Ever wonder what happens to your credit-card information after it’s been stolen? Not much is ever said about that. However, there are a few intrepid researchers and journalists who plunge into the digital underground to learn what happens to the millions of stolen credit-card numbers.
Over the past several years, I have exchanged emails with Brian Krebs, a well-known security blogger. On occasion, he has provided insight into what it meant for him to immerse in that world — from learning how to read Russian to suffering retribution from those he wrote about. The story of his exploits even appears to be headed for the big screen.
Like Krebs, Thomas J. Holt, an associate professor at Michigan State University, along with researchers Olga Smirnoav of Eastern Carolina University and Yi-Ting Chua also of Michigan State University, journeyed into the underground world of stolen-data markets. Their research culminated in the paper Examining the Structure, Organization, and Processes of the International Market for Stolen Data and a talk at this year’s Defcon.
Underground economy, internet style
There have always been underground economies. For example, the one that started right after Congress passed the 18th amendment, prohibiting the distribution and consumption of alcohol. Similar in nature, Krebs and the researchers found a thriving subterranean economy surrounding the sale of stolen data.
The research team wanted to learn about this particular economy: in particular, how information from stolen credit cards ended up being sold, how money exchanged hands, and how goods were distributed. To accomplish their goal, the academics analyzed 1899 threads generated from 13 web forums. Russian was the primary language on ten of the forums, and English the language preferred on the remaining three.
What kind of goods were for sale?
Of the 1,899 threads obtained by the researchers 84% referenced information pertaining to the following:
● CVV data from credit cards
● Dumps of bank account or credit card data
● Fullz: Electronic data from accounts like eBay and PayPal
● Methods to receive currency from these accounts on or off-line
● Malware and tools to expedite cybercrimes
Some of the terms may be confusing. Here are the definitions:
● CVV: The three to four digit number on the signature line of credit cards that enables the cardholder to make purchases without being present at the time of the transaction
● Dump: Stolen credit card or bank account number and the associated customer data
● Fullz: Dumps containing information associated with the account and account holder
The group averaged the prices for each stolen data type. In the US the cost per individual account was:
● CVV: $1.67
● Dump: $3.04
● Fullz: $3.47
Guarantors are necessary
Dealing in stolen property purveys an attitude that is not conducive to trust. Which is why the transaction process of having the customer put the money up first and then receive the product (stolen data of choice) was not popular. Seeing an opportunity, a job, the researchers called a guarantor, came to be. The paper explains:
A guarantor acts as an intermediary in a transaction by holding money on behalf of the buyer until such time as the seller releases the requested merchandise. Once the buyer confirms they have received their purchase, the guarantor releases the funds to the seller.
And like any other intermediary, those facilitating stolen-data transactions charged for their services. If the transaction was less that $500 the average rate was 8%, and over $500 the percentage dropped.
Forum moderators and or bouncers
Like most forums, moderators are needed to keep everyone in line and trouble to a minimum. If a forum member causes too much trouble, the moderator will inform those in charge to revoke the offending person’s site privileges. On many of the forums, the moderator checks the validity of the seller’s stolen goods and is in charge of seller ratings.
The research team mentioned that several of these forums have been in existence for years, signifying the process is working. If the number of data breaches continues to grow, stolen data forums will be busier than ever.
What is the answer?
The research team discussed possible solutions — all centered on disrupting the forums and payment processors. One payment processor, Liberty Reserve, was mentioned in the paper as being prosecuted in the US for money laundering. In this August 14 post, the Department of Justice mentioned the deputy to Liberty Reserve’s founder plead guilty to money laundering.