How Hackers Make Money With Your Personal Information - The Free Market At Work!

Ever wonder how hackers make money with your stolen personal information?  It’s not always how you think and their methods may surprise you. 

Dell SecureWorks recently published a report on the underground hacker market and you’d be surprised how the process mimics the traditional retail world.   A high percentage of the stolen data is sold on the open market on the DarkNet ¹.  These guys actually run sales and sometimes even offer guarantees on the information sold.   

Competition in this market has some of these vendors emphasizing customer service, with some offering 100% guarantees on the stolen information they're selling. One seller even promises to replace all "dead" stolen credit cards.  He can afford to do this because there is such a huge glut of stolen credit card info out there.

Premium credit cards -- platinum and gold cards, for example -- can be purchased in bulk. One vendor offers a package of 10 cards at $13 apiece and up to 2,000 cards at $9 apiece. A single premium payment card can go for as much as $35.   A standard VISA or Mastercard can sell for as little as $4.  Doesn’t sound like a very high price for your credit card, does it?  Consider this.  That same site says it has 14 million US credit cards for sale, plus hundreds of thousands more from other countries.  It’s all about volume!

Counterfeit identities are the new hot product to support fraud -- new fake identity kits, passports, Social Security numbers, utility bills, and driver's licenses.   A complete new identity, including a working SSN, name, and address, goes for about $250, and for an extra $100, they’ll even throw in a utility bill for ID verification purposes.

Some bad guys also are offering new services to their customers, such as tutorials on how to hack and commit fraud. Among these services are basic “carding”, cashing out fullz ², ATM hacking, and successful online banking fraud.  Tutorial manuals can cost anywhere from $1 to $30.

Ever thought about taking up a life of crime?  The price of a remote access Trojan (RAT) has dropped dramatically this year, from $50-$250 in 2013 to only $20-$50 this year. Why the major price drop?  Researchers believe it's due to the number of free RATs available in the wake of RAT source code leaks, which has driven prices down.

To start a business providing Distributed Denial Of Server attacks (DDOS), bad guys can buy bots with a package of 5,000 compromised machines in the US for between $600 and $1,000.

The credentials for a "high-value" bank account with a balance of $70,000 to $150,000 can be purchased for about 6% of the balance amount.  So for $4,200 they can have access to a $70,000 bank account.

It was recently reported that organized crime based in Russia and Ukraine raked in about $2 Billion last year so we’re not talking chump change here.  Cyber-criminals are in this for the long haul so don’t expect the threat to do anything but get bigger and more aggressive.  Just like them, you’ve got to improve every aspect of your defenses from firewalls, servers, computers and especially your portable devices like tablets and smartphones.  Remember, hacking is BIG business!  It’s not a matter of IF you’ll be breached, it’s only a matter of when and how well and how fast you react.

1 - A darknet is a private network where connections are made only between trusted peers — sometimes called "friends" using non-standard protocols and ports.  Hackers, among others, use this technique to privatize their own little corner of the Internet.

2 - “Fullz” is a slang term used by hackers meaning full packages of individuals' identifying information. "Fullz" usually contain an individuals name, Social Security number, birth date, account numbers and other data. Fullz are sold to identity thieves, who use them in credit fraud schemes.

Jeff Hoffman is a network security and information protection consultant with ACT Network Solutions.  He can be reached at jhoffman@act4networks.com