What's your life worth to an ID thief?


Prices are hugely variable, as David Emm, senior technology consultant with Kaspersky Lab UK explains. "Prices for stolen confidential data in the 'dark market' vary depending on the conditions at play in the market," he says.

"In this respect, cybercrime markets are like any other - prices vary depending on supply and demand, the activities of law enforcement agencies and anti-malware vendors, and so on. For example, the prices for stolen online games characters and virtual assets have been falling as the market becomes more saturated."

The more you do, the more your identity is worth. "Overall, my 'value' in the dark market will also depend on the size of my overall online footprint," Emm says. "Do I just bank online? Or do I also shop online frequently? Or do I also socialise using Facebook, Twitter and so on? Even if I do none of these things, I still have value for cybercriminals - they can use my computer to deliver spam, or as part of a distributed denial of service attack on an online organisation."

The rate for that? Just $15 for 10,000 infected PCs. If price is a reflection of supply and demand, the news that the price of off-the-shelf attack kits is falling is deeply worrying.

McAfee's latest Underground Economy report found that some exploit packs - collections of tools that can be used to inject code into websites to intercept data or reroute browsers - were changing hands online for as little as $25. Most tools are more expensive than that, but not by much: most off-the-shelf tools go for a few hundred dollars.

Those tools aren't just affordable - they're very effective. Kevin Bocek is product director with IronKey. "The proliferation of tools available to criminals like Zeus, SpyEye, OddJob, Sunspot and many more to directly harvest details is enabling criminals to immediately monetise their stolen information," he says.

"They may then look to resell this information to other criminals, but the tools have made sophisticated and successful attacks much easier for individual gangs to perpetrate their crimes."

Bulk buys

Data for sale

Most of our information is traded in bulk, with discounts for big purchases and regular customers. McAfee found that 500 Twitter accounts will net $65, while $100 gets you 1,000 MySpace logins and $160 pays for 10,000 AOL logins.

The biggest market is for email addresses, where accounts are traded for tiny sums. One hundred unverified Gmail logins are worth $20, rising to $120 for 1,000 accounts, while verified accounts are worth slightly more: $30 for 100 or $190 for 1,000.

Hotmail accounts are worth considerably less - $150 will net you 10,000 verified Hotmail addresses - and you can pick up 100 Yahoo email addresses for as little as $3. If you're not fussed about which email provider your addresses come from, Eddy Willems suggests that "one million verified email addresses range from around €30 to €250."

McAfee agrees, reporting figures of around $100 for one million addresses, and $1,500 for 32 million addresses. You can pick up email addresses for next to nothing because the amount of information they offer for exploitation is fairly basic.

When it comes to sharing our online information, the real money's in money.

Cloning cards

Cloning cards

Your credit card is worth less than you might think. As David Emm explains, "Credit cards could fetch as little as $2 or as much as $50, depending on accompanying data like the CVV number, the available balance on the card and so on."

Prices vary from territory to territory too, so a UK card will command a higher price than a US one, and a central European card will command more still. "The higher the protection, the higher the possibility that you can use the details to gain money and the more it costs," Willems says.

Another reason for the disparity in prices is wealth. "The UK has a lot of wealthy people, and if you compare that with the US there's a real difference."

Credit card details are known online as 'dumps', which means the information copied from the magnetic strip on the back of your card. A UK dump including your card number, your full name, address, postcode, expiry date and CVV code costs around $4.

McAfee found that US cards with the same accompanying data are sold for $2, Canadian ones $4, Australian ones $7 and European and Asian cards $8. The more information is supplied, the more it costs.

The same card details with associated PayPal logins, bank details, dates of birth and so on command $25 for UK cards, $30 for German and Italian ones and $15 for American ones. A PIN code can treble the value of a card, while the combination of a PIN and a good available balance increases the price of a European Gold credit card from around $45 to $250.

A standard credit card with 'fullz' and 'COB' - that is, a card with all the associated information you need to use that card online and a login you can use to change the shipping/billing address - is around $200 for a US card.

Stolen to order

You can even buy custom data, like logins for a specific bank. That will cost you a $1,000 up-front payment and another $4,000 when the project is ready to go, and the price is already falling.

"Recent advertisements on underground forums are offering $2,000 per bank attack," Kevin Bocek says. "Hundreds or thousands of bank customers can be attacked easily, so the value of individual records is being driven down."

Gerhard Eschelbeck is Chief Technical Officer with Webroot. "Similar to a market economy, prices of online identities are a reflection of supply and demand, and vary from pennies to hundreds of pounds per unit," he explains. "Quality factors like verified-as-still-valid accounts, as well as accessible content (monetary or information) also drive pricing of online identities. The popularity of the application or account is also driving the cost of such stolen identities."

Where things get dangerous is when one account can be used as a key to unlock several others. "Sometimes a low priced identity can also yield access to multiple high priced accounts," Eschelbeck says, "especially if users are using the same password for different services."

It's a similar story with physical documents, as David Emm explains. "Higher prices are fetched for bundles of stolen IDs," he says, describing one market for stolen ID where "a UK passport was offered for €750. With a driving licence the price was €850, and with a licence and a photo ID card it was €950."

Who's sharing your stuff?

"Cybercrime is now a part of global organised crime," Kevin Bocek explains. "Cyber gangs are multi-tier, multi-national organisations."

Eddy Willems agrees. "You'll always have kids trying to steal or create malware, but most ID sharing is big business. You'll have programmers, people actually selling the information - two or three guys selling whatever their malware has intercepted, and even creating websites to sell it. It's a pretty well-organised business, because you can only make money if you're organised."

Thanks to the internet, criminals have a global reach - but they tend to be concentrated in specific areas. "It's more or less the same marketplace where you'll find back-door trojans and things like that," Willems says. "South America is big, and a lot of business is done in Asia now. Selling is mainly done on sites you can find in the USA."

You'll also find significant levels of activity emanating from Russia and Eastern Europe. The latest Symantec Internet Security Threat Report found that the average number of identities exposed in a corporate data breach is a massive 260,000, but even that's tiny compared to the millions of accounts exposed when Sony's PlayStation Network (PSN) was compromised earlier this year.

As Eddy Willems points out, "if you look at the big Sony hack, not only do you have the email addresses, you also have the passwords. If you have enough people, they can try these logins on other sites - Facebook and so on."

Such tactics will continue to be effective as long as most people don't take the security of their online accounts seriously.

"Most people just use one or two passwords," Willems says "That's the problem - if you look at it carefully, you could try a specific attack on a specific company. We have been very lucky. So far, the people behind the attacks are not too clever, and they haven't gained access to more data. It could be much more dramatic."


First published in PC Plus Issue 311. Read PC Plus on PC, Mac and iPad

Liked this? Then check out Hacking tools you can use to protect your PC

Sign up for the free weekly TechRadar newsletter
Get tech news delivered straight to your inbox. Register for the free TechRadar newsletter and stay on top of the week's biggest stories and product releases. Sign up at http://www.techradar.com/register

Follow TechRadar on Twitter* Find us on Facebook