Holding masses of data, cybercriminals face new hurdles to cashing out

Hackers look for new ways to get higher margins on stolen data

Hackers are increasingly looking for new avenues to conduct fraud to increase their margins, and one fresh target is stealing loyalty card points and miles.

After Sony Pictures Entertainment's computer network was breached in late November, it appeared the hackers wanted to blackmail the company.

"We've got great damage by Sony Pictures," read an email sent to Sony executives. "The compensation for it, monetary compensation we want."

Apparently Sony Pictures didn't give the hackers what they wanted, and gigabytes of data were posted online, including a spreadsheet of all of the company's employees and their salaries.

Though the Sony hackers apparently did not get what they wanted, data clearly has a value. But determining its value depends on a variety of factors. And it's not as easy as it used to be to cash out.

Home Depot lost 56 million payment card numbers and 53 million email addresses between April and September in one of the largest data breaches on record. Batches of stolen card numbers soon appeared on underground forums, priced according to the potential cash-out value.

But banks are acting faster than ever to shut down compromised cards, meaning fraudsters have to steal ever-larger batches of numbers to compensate for lower margins.

For example, if 10,000 cards are stolen, as few as 100 may have the potential for a successful cash out and maybe 10 cards will actually be productive, said Alex Holden, founder and chief information security officer for Hold Security, a Wisconsin-based company that specializes in finding stolen data on underground websites.

It's also become more complicated to steal card numbers because of better cybersecurity defenses, he said.

Hackers need email lists of potential victims, spam messages crafted to evade filters and specialized malware that can slip past antivirus software. Similar to the gold rush, where many profited by selling shovels and mining equipment, there's a healthy trade in such lists and tools. But those expenses all ultimately come out of a hacker's bottom line.

"You can no longer do an operation by yourself," said Holden, whose company discovered data breaches affecting Target and Adobe Systems. "Every person in that chain wants to get paid."

One way fraudsters have attempted to expedite cashing out on stolen card data is by creating bogus merchant accounts with payment processors. That way, cards can be charged to fake businesses in transactions that appear real before card companies have a chance to shut down the numbers.

IntelCrawler, a Los Angeles-based security company, found an advertisement for such a system called the "Voxis Platform." The program lets scammers potentially increase the profit from their illegal gains by scheduling amounts to be charged at certain times to the payment processors.

"Cybercriminals don't have enough resources to monetize stolen data in big volumes," said IntelCrawler CEO Andrew Komarov via email. "It really has a small margin, and it is pretty complicated to resell it in big amounts."

Hackers are also diversifying their targets, capitalizing on the weak defenses of corporate systems.

Hackers are no longer just interested in credit card information, said Stephen Cavey, founder and director of corporate development at Ground Labs, which develops tools for organizations to flag spots in their networks where sensitive data may be stored insecurely. "Now it's about stealing as much personal information that they can get their hands on."

Cavey said he's heard of stolen personal information being used to obtain money from a variety of companies that offer quick, so-called payday loans over the Web. The fraudster's goal is to provide the loan company with as much information as possible to look legitimate and evade risk controls.

Trying to blackmail data-theft victims is another way to make cash. But it's unlikely that large companies such as Sony Pictures would pay a group of hackers not to release data. There's no guarantee that the hackers wouldn't come back with more demands later.

One scam that has resulted in payoffs involves encrypting an organization's data and demanding a ransom. Ransomware has been around for as long as a decade, but the fraud continues due to its success. Computers are infected with malware, which sets to work encrypting files on hard drives.

The only real defense against ransomware such as Cryptolocker is to ensure that data is backed up. Otherwise, it could cost around $500 per computer, payable in bitcoin, to get the decryption key from hackers. In some cases, hackers haven't bothered supplying the decryption key after they've been paid, adding to victims' frustration.

For the near future, Holden says he's seeing increasing interest in the travel industry, with scammers stealing air miles and other loyalty-oriented rewards.

The travel industry is "very loosely controlled," Holden said. Some fraudsters have already created fake travel agencies, he said. Victims who stumble across those agencies divulge lots of personal information, credit card numbers and loyalty card accounts.

Loyalty miles and points can be cashed out in a variety of ways. The points can be redeemed for items offered through the program, or can be transferred to gift cards, according to a screenshot from a vendor on an underground forum found by IntelCrawler.

Depending on the airline, reward accounts are updated between two and 30 days, the forum posting notes. This gives hackers ample time to redeem stolen points.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk
