In a new year-long study, Symantec took a look at the black market for stolen credit cards, banking information and other goods. According to the report, the overall value of the goods observed by Symantec to the traders is around $276 million, but the potential value for cyber-thieves stretches into the billions.
Big bucks are being made in the black market for stolen data, according to a report from Symantec.
Researchers at Symantec turned the spotlight on the underground market for stolen data in a new year-long study
that uncovered black market traders advertising stolen data at prices totaling more than $276 million.
In its "Report on the Underground Economy," Symantec gathered data
from underground economy servers between July 1, 2007 and June 30,
2008. What the company found was a virtual bazaar, where
bartering was commonplace. While Web forums were traditionally the
meeting site for such arrangements, they have been largely scrapped in
favor of Internet Relay Chat (IRC).
"Web forums were initially used, but they are used less now due to
many of these sites requiring static IPs, while IRC, Internet Relay
chatrooms, allow groups to obfuscate themselves through rotating the
meeting channels, making it more difficult for police agencies to track
them down," explained David Cowings, senior manager of operations at
Symantec Security Response.
During the reporting period, Symantec tracked 69,130 distinct
advertisers and 44,321,095 total messages posted to underground forums.
The potential value of the total advertised goods for the top 10 most
active advertisers was $16.3 million for credit cards and $2 million
for bank accounts.
Deals were made largely through trading goods based on their
potential value. Cumulatively, the value of advertised goods - the
amount traders would make if they liquidated their inventory - was more
than $276 million, Symantec officials said.
The information was even more valuable to the fraudsters themselves.
For example, the average limit on the advertised stolen credit cards
observed by Symantec was more than $4,000, bringing their potential
worth to about $5.3 billion.
Credit card information was the most advertised category of goods
and services, accounting for 31 percent of the total. On their own, the
profit for each stolen credit card number was relatively small, with
some selling for as little as 10 cents. The information is also sold to
fraudsters in bulk, with discounts provided for large purchases.
The second most common category of goods and services advertised was
financial accounts, representing 20 percent of the total. In one case,
financial accounts were cashed out online to untraceable locations in
less than 15 minutes, the report states.
Though stolen bank account information sells for between $10 and
$1,000, the average advertised stolen bank account balance is nearly
$40,000, Symantec officials said. Taken together, the average
advertised balance of a bank account together and the average price for
stolen bank account numbers puts the value of the bank accounts
advertised during this period at $1.7 billion.
The report is a first for Symantec, though some of the data has been
included in the company's Internet Security reports. While the report
offers a nice snapshot, Cowings conceded it is only a small piece of
the pie given the international reach of the black market.
"Most of what we monitored was only in English, so...it is only a fraction of what we saw in terms of activity," he said.