
Stolen Identities Sold Cheap on the Black Market

Recovering from identity theft can take years and cost thousands of dollars. But how much is your identity worth to the thieves who sell it to other fraudsters? Turns out, less than the price of two tickets to the movies.

According to the latest Internet security threat report from Symantec Corp., the keys to assuming someone else's identity can be had for between $14 and $18 per victim on underground cyber crime forums. Full identities typically include Social Security numbers, the victim's bank account information (including passwords), as well as personal information such as date of birth and the maiden name of the victim's mother.

Symantec engineers monitored more than 330 different underground Internet servers used by criminals as bazaars for stolen consumer data. During the latter half of 2006, the company observed nearly 5,000 credit cards being traded and sold on the online black market. More than half of the Internet servers monitored by the company were located on computers or networks here in the United States.

Alfred Huger, vice president of Symantec Security Response, said the bad guys are increasingly packaging stolen data about consumers to add value to the data.

"These guys are going to the effort of data warehousing this stuff and will steal or get data from multiple sites and package it at fairly standard underground market rates," Huger said. "Three years ago, this kind of commerce would have been exceptional: If your data was stolen there was maybe a chance it would be sold or battered around on underground networks. Now it's pretty much a certainty."

It's important to note that while Symantec monitored a large number of servers, a great deal more than 5,000 stolen credit card numbers were traded or sold online in the last six months of 2006. In fact, San Diego-based Secure Science Corp., which recovers stolen financial data from online fraud forums all over the Web, found more than 147,000 stolen credit card accounts for sale in online fraud forums last month alone.

While the true number of stolen credit cards for sale on the black market at any given time is probably unknowable, Huger's observation is spot on, at least from my own reporting. I have found that criminals often will use stolen credit cards to conduct even more research on victims, by purchasing background reports at sites like Ancestry.com and PublicBackgrounds.com.

Symantec also tracked a fairly significant growth in the number of "bots," or home computers that bad guys have gained control over for use in sending spam, hosting scam Web sites and attacking other Internet users. In the first half of 2006, the company saw about 4.7 million distinct bot-infected computers; in the latter half of the year, Symantec tracked nearly 6,050,000 bots, a 29 percent increase.

Symantec attributed the spike in bots to a rash of "zero-day" security holes discovered in Microsoft Windows software in the last six months of 2006. Also called "0day" flaws, these are software vulnerabilities that are being actively exploited by hackers and criminals but for which the vendor has not yet released an official fix or patch.

Still, the vast majority of the malicious software variants that appeared last year did not take advantage of any security flaws whatsoever, except perhaps human nature. Buried in the report was this little gem: Only 23 percent of all malicious software created in 2006 exploited a software security vulnerability. This is a very important stat to consider: By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message.

By Brian Krebs  |  March 19, 2007; 12:01 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, Safety Tips

Comments

Posted by: Lawrence | March 19, 2007 12:48 AM

And yet Mastercard/Visa still allow merchants and payment processors to store unencrypted credit card numbers. Consumers need to wake up to the risk. When you purchase something online and the site indicates the data is encrypted, the encryption only applies to the data in transit. The fact is that data at rest is where the real risk is.

Posted by: WP from DC | March 19, 2007 8:48 AM

While it may be sticking a Band Aid to a gunshot wound, did Symantec alert federal or international law enforcement when they discovered these instances?

Posted by: Mike | March 19, 2007 11:22 AM

Hello Brian,

Nice article. However, there is one thing I do not agree with:

"By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message."

Most of the malware is installed via exploits or via another malware. It is true that many times it is the user himself who clicks on everything they receive as an e-mail attachment or a website, but right now most of the malware are bots & Trojan downloaders, both of which are many times installed via exploits, and using the bots and the Trojan downloaders much more malware is installed on each system.

Posted by: Luis Corrons | March 19, 2007 11:48 AM

Well, if Symantec and others (including Bryan - who observe this activity realtime) don't make an effort to report this criminal activity, they position themselves in the same league as the New Yorkers years ago who stood by and did nothing as they watched that woman (can't remember her name) get knifed to death on the sidewalk below, even though they clearly heard her screams and watched her bleed out. Gad, can no one do anything about this scary stuff?

