Monday, March 19, 2007

Stolen Identities Sold Cheap on the Black Market

Recovering from identity theft can take years and cost thousands of dollars. But how much is your identity worth to the thieves who sell it to other fraudsters? Turns out, less than the price of two tickets to the movies.

According to the latest Internet security threat report from Symantec Corp., the keys to assuming someone else's identity can be had for between $14 and $18 per victim on underground cyber crime forums. Full identities typically include Social Security numbers, the victim's bank account information (including passwords), as well as personal information such as date of birth and the maiden name of the victim's mother.

Symantec engineers monitored more than 330 different underground Internet servers used by criminals as bazaars for stolen consumer data. During the latter half of 2006, the company observed nearly 5,000 credit cards being traded and sold on the online black market. More than half of the Internet servers monitored by the company were located on computers or networks here in the United States.

Alfred Huger, vice president of Symantec Security Response, said the bad guys are increasingly packaging stolen data about consumers to add value to the data.

"These guys are going to the effort of data warehousing this stuff and will steal or get data from multiple sites and package it at fairly standard underground market rates," Huger said. "Three years ago, this kind of commerce would have been exceptional: If your data was stolen there was maybe a chance it would be sold or battered around on underground networks. Now it's pretty much a certainty."

It's important to note that while Symantec monitored a large number of servers, a great deal more than 5,000 stolen credit card numbers were traded or sold online in the last six months of 2006. In fact, San Diego-based Secure Science Corp., which recovers stolen financial data from online fraud forums all over the Web, found more than 147,000 stolen credit card accounts for sale in online fraud forums last month alone. While the true number of stolen credit cards for sale on the black market at any given time is probably unknowable, Huger's observation is spot on, at least from my own reporting. I have found that criminals often will use stolen credit cards to conduct even more research on victims, by purchasing background reports at sites like Ancestry.com and PublicBackgrounds.com.

Symantec also tracked a fairly significant growth in the number of "bots," or home computers that bad guys have gained control over for use in sending spam, hosting scam Web sites and attacking other Internet users. In the first half of 2006, the company saw about 4.7 million distinct bot-infected computers; in the latter half of the year, Symantec tracked nearly 6,050,000 bots, a 29 percent increase.

Symantec attributed the spike in bots to a rash of "zero-day" security holes discovered in Microsoft Windows software in the last six months of 2006. Also called "0day" flaws, the term refers to software flaws that are being actively exploited by hackers and criminals but for which the vendor has not yet released an official fix or patch.

Still, the vast majority of the malicious software variants that appeared last year did not take advantage of any security flaws whatsoever, except perhaps human nature. Buried in the report was this little gem: Only 23 percent of all malicious software created in 2006 exploited a software security vulnerability. This is a very important stat to consider: By far the most common way that people infect their own computers with malicious software is by opening a virus-laden e-mail attachment or by clicking on a Web link included in an instant message.
