software-generated payment data, comprised solely of a valid primary account number, an expiration data and a CVV2. At just five to eight US dollars, they're quite the deal. The reputation of the seller matters as well. Some sellers roll out lavish marketing campaigns, advertising their wares to potential customers on Youtube. Yet it's an unreliable indicator of reliability: you can usually find plenty of customers complaining about never receiving the stolen information they've paid for, writes McAfee in his report "The Secrete Business in Data."
'Dump tracks' from Europe can command 190 dollars on average. These credit card dumps contain information copied electronically off the magnetic strips on the rear of credit and debit cards. Rigged ATMs are one source.
The magnetic strips contain two data tracks. Track 1 contains alphanumeric data such as the name of the customer, while track 2 contains numeric data, including the account number, expiration data, CVV1 and other information from the issuing institution. The stolen data is then transferred onto dummy cards. This allows for money to be withdrawn from any ATM machine.
The prices for this kind of credit card dump are strongly impacted by the amount of money in the account. For accounts containing between 5,000 and 8,000 dollars, buyers will need to offer up between 200 and 300 dollars. Sellers underscore their "reliability" by pointing to social validation, namely positive feedback from previous buyers.
While financial data are the wares of choice in the DACH region, cyber-criminals also peddle access to systems in trusted corporate networks — the key to industrial espionage. McAfee documented a proposed sale of access to bank and airline systems in Europe, Asia and the USA. The crooks offered internal system screenshots to prove that they could deliver on their promises: "This data is real, we've really hacked the system," they claimed.
Hard to believe — but free online accounts are also a favorite for criminals. A hotel 'frequent stayer' account with 100,000 points — all major hotel chains offer loyalty bonuses — costs around 20 dollars. An established account with a good history can cost much more, McAfee writes. It can be used to help a buyer mask a poor reputation, such as due to poor business practices or fraud. As such, a new identity can be worth its weight in gold. At just 20 dollars, it's money well spent.
For less demanding situations, online auction house accounts for various account types are available in bundles of 100. And speaking of identities: health and personal data were the second most frequently purloined data type this past quarter, writes technology provider Trend Micro. The most publicized attack of this type was the hack on the UCLA health system. Data from 4.5 million patients was compromised. Hard as it is to believe, one potential buyer for the stolen data was reportedly the pharma industry itself.