Exploring The Underground Credentials Market

The beginning of the decade presented the online security community with an interesting news piece entitled “Stolen Twitter Accounts Can Fetch $1,000”. On the face of it, this seemed far-fetched, especially compared to credit card details, which were fetching less than $1 at the time. Are ill-gotten Twitter credentials 1,000 times more valuable than a pilfered credit card number?

While somewhat exaggerated, this comparison definitely coincides with the latest trend in the stolen data market. The following article gives a quick glimpse into the economics of stolen credentials over the years, the traders’ tools and the methods used to monetise them.

The fall of stolen credit cards

At the turn of the century, eCommerce and online services took a steep climb. Taking a ride to the bank in order to transfer funds from one account to another (during normal business hours) was replaced by a click of the mouse within the confines of your home, at the local coffee shop or from the airport on the way to catch a flight (at any time of the day). Application functionality soared, allowing anyone to become their own travel agent, thus avoiding the long summer lines.

As the availability and ease of use of online functions rose, users became accustomed to purchasing services with their credit card number. The volume of credit card details passed as traffic and stored in online locations that could be accessed from external sources was too much bait for criminals to pass up.

The criminal activity on this front sky-rocketed, as shown by research covering a 7-month period during 2006 that examined logs of IRC channels used by participants in online black markets. This research showed that of all the (illegally) exchanged data marked as “sensitive”, the vast majority was credit card numbers.

The asking price for a compromised credit card number ranged between $1 and $25 (depending on the size of the credit line associated with it). Most of the other “sensitive” data was composed of identifying details such as addresses, names and expiration dates, which all aid in the processing of a credit card transaction. During that time period, different user credentials (account names and passwords) were also shown to have passed through the channels, but these were relatively scarce.

Two years later, a Symantec report showed that stolen credit cards comprised 32 percent of all goods and services available for sale on underground economy servers. Due to massive data breaches, stolen credit cards became widely available and, as a result, the face value of individual credit card records decreased.

Credit card numbers were sold for as little as $0.06 per single card when sold in bulk. Bank account numbers (actually identifying debit cards) followed roughly behind stolen credit cards, fetching as little as $10 per account number. These numbers are easily explainable. Not only were stolen credit card numbers a main “commodity”, but monetising credit cards is also not as easy as it may sound.

adminuk