McAfee today released The Hidden Data Economy report, which provides examples of how different types of stolen data is being packaged and offering prices for each type of data. McAfee Group’s McAfee Labs organization examined pricing for stolen credit and debit card data, bank account login credentials, stealth bank transfer services, online payment service login credentials, premium-content-service login credentials, enterprise network login credentials, hospitality loyalty account login credentials, and online auction account login credentials.
“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behavior,” said Raj Samani, CTO for McAfee in Europe, the Middle East, and Africa. “This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyberattacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”
Through years of close work with law enforcement, the McAfee Labs team has monitored websites, chat rooms, and other online platforms, communities, and marketplaces where stolen data is bought and sold. McAfee Labs cannot confirm how many of the many examples of stolen data products and services are authentic. But drawing from the organization’s work with law enforcement agencies over the years, its researchers have provided a “state of the cybercrime economy” assessment with an illustration of key types and prices of data.
Payment card data is perhaps the best-known data type stolen and sold. McAfee Labs researchers found a value hierarchy in how this stolen data is packaged, priced, and sold in the dark market. A basic offering includes a software-generated valid number that combines a primary account number (PAN), an expiration date, and a CVV2 number. Sellers refer to a valid number combination as a “Random.” Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.
This includes data such as the bank account ID number, the victim’s date of birth, and information categorized as “Fullzinfo,” including the victim’s billing address, PIN number, social security number, date of birth, mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.
The following table illustrates the average credit and debit card account sales prices across regions based on the combination of information made available:
|Basic or “Random”||$5-$8||$20-$25||$20-$25||$21-$25||$25-$30|
|With Bank ID#||$15||$25||$25||$25||$30|
|With Date of Birth||$15||$30||$30||$30||$35|
“A criminal in posession of the digital equivalent of the physical card can make purchases or withdrawals until the victim contacts the card issuer and challenge the charges,” continued Samani. “Provide that criminal with extensive personal information used to verify the identity of a card holder, or even allow him to access the account and change the information, and the potential for extensive financial harm—to the individual and card issuer—goes up dramatically.”
Payment service accounts
Compromised online payment service accounts appear to vary based solely on account balance, given their limited uses and scenarios for exploit. Account login credentials for accounts containing from US$400 to $1,000 have been estimated to cost between $20 and $50, while login credentials for accounts containing from $5,000 to $8,000 range from $200 to $300.
Bank login credentials
Cybercriminals can purchase banking login credentials and services allowing them to stealthily transfer stolen funds across international borders. McAfee Labs found login credentials for a $2,200 balance account selling for $190. Bank login credentials coupled with the ability to stealthily transfer funds to U.S. banks ranged from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance. United Kingdom transfers ranged from $700 for a $10,000 account balance, to $900 for a $16,000 account balance.
Online premium content services
The report also assesses dark market prices for account login credentials to online content services such as online video streaming($0.55 to $1), premium cable channel streaming services ($7.50), premium comic book services ($0.55), and professional sports streaming ($15). These relatively low price points suggest that cybercriminals have ramped up automated theft operations to make their cybercrime business models profitable.
Loyalty, community accounts
Some online services would appear to be low value targets, but researchers found that login credentials to hotel loyalty programs and online auction accounts are offered for sale on the dark market. Apparently, these allow buyers to conduct online purchases under the guise of their victims. McAfee Labs researchers found a major hotel brand loyalty account with 100,000 points for sale for $20, and an online auction community account with high reputation marks priced at $1,400.
For more information, please read the full report: The Hidden Data Economy.
For guidance on how consumers can better protect themselves from the consequences of data breaches and the fraud and theft that follow, please visit: Consumer Blog.