CXO

Underground marketplace sells your personal data for a hefty profit

Always been skeptical of those astronomically high monetary figures quoted by the media in cases of information theft or unintended disclosures? Same here. The discover of by McAfee security researcher Francois Paget of an underground marketplace touting top-quality information though, could perhaps narrow the incredulity gap a little.

Always been skeptical of those astronomically high monetary figures quoted by the media in cases of information theft or unintended disclosures? Same here. The discovery by McAfee security researcher Francois Paget of an underground marketplace touting top-quality information though, could perhaps narrow the incredulity gap a little.

The information being sold appears to be heisted from legitimate users via spyware.

Data Crime

Francois gave a running commentary of the above diagram in his blog post:

As you can see in the following screenshot, pricing depends on available balance, bank organization and country. Additional information such as PIN and Transfer Passphrase are also given when necessary. For such prices, the seller offers some guaranties. For example, the purchase is covered by replacement, if you are unable - within the 24 hours - to log into the account using the provided details.

In fact, if you are more of a credit card fraud kind of person, U.S., Austrian and Spanish credit cards with full information, including cw2 validation details and SSN are available in packs of 10. Want to do the dirty job yourself? Skimmers designed for fitting onto ATM machines or "dump tracks" to create your own fake cards can also be acquired.

I wonder what payment options are available for folks who are interested. You think they accept Visa or Mastercard?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

20 comments
mlunney1
mlunney1

I have a very simple program. I am paranoid, but I sometimes lie awake at night wondering if I am paranoid enough or not. While I do a lot of shopping on the Internet because I live in Ontario, Canada, away from the major population centers and the stores. I don't use my bank issued VISA card. I got a pay-as-you-go MasterCard from MoneyMart. If I am going to buy something at Amazon, I figure out the price with taxes, and we pay a lot of taxes in Ontario, then I go to the MoneyMart and give them that much plus about $10 more for their service charges. Naturally, I only place big orders so as to minimize the impact of those charges, and to get a better rate on the shipping. I black out with a nice Magic Marker any possible personal information on anything that I am sending to the recycling room in my condo and at work, and then I shred that. This is what I mean when I say I am paranoid. However, while every single one of my siblings but one has been stung, notwithstanding my sage advice, it is worth noting that anyone who has done as I have done has not been stung. At least not yet. Michael Lunney

turtle-sf
turtle-sf

Major credit card banks, if you hold their card, gives you an option to create virtual (single-use) credit card numbers for online shopping. The numbers have short expiration term. The value of virtual card is charged on you main [plastic] card. No fees and extra charges.

RealGem
RealGem

I've always wondered how much you get for basic personal information used for forging false id. That could include health numbers, SINs, addresses, drivers license numbers, and all that stuff. As an IT manager, that would help me assess the "market value" of the information assets that I am responsible for and thus I would know how big a target we are. And, is some info (like SIN) more valuable than others (like address)? Anybody know anyplace to get info like that?

jackintheback
jackintheback

Somethings prevent me from encouraging this behavior, (using OPM(other peoples money) or identity). Its understandable that if someone makes a purchase for more than cash on hand, They are subject to screening. From there, it turns into a grey area due to credit reports and past payment histories. Its too bad that a governmental data source cannot exist to account for the security of this dynamic due to the "privacy" factor. Taxpayers, Businesses, and Consumers suffer the threat and consequences of Identity Misuse Its Hard Enough to teach future generations survival skills and techniques of longevity.

paulmah
paulmah

I wonder what are the payment options available for folks who are interested. You think they accept Visa or Mastercard?

sleepin'dawg
sleepin'dawg

This is now so very, very, old. Tell us something new, not a rehash of stuff that's been around for a few years now. :p [b]Dawg[/b] ]:)

Tony Hopkinson
Tony Hopkinson

I went into finance a car, so they did a credit check on me. It got bounced because they spelled my name wrong. The following week, I go a letter from every credit/loan seller in the UK desperate to make sure Tony Hopkins, bought something off them. No waiver signed , no agreement, no nothing. They put my name in right, got my finance and another two tonnes of f'ing junk mail, this time with the correct name on. It was all a computer error of course. :p

tungstendiadem
tungstendiadem

Should I burry cash and gold coins in coffee cans? Or just write congress and demand they reappropriate spending to address this problem?

turtle-sf
turtle-sf

Sure thing: write congress and wait until crooks post their accounts - then action is guarantied.

mlunney1
mlunney1

Tragically, I wrote to my Member of Parliament about this more than a year ago, and I am still waiting for a reply. But we don't have an election planned in Canada for this year, so no big surprise. As pathetic as it sounds, it won't be until a bunch of influential law makers get nailed that any legislation will be introduced to either Congress in the US or Parliament in Canada. If I am reading the British magazines like PC Pro correctly, they are waiting for their Parliament to do something as well. Perhaps we could have a volunteer? (Just Kidding)

apotheon
apotheon

"[i]Should I burry cash and gold coins in coffee cans?[/i]" Keeping cash is a really bad idea. It depreciates in value rapidly. Gold, meanwhile, has been climbing in value pretty steadily for a long time -- especially recently. "[i]Or just write congress and demand they reappropriate spending to address this problem?[/i]" I think you know how bad an idea that would be.

apotheon
apotheon

Of course they'd accept Visa and Mastercard. The problem is that, after you pay with your credit card, you'd find your card information for sale the next day.

m61
m61

...buy your own information?

apotheon
apotheon

I'm pretty sure they wouldn't care who bought it -- as long as they got money for it.

svasani
svasani

Paypal and Western Union

Drive Guy
Drive Guy

Would have been a much shorter film.

Eoghan
Eoghan

Of course its an underground marketplace, you don't expect them to be advertising in the NYT or Washington Post, do you? Or would they have a clean record at the Better Business Bureau? Highly unlikely.

faiz204
faiz204

i dont think they will accapt credit cards........ i u can see they will only be goin through cash...... coz credit cards can be traced n will b a lot vulnarable!!!!!!!!!!!!!!!

Editor's Picks