Exploring The Underground Credentials Market
Due to the difficulties of monetising stolen credit cards, fraudsters are turning to other data sources to gain illicit monetary advantage, says Amichai Shulman
Monetising credit cards
In order to monetise credit cards, different factors must be taken into consideration. First, additional identifying information, for example the name and expiration date, is required to complete a transaction. Furthermore, CVV2 numbers are mainly requested during an online purchase. According to PCI regulations, CVV2 values are not allowed to be stored at consumer sites, which leads to these values being sold separately from the credit card numbers. Finally, a real purchase needs to be performed by the criminal, and the real goods then have to be sold in order to cash out.
Alternatively, monetising credit cards could be performed by manufacturing real plastic cards with the stolen number. The manufacturing and distribution of these stolen cards entail additional hardware expense, complexities and risks.
As anti-fraud mechanisms are set up to detect illegal activities, and given that many purchases leave a digital trail, criminals seek other creative ways to cash in on credit cards. One such way is for a criminal to enter a gambling site, such as a poker site, under two accounts. The first account is attached to the illegal credit card, while the second is attached to a legal card that can be directly cashed by the culprit.
Both accounts, under the same user, play at the same table, one against the other, while the “illegal” account loses to the “legal” account. The credit card company sees that the illegal card was used at a gambling site but cannot track the criminal who, in the meantime, received the funds. Other alternatives include stock manipulation through online trading sites (that allow registration with credit cards) or generating fake transactions between two parties controlled by the culprit in applications such as PayPal, eBay and the like.
Although bank account numbers are sold for a relatively high sum, monetising bank account numbers is not simple either. Either an individual is required to come to the bank in person and show other identifying details or, given an ATM PIN, a plastic card needs to be manufactured while the criminal needs to avoid security cameras.
Whether using the stolen cards physically or over the Internet, criminals take precautionary steps to avoid detection of their fraudulent activity. These steps require purchasing or transferring sums only in small amounts, over a long period of time, so attackers look for alternative, more profitable data.
The rise of online credentials
In contrast to 2006, the 2008 report already showed a remarkable shift in the black market: email accounts were the third most available virtual product for sale. Furthermore, at the low end, online credentials were going for $0.10 a credential, already higher than the price of a credit card!
Online credentials are username/password combinations used to gain access to different Internet applications, whether a social networking application, a bank account or a health-provider service.
Credentials to an online banking service allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal (or most often to a mule account that collaborates with the attacker). However, such transfers require a higher level of sophistication in order to avoid being detected by anti-fraud mechanisms deployed at banks.