At the beginning of the decade, an interesting news piece titled “Stolen Twitter Accounts Can Fetch $1,000” raised a few eyebrows. On the face of it this seemed far-fetched, especially when compared against credit card details that, at the time, carried a price tag of less than $1. Are Twitter credentials really 1000 times more valuable than a pilfered credit card number? This article looks at why criminals want your credentials and how they turn them into hard cash.
The