LONDON — Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says.
Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming “commoditized” — account details with PIN codes that once fetched $100 or more each might now go for $10 or $20.
In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into “a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world.”
Finjan’s Israel-based chief technology officer, Yuval Ben-Itzhak, said in a telephone interview that new types of stolen data were now commanding a premium, such as patient health care information that can be used for insurance fraud or to illicitly acquire and sell medicines.
Other premium data includes business information, company personnel files and intercepted commercial emails.
The Finjan report, partly based on contacts the company established with five groups trading online in stolen data, described a Mafia-type cybercrime hierarchy in which bosses operate as business entrepreneurs and typically leave the actual online attacks to underlings.
An “underboss,” or second-in-command, provides the Trojan infiltration software for launching attacks. The workforce that carries these out is paid according to the rate of infections achieved and the country of origin of the infected computers.
“Resellers” then trade the hacked financial data in the same way that a criminal “fence” disposes of stolen goods.
In online exchanges with resellers, Finjan researchers were offered a menu of stolen data, with platinum, gold and corporate card details commanding the highest prices.
Sellers promised the data was “fresh,” and one even offered a 48-hour guarantee to supply new details if those originally bought were rejected by payment systems as stolen cards.
“It’s like in the regular business world — when you buy a good and it doesn’t work, you go back and you want to replace it,” Ben-Itzhak said.
“It indicates a competitive environment…They need to build reputation, they want to show they’re providing high quality data for your money so you can go back and buy from them rather than go to the other groups.”
Ben-Itzhak predicted banks, which until now have shouldered the burden of compensating people whose data are hacked, would seek to put some of the onus for security on the customer.
“So far the banks are not mandating the end user to have some sort of security on their desktop,” he said. “They’re taking the risk, better to say they’re paying the risk, when your account has been compromised.”
“However, what we noticed recently is the volume increased significantly and the banks are starting to ask the question: Did you install something or do you have something running on your desktop. … The banks will start to ask questions of the end users and put some responsibility at least on them.”