Posted by: Pete from Arlington | March 19, 2007 11:54 AM

Brian,

Excellent work on this issue. Every time a laptop goes missing, a retailer's data storage gets hacked, or a payment processor doesn't provide basic security, that's one more treasure trove for cyberthieves.

The sheer amount of data available, coupled with the low prices for PII, make identity trading an easy bet for the fraud game. The thieves know that banks and retailers will shift blame and costs back and forth, and ultimately to the consumer, so the bad guys win all around.

Full disclosure: I work for an identity theft prevention company and write on these issues on a regular basis, so this is something I take to heart.

Martin Bosworth
www.mypublicinfo.com (MyPublicInfo)
wwww.consumeraffairs.com (ConsumerAffairs.Com)

Posted by: Martin Bosworth | March 19, 2007 12:18 PM

Prosecution of identity thieves cannot adequately address this problem due to the international jurisdiction issue (and the inadequate numbers, authority, and expertise of law officers and other investigators).

Consistent prosecution of companies that fail to protect personal data would probably help, but cannot adequately contain the problem due to the (increasingly) diverse techniques available to the thieves for acquiring your personal information, using both legal and illegal means...and both computer-based and old-fashioned means.

Companies that do business online--especially financial institutions--need to be held liable for protecting the accounts and transactions. Insurance (either by these companies or their customers) might contribute to the solution. But until those companies feel the financial burden to solve the problem, it won't be solved.


Posted by: Alan | March 19, 2007 1:59 PM

The dirty little secret that you don't tell people about is that globalization is chiefly responsible for not just identity theft but for a whole series of other problems. Right now, major corporations, mostly innocuous sounding credit reporting agencies, are assembling records on people including medical records for you and your family, driving habits and tickets, education and work details, criminal history, credit history and even purchasing habits, even letters to the editor and forum postings (if you can be identified) to blogs like this. Much of this is completely illegal to keep in this country, so it is assembled and stored in databases in India, which has flat absolutely no rules whatsoever. That information is completely beyond the reach of U.S. law. Yet, with one telephone call, a U.S. company, a health or automobile insurance company, a prospective employer, you name 'em, can get information on you you cannot even imagine. Have a sick child or wife and expensive medical bills - that is very likely THE reason you didn't get that last job. Or, maybe you wrote a letter to the editor supporting unions or you gave money to a politician opposed to globalization. There are literally millions of cases of Indian clerks selling information on American and European consumers. That, all by itself, is *THE* chief cause of identity theft; not some high school hacker or local criminal gang. The "criminal gang" is your insurance company, your HMO provider, your bank and credit card company, even your state and federal governments. If you really want to end identity theft, because it is going to get a lot worse, a whole lot worse, you will do whatever it takes to end this globalization nonsense imposed upon us by the neocons and Bush. End it. Make it illegal to outsource services and information of any kind. Don't tell us we cannot. In the 1800's the corporate crooks of that day told people they couldn't afford to do away with slavery, either.
Prices would go way, you'd have 7 pence banana, and no one could afford sugar. So the corporate monsters shipped slaves to the new world, wrecked families, and committed every sort of evil under the sun...all in the name of economic necessity. Today, we ship jobs and information and technology overseas, corporations pit desperate workers from one family against desperate workers from another, all in the name of economic necessity. It is evil and wretched beyond comprehension. End it!

Posted by: MikeB | March 19, 2007 2:15 PM

Tech challenged with a question for those who are not... How are "Yahoo Mail cookie exploit" and "Yahoo and Hotmail email cookies" used for identity theft?

Posted by: Rosie Win | March 19, 2007 3:30 PM

Rosie,
Without getting too tech with the reply, a cookie exploit steals your login information that is stored on your own computer. When you click the box 'remember me on this computer' a small data file called a cookie is stored by the site's server on your computer. When you visit the site again, it retrieves this file and uses the information to identify you. A bad guy gets you to visit his specially crafted website and gets your cookie information. Now he can log into your account and mine it for any details that may be worthwhile. One way to avoid this is to enter your username and password each time, which, although a pain in the rear and not entirely foolproof, does make it harder for a thief to get your login info.

Posted by: BryanP | March 19, 2007 4:23 PM

You know, the threat of overseas data collection may be real, but why oh why did MikeP have to launch into a knee-jerk tirade against globalization?

