While the economy lurches from one day to the next and incidents of real-life piracy increase off the coast of Somalia, Symantec’s “Report on the Underground Economy” illuminates an online underground that has matured into an efficient global marketplace for stolen goods and fraud-related services. Symantec reports that in the yearlong period of observation an estimated $276 million worth of advertised goods was trafficked-a small fraction of the overall underground economy.
Dave Cowings, Symantec senior manager of operations for security response, said that figure represents only a small fraction of this economy that has been uncovered through the survey. “It’s thriving, it’s starting to evolve and as more businesses do online transactions, this economy will grow [too],” he said. “This is an economy without borders, so cyber-criminals can cast a very wide net.”
The report’s data, from Symantec’s STAR (Security Technology and Response) organization, was culled from underground economy servers between July 1, 2007 and June 30, 2008. During this reporting period, North America hosted the largest number of such servers, with 45 percent of the total; Europe/Middle East/Africa hosted 38 percent; followed by Asia/Pacific with 12 percent and Latin America with 5 percent. The geographical locations of underground economy servers are constantly changing to evade detection.
The report cited credit card information as the most advertised category of goods and services circulating through the underground economy, representing nearly one-third of the total. While the price of stolen credit card numbers remains low, with some selling for as little as $0.10 to $25 per card, Symantec observed that the average advertised stolen credit card limit was more than $4,000. The company estimated that the potential worth of all credit cards advertised during the reporting period was $5.3 billion.
These numbers, which are expected to increase, mean a small and midsize business needs to have a multilayered security solution in place, Cowings said. “There are several mitigation techniques that SMBs need to take, starting with database encryption,” he said. “They should also limit access to databases.”
Tighten Endpoint Security Too
Cowlings said he fell victim to data thieves who sold his financial information, as well as other people’s, on the underground economy. “My mortgage company allowed low-level staff to access the database, and all my information was burned onto a disc and sold to the underground economy,” he said.
He recommended that all SMBs employ endpoint security measures as well, such as software that throws up a red flag if someone is copying information to a portable device like a USB drive. “Information that is sensitive should probably remain in an encrypted database,” he said. SMBs should also ensure that employees use strong passwords and change them on a regular basis.
Because many SMBs rely on Web-based transactions and technology to cut costs and stay competitive, Cowings said smaller companies need to broadcast very clearly to their customers the lengths to which they have gone to protect private information, and guide customers toward best practices for avoiding fraud when not on the company’s Web site. “It not enough anymore to see the little padlock on the bottom of your browser window and think you’re on a secure site,” he said.
As the holiday shopping season approaches, Cowings said SMBs that are drawing new business through Web purchasing need to be aware what level of education they are providing the customer. “As more and more people start adapting and making online payments and purchases, there may be some hesitancy with people who are using online store sales,” he said. “I want to make sure I feel secure giving them my information.”