Stolen Australian credit-card numbers and other credentials are commanding a premium over those from US and UK customers when sold in hidden online marketplaces, new research has found.
Intel Security's Hidden Data Economy Report – compiled by its McAfee Labs research team – found that online sellers of credit-card details were offering Australian payment card numbers, complete with CVV2 confirmation codes, for $US21 to $US25 each. This was comparable to just $US5 to $US8 per US credit-card number but less than the $US25 to $US30 charged for similar details of European cardholders.
Buyers could pay more for card numbers paired with corroborating personal details, with the cardholder's date of birth pushing prices to $US30 – twice the $US15 charged for US customers but less than the $US35 for EU credentials.
Provision of so-called 'Fullzinfo' – including full name, billing address, payment card number, expiration date, PIN number, social security number, mother's maiden name, date of birth, and CVV2 – pushed the price per Australian card record to an average of $US40, on par with Canada but ahead of the $US30 for US records and $US35 for UK records.
“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” Intel Security EMEA CEO Raj Samani said in a statement.
“This 'cybercrime-as-a-service' marketplace has been a primary driver for the explosion in the size, frequency and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”
So-called 'dump tracks' – containing the information encoded on the card's magnetic stripe, including the PIN – commanded $US170 for Australian cards, compared with $US110 for US cards, $US160 for UK cards, $US180 for Canadian cards and $US190 for EU cards.
The analysis – which also weighed the cost of PayPal account credentials, bank-account details, full identity-theft credentials and login details for NetFlix and other content services – noted a range of approaches to the marketing of such information online. With prices for Hulu accounts as low as $US0.55, “criminals must move a lot of Netflix or Hulu accounts to make their efforts worthwhile,” the report's authors note.
Scammers were common but some organisations have gone so far as to offer replacement policies on accounts that are found to be different than advertised.
Read more: Cybersecurity, Meet SAM
Even more chilling for corporate security professionals is the availability of login credentials for accessing a range of corporate information systems at banks, airlines, universities, and even SCADA systems running at various infrastructure operators. This segment of the market, which feeds directly off of the massive surge in privileged-account hacking – represents a “very worrying trend”, the authors pointed out.
“Cataloging the available offers is impossible because the field is growing at a tremendous rate,” they continued. “The cybercrime industry may seem so far removed from everyday life that it is tempting to ignore the message. However, cybercrime is merely an evolution of traditional crime.”
“We must conquer our apathy and pay attention to advice for fighting malware and other threats. Otherwise, information from our digital lives may appear for resale to anyone with an Internet connection.”
The figures add new gravitas to ongoing reports of theft of credit-card and other personal details, which have become prime targets in the wake of the massive Target hack as criminals display their predilection for hacking major retailers. Kmart Australia and David Jones this month both confirmed having been hacked, while Russian hackers are said to be targeting Australian banking apps. Other recent financial-related targets include Samsung Pay, crowdsourcing site Patreon.