Underground Economy for Stolen Data Thriving, Symantec Says

In a new year-long study, Symantec took a look at the black market for stolen credit cards, banking information and other goods. According to the report, the overall value to traders of the goods Symantec observed is around $276 million, but the potential value for cyber-thieves stretches into the billions.

Big bucks are being made in the black market for stolen data, according to a report from Symantec.

Researchers at Symantec turned the spotlight on the underground market for stolen data in a new year-long study that uncovered black market traders advertising stolen data at prices totaling more than $276 million.

In its "Report on the Underground Economy," Symantec gathered data from underground economy servers between July 1, 2007 and June 30, 2008. What the company found was a virtual bazaar, where bartering was commonplace. While Web forums were traditionally the meeting site for such arrangements, they have been largely scrapped in favor of Internet Relay Chat (IRC).

"Web forums were initially used, but they are used less now due to many of these sites requiring static IPs, while IRC, Internet Relay chatrooms, allow groups to obfuscate themselves through rotating the meeting channels, making it more difficult for police agencies to track them down," explained David Cowings, senior manager of operations at Symantec Security Response.

During the reporting period, Symantec tracked 69,130 distinct advertisers and 44,321,095 total messages posted to underground forums. The potential value of the total advertised goods for the top 10 most active advertisers was $16.3 million for credit cards and $2 million for bank accounts.

Deals were made largely through trading goods based on their potential value. Cumulatively, the value of advertised goods - the amount traders would make if they liquidated their inventory - was more than $276 million, Symantec officials said.

The information was even more valuable to the fraudsters themselves. For example, the average limit on the advertised stolen credit cards observed by Symantec was more than $4,000, bringing their potential worth to about $5.3 billion.

Credit card information was the most advertised category of goods and services, accounting for 31 percent of the total. Individually, the profit on each stolen credit card number was relatively small, with some selling for as little as 10 cents. The information is also sold to fraudsters in bulk, with discounts provided for large purchases.

The second most common category of goods and services advertised was financial accounts, representing 20 percent of the total. In one case, financial accounts were cashed out online to untraceable locations in less than 15 minutes, the report states.

Though stolen bank account information sells for between $10 and $1,000, the average advertised stolen bank account balance is nearly $40,000, Symantec officials said. Taken together, the average advertised balance of a bank account and the average price for stolen bank account numbers put the value of the bank accounts advertised during this period at $1.7 billion.

The report is a first for Symantec, though some of the data has been included in the company's Internet Security reports. While the report offers a nice snapshot, Cowings conceded it is only a small piece of the pie given the international reach of the black market.

"Most of what we monitored was only in English, so...it is only a fraction of what we saw in terms of activity," he said.