Exploring The Underground Credentials Market

Due to the difficulties of monetising stolen credit cards, fraudsters are turning to other data sources to gain illicit monetary advantage, says Amichai Shulman

The beginning of the decade presented the online security community with an interesting news piece entitled “Stolen Twitter Accounts Can Fetch $1,000”. On the face of it, this seemed far-fetched, especially compared to credit card details, which were selling at the time for less than $1. Are ill-gotten Twitter credentials 1,000 times more valuable than a pilfered credit card number?

While somewhat exaggerated, this comparison definitely coincides with the latest trend in the stolen data market. This article gives a quick glimpse into the economics of stolen credentials over the years, the traders’ tools and the methods used to monetise them.

The fall of stolen credit cards

At the turn of the century, eCommerce and online services took a steep climb. Taking a ride to the bank in order to transfer funds from one account to another (during normal business hours) was replaced by a click of the mouse within the confines of your home, at the local coffee shop or from the airport on the way to catch a flight (at any time of the day). Application functionality soared, allowing anyone to become their own travel agent, thus avoiding the long summer lines.

As the availability and ease of use of online functions rose, users became accustomed to purchasing services with their credit card number. The volume of credit card details passed as traffic and stored in online locations that could be accessed from external sources was too much bait for criminals to pass up.

The criminal activity on this front sky-rocketed, as shown by research conducted on logs of IRC channels used by participants in online black markets, which took place over a 7-month period during 2006. This research showed that, of all the (illegally) exchanged data marked as “sensitive”, the vast majority was credit card numbers.

The asking price for a compromised credit card number ranged between $1 and $25 (depending on the size of the credit line associated with it). Most of the other “sensitive” data was composed of identifying details such as addresses, names and expiration dates, which all aid in the processing of a credit card transaction. During that time period, different user credentials (account names and passwords) were also shown to have passed through the channels, but these were relatively scarce.

Two years later, a Symantec report showed that stolen credit cards comprised 32 percent of all goods and services available for sale on underground economy servers. Due to massive data breaches, stolen credit cards became widely available and, as a result, the face value of individual credit card records decreased.

Credit card numbers were sold for as little as $0.06 per single card when sold in bulk. Bank account numbers (actually identifying debit cards) followed roughly behind stolen credit cards, fetching as little as $10 per account number. These numbers are easily explained. Not only were stolen credit card numbers a main “commodity”, but monetising credit cards is not as easy as it may sound.