I'm as suspicious of it as the next guy, but it is a massive force and we can't get anywhere by getting hysterical and losing credibility.

Posted by: JamesH | March 19, 2007 5:43 PM

Thank you, Bryan. Very clear. I know (and avoid cookies) but did not think about other sites reading them. Of course, another choice is to avoid Yahoo and Hotmail altogether. I use Foxfire so I can control my cookies so most of those I permit are for the session only (and close the browser to end the session if I am spending quite a while online). I also routinely check and clear out cookies. Vigilance in everything. I hate what has happened to the web, it is making me paranoid.

Posted by: Rosie Win | March 19, 2007 10:19 PM

Looks like most threats are originating in the US, for those worried about 'Globalization'...

http://news.yahoo.com/s/ap/20070319/ap_on_hi_te/internet_security_threats;_ylt=Akcv6EwVEsrHApSSHBY69mrMWM0F

Posted by: DBH | March 20, 2007 12:27 AM

If you set your browser to delete cookies and personal information after closing, does this help? Using Firefox browser.

Posted by: victor | March 20, 2007 1:03 PM

I know that this happens; there are just too many security breaches to believe the information isn't going to be abused. What's chilling is the volume these must be sold in. For them to make money selling an identity for 20 bucks or less they must be working on so many identities.

Posted by: MichaelD | March 20, 2007 1:46 PM

>>Only 23 percent of all malicious software created in 2006 exploited a software security vulnerability. This is a very important stat to consider: By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message.

Um, pardon me very much, but the default ability to open an executable e-mail attachment (virus-laden or otherwise), or to automatically convert a text URL to a hyperlink, or to visit a Web site (no matter the provenance of the URL) and have the browser run whatever unknown script or object code it finds there -- due to its default zone-security settings being set too low -- IS a software security vulnerability, falling into the category of "mistaken default-policy decision", or perhaps even "design flaw", rather than "bug".

@Luis Corrons:
>>It is true that many times is the user himself the one that clicks on everything they receive as an e-mail attachment or a website,

But who is it that set the default policy to permit all unknown, untrusted code to run when the user does this?

@Pete from Arlington:
>>they position themselves in the same league as the New Yorkers years ago who stood by and did nothing as they watched that woman (can't remember her name) get knifed to death on the sidewalk below, even though they clearly heard her screams and watched her bleed out.

http://en.wikipedia.org/wiki/Kitty_Genovese

Posted by: Mark Odell | March 20, 2007 3:56 PM

I may be naive but it seems to me that two ways to counter this would be (1) to financially hurt the purchasers by creating fake "identities" and then offer them for sale. Any buyer could hardly complain of fraud when the purchased identities didn't work (could also be used for law enforcement tracking) and (2) to follow the payment stream and have the federal reserve cancel foreign banks' exchange privileges if they are used to make payment for US identities.

Posted by: pasco | March 20, 2007 4:33 PM

What aggravates me is that banks, insurance companies, and many other businesses state how safe online payment is, and how long a time it takes for a consumer to be notified. I run virus checks every single day, but I do not feel totally protected. I often feel that the Internet industry will implode because crooks can just walk away. Thankfully, I have never been a victim of identity theft, and I certainly hope that I never am.

Posted by: Susan Dawson | March 21, 2007 7:33 AM

How do we get the Credit Card Companies to start taking some responsibility? Their card is stolen, they don't care how much was charged and take the hit, so are they letting the bad guys go? The Credit Card Companies do not take any responsibility for their card; they would much rather take the loss than help catch the bad guys.

Posted by: Concerned Citizen | March 21, 2007 10:12 AM

We had this kind of job movement within the U.S. before globalization. Jobs in the Northeast went to the South. Then they went to Mexico. Then they went all over the world. MikeP, you need to get off of your fat ass and learn how to compete. Nobody owes you a job.

Posted by: Fred | March 21, 2007 2:15 PM

How about law enforcement and Judges being held accountable for allowing identity theft to take place?

31 fake numbers and a million dollars no prosecution, no arrest with the judges permission.

southdakotagov.info

Posted by: Jason | March 30, 2007 5:38 PM

The comments to this entry are closed.

 
 

© 2010 The Washington Post Company