In digital economy's online pwn shops, Australian credentials command a premium

Stolen Australian credit-card numbers and other credentials are commanding a premium over those from US and UK customers when sold in hidden online marketplaces, new research has found.

Intel Security's Hidden Data Economy Report – compiled by its McAfee Labs research team – found that online sellers of credit-card details were offering Australian payment card numbers, complete with CVV2 confirmation codes, for $US21 to $US25 each. This was comparable to just $US5 to $US8 per US credit-card number but less than the $US25 to $US30 charged for similar details of European cardholders.

Buyers could pay more for card numbers paired with corroborating personal details, with the cardholder's date of birth pushing prices to $US30 – twice the $US15 charged for US customers but less than the $US35 for EU credentials.

Provision of so-called 'Fullzinfo' – including full name, billing address, payment card number, expiration date, PIN number, social security number, mother's maiden name, date of birth, and CVV2 – pushed the price per Australian card record to an average of $US40, on par with Canada but ahead of the $US30 for US records and $US35 for UK records.

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” Intel Security EMEA CEO Raj Samani said in a statement.

“This 'cybercrime-as-a-service' marketplace has been a primary driver for the explosion in the size, frequency and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”

So-called 'dump tracks' – containing the information encoded on the card's magnetic stripe, including the PIN – commanded $US170 for Australian cards, compared with $US110 for US cards, $US160 for UK cards, $US180 for Canadian cards and $US190 for EU cards.

The analysis – which also weighed the cost of PayPal account credentials, bank-account details, full identity-theft credentials and login details for NetFlix and other content services – noted a range of approaches to the marketing of such information online. With prices for Hulu accounts as low as $US0.55, “criminals must move a lot of Netflix or Hulu accounts to make their efforts worthwhile,” the report's authors note.

Scammers were common but some organisations have gone so far as to offer replacement policies on accounts that are found to be different than advertised.

Read more: Cybersecurity, Meet SAM

Even more chilling for corporate security professionals is the availability of login credentials for accessing a range of corporate information systems at banks, airlines, universities, and even SCADA systems running at various infrastructure operators. This segment of the market, which feeds directly off of the massive surge in privileged-account hacking – represents a “very worrying trend”, the authors pointed out.

“Cataloging the available offers is impossible because the field is growing at a tremendous rate,” they continued. “The cybercrime industry may seem so far removed from everyday life that it is tempting to ignore the message. However, cybercrime is merely an evolution of traditional crime.”

“We must conquer our apathy and pay attention to advice for fighting malware and other threats. Otherwise, information from our digital lives may appear for resale to anyone with an Internet connection.”

The figures add new gravitas to ongoing reports of theft of credit-card and other personal details, which have become prime targets in the wake of the massive Target hack as criminals display their predilection for hacking major retailers. Kmart Australia and David Jones this month both confirmed having been hacked, while Russian hackers are said to be targeting Australian banking apps. Other recent financial-related targets include Samsung Pay, crowdsourcing site Patreon.

Join the CSO newsletter!

Error: Please check your email address.

Tags cyber attackspwn shopscredit-cardCVV2AustraliaCSO Australia

More about David JonesEUIntelIntel SecurityKmart AustraliaNetflixPayPalProvisionSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts