
Modern field guide to security and privacy

The identity underworld: How criminals sell your data on the Dark Web

Criminals can buy and sell your Social Security Number and the most intimate details of your personal life on sophisticated Internet forums.

Illustration by Kevin Munoz/Center for Identity

When Target was breached in 2013, it didn’t take long for credit and debit card data stolen from its systems to start flooding the underground forums and storefronts that trade in such merchandise.

One was Rescator – a black market outpost that former Washington Post reporter-turned-cybersleuth Brian Krebs discovered was selling more than 1 million of the stolen cards at prices ranging from $20 to $100.

Unlike the hundreds of other forums and shops selling stolen payment card data in the digital underworld, Rescator was different. Apart from the sheer quality of its “dumps,” or data from the magnetic stripe of cards, Mr. Krebs found Rescator’s website to be remarkably efficient and customer friendly.

The site offered potential buyers an opportunity to search for cards by the banks that issued them, by card type, expiration date, country, and by the type of data stored in different tracks in the magnetic stripe on the back of credit and debit cards. It offered buyers a way to check the validity of the stolen cards and claim refunds on cards that didn’t work.

Rescator even included a search feature by ZIP code and location of the stores from which the cards were stolen, a feature that Krebs found especially fascinating. It meant that Rescator was offering buyers a way to make same-state purchases using stolen cards without tripping typical fraud defenses where a financial institution might block transactions made from unfamiliar locations, especially after a major breach.

Rescator is one of many hundreds of increasingly sophisticated sites and forums where people can hawk stolen cards and other illegally obtained goods to those who want them. There are others, as well, with names such as the Republic of Lampeduza, McDumpals, and Blackstuff. These are the places where your stolen Social Security Numbers, bank account information, credit card data, and personal identity information are sold so thieves can use the data on your behalf – and leave you holding the bag.

A RAND study of the market for cybercrime tools shows that such markets are growing in size and complexity. A market that was once characterized by small networks of individuals fueled mostly by ego and notoriety has transformed into a playground for financially driven, highly organized cyber criminals, according to RAND. The profits to be made from these markets are potentially greater than the illegal drug trade with little of the associated risks.

The sheer number of players, their geographic spread, and the increasing use of encryption technologies and anonymizing services such as Tor make it hard to get a handle on the true size and scope of the market. But what is evident is that they pose a growing threat to governments, businesses, and average Internet users.

“These markets are rapidly growing and maturing,” says Lillian Ablon, coauthor of the RAND report. “They are continuously innovating and are full of increasingly sophisticated people largely tied to traditional crime organizations.”

The merchandise

What you can get in these markets depends on what you want to do with it – and how much exactly you are willing to pay for it.

Here, stolen credit cards are a commodity. Everyone sells them. They are available on carding forums, bulletin boards, and via storefronts where you can conduct business like you would at any Web store. Often all it takes to get started is a simple Web search. There are sites that tell you how to purchase stolen cards safely and there are sites that explain how to use them.

All you need to do to find them is plug in search terms such as “carder sites” or “carding sites.”

Carder sites are the barely underground places where the tens of millions of cards stolen from data heists such as those at Target and Home Depot end up being bought and sold. A lot of the supply also comes from countries such as Canada, Britain, Brazil, Argentina, and the country of Georgia, security researchers at Dell’s SecureWorks discovered when scoping out the underground market last year.

Individual cards used to be somewhat more valuable. These days there are so many of them floating around that prices have come down a bit. Still, there’s plenty of money to be made selling stolen debit and credit cards so long as you have enough of them. Prices start at less than $5 per card and go up to around $40 for the premium cards with high credit limits.

Priced to sell

Dell’s SecureWorks team, which has been tracking these markets for about three years, has a sampling of current prices. The typical US Visa and MasterCard currently retails in these markets for about $4 a card, which was what they used to fetch a year ago as well. But prices for US-issued Discover and American Express cards have come down by 25 percent and 15 percent, respectively. Last year you would have had to pay $7 for a stolen American Express and $8 for a Discover card. Now you can get them both for $6.

Cards issued outside the US cost substantially more. Dell pegs the price of the average Visa and MasterCard from the EU and Asia at between $18 and $20 per card, up from $15 a year ago. That’s a 15 to 25 percent hike in just a year. Underground markets are clearly not immune to inflation.

The reason that American-issued cards are cheaper is that there are a lot more of them than there are Chip and PIN cards used abroad, says David Shear, security researcher at SecureWorks. Data stored on the small microchips embedded in Chip and PIN cards is harder to steal and use fraudulently than data contained in magnetic stripe cards.

Thieves can also buy in bulk. Buy 10 cards and get them for $13 apiece. Buy 2,000 and get them for $9 a card. Some even throw in free hacking tutorials for bulk buyers.

Then there are the options for those who really want to live on someone else’s dime. For between $4,200 and $9,000, black market buyers can purchase credentials that give them access to high-quality accounts with verified balances of between $70,000 and $150,000. Then, it’s up to the crook to figure out how to siphon the money off without getting caught. And there’s even training for that. Tutorials are available for everything from basic carding to figuring out how to clean out a bank account. A full carder how-to manual costs around just $30, according to SecureWorks.

The motherlode

Then there’s the “fullz.” This is a record that gives a criminal everything needed to assume someone’s identity – their full name, date of birth, address, bank account information, and banking credentials. It costs just $30 for an American fullz and between $40 and $45 for a similar record from other parts of the world, according to Dell. That’s cheaper even than what a premium EU credit card would cost.

But that’s only because using fullz is riskier than using stolen credit cards, says Shear of SecureWorks. “It becomes a lot more personal, and the payoff is not as quick as you have to apply for a credit card, a loan, do other types of more complicated fraud,” he says. With one premium card you have the chance to make at least $1,000, usually by buying high-value items and then fencing them for 75 percent of the market value.

In recent months, many more types of counterfeit documents have started becoming available in the underground market, Shear and fellow researcher Joe Stewart discovered. Examples include complete identity kits, passports, fake driver licenses, and counterfeit utility bills. Anyone who wants to assume a new identity can buy a scan of a Social Security Number with name and address for $250. For an additional $100, they can get a fake utility bill as a second form of authentication.

The documents enable someone to apply for a fake bank loan, commit check fraud, file fraudulent tax returns, and carry out other kinds of nefarious activity, the researchers say.

Because of the many breaches in the past two years, retailers and banks have become stricter about IDs. So there’s growing demand for hard credentials such as a driver’s license, passport, and Social Security cards, Shear says.

The mall of malware

The larger storefronts and forums don’t just sell credit card data and identity credentials. They also offer malware or hackers for hire. The RAND survey found a staggering list of tools available in the black market, including security flaws for which there are no fixes available, ready-to-launch attack kits, and software for concealing and encrypting malicious software so they can’t be easily detected by security tools.

You can get pretty much everything you need to conduct a malware campaign without knowing a single thing about how the products work, says Ablon of RAND. “It’s easy for anyone to get involved. All you need is an Internet connection. It’s like going to Amazon and clicking and putting the items you want into your shopping cart.”

Prices for malware depend on a variety of factors, she says. Credentials for a Twitter account, for instance, can sometimes garner a better price than a stolen credit card because of the access it provides to the account owner’s contact list and the potential it offers for phishing them. Similarly, credit cards that are fresh off a large breach typically command a higher price because those are likely still active and can be used for fraudulent purchases.

In the same way, prices for exploit or attack kits can vary based on whether the kit is purchased or leased, what exploits are included and what kind of support services are provided, the RAND report noted.

SecureWorks pegs the current prices for tools that allow hackers to remotely control a compromised computer at between $20 and $50. Just a year ago, these same tools sold for $50 to $250. The surplus is driving down the price.

But exploit packs continue to be profitable. The Sweet Orange Exploit Pack, which is used to distribute various malicious tools that target browsers, costs $450 to lease for a week or $1,800 for a full month’s use. That’s peanuts compared to the Cool Exploit Kit from 2013, which together with encryption software and malicious payload cost buyers $10,000 per month to rent, according to RAND.

Somewhat surprisingly, there’s not a whole lot of protected health information on these sites – yet. Despite spiraling fears of medical identity theft and insurance fraud, that information continues to be a rare commodity in underground stores, says Ablon. But that could change. The recent massive breaches at Anthem and Premera Blue Cross suggest that attackers have turned their attention to healthcare data in a big way.

Evolving marketplace

The marketplace itself is fast evolving. There are stores dedicated to a single product or service while others offer a full gamut of stolen identity information, malware and hacking services. Many are online forums where individuals gather to either buy or sell stolen identity and card data or just talk shop. Quite a bit of selling takes place on forums. But usually they are more about exchanging tips, meeting other like-minded people, asking questions and networking with others, Shear says.

Some of these marketplaces have an enormous footprint and can reach tens of thousands of buyers from around the world. Finding them is often just a single Google search away. But breaking in can be tricky. Many require newcomers to have someone vouch for them, or they are limited in what they can do at least until they establish their credibility.

Slick organizations

What’s remarkable about the black markets is their meticulous organization. RAND found that site and forum administrators are at the top of the pecking order and are responsible for ensuring that business is conducted in a professional and discreet manner between buyer and seller.

Some of the bigger stores have intermediaries who act like an escrow service in holding buyers’ money until the buyer receives the promised product and has had an opportunity to test it. In other places, administrators hold the money till the buyer approves the transaction.

But these are still criminal forums and, well, run by crooks. Shear recounts a recent incident where the administrators of the Evolution Market, one of the largest and best organized carding sites, suddenly closed shop and disappeared with over $10 million in customer money.

Rippers and the feedback loop

Because there’s little way to enforce contractual guarantees and promises, the cyber underground is infested with so-called “rippers” who promise buyers goods and services that they never end up delivering.

But feedback mechanisms on forums and stores ensure that such fraudsters are quickly removed from the marketplace. Though there are no formal dispute resolution services for buyers, the forums allow buyers plenty of opportunity to provide feedback about their experience with a seller, says Thomas Holt, associate professor at the School of Criminal Justice at Michigan State University.

Holt was the coauthor of a 2014 report funded by the Department of Justice on the structure and organization of the international market for stolen data. Negative feedback, he says, is an effective mechanism in the cyber underground for keeping rippers somewhat at bay.

A large proportion of the forums and websites appear to be operated by East European gangs including those from countries like Ukraine, Romania, and Russia. Close to 20 percent appear to be operated by US-based groups.

Generally, the forums that are conducted in English tend to have a much greater proportion of negative feedback compared to Russian forums, indicating lower quality products and buying experience, Mr. Holt said.

Establishing a reputation can take time. Often, new sellers have to provide samples of their wares so buyers can test them before negotiating a purchase. Word of mouth validation and personal introductions are huge.

Forum members typically use e-mail, private Twitter accounts, Internet Relay Chat, and services such as Jabber to communicate and transact business. Stores give buyers an opportunity to browse through the store’s catalog of goods, choose what they want and pay using digital currency like bitcoins, all without interacting with anyone.

Taking on the Dark Web

Law enforcement has had its share of successes in taking down some of these sites in recent years. The best-known example is the takedown of Silk Road, a massive operation that dealt in narcotics trafficking, money laundering, and stolen documents.

But the fallout from these takedowns has been transitory at best, according to RAND. For instance, the 2013 takeout of Liberty Reserve, the digital currency service used widely in the underground, only spawned other currencies. Similarly, the shuttering of various carder forums resulted in others quickly moving in to take their space.

From a law enforcement standpoint, carding forums are hard to stop, Holt says. “If you were to take out a single person, that individual can easily be replaced by other vendors.”

But the payment mechanisms present an opportunity for law enforcement, he says. The goal should be to make it harder for criminals to pay or receive money for stolen merchandise, he said.

Holt and others say that law enforcement can be effective if they are sly enough about trapping criminals by setting up their own forums or infiltrating existing ones. That approach has worked before. In 2004 the Secret Service successfully infiltrated an operation called ShadowCrew and nabbed its leaders.

“Something like that is extremely effective,” says Holt. “It creates a great degree of distrust between buyers and sellers.”

Passcode produced this package of stories for the conference on the identity economy, hosted by the University of Texas at Austin's Center for Identity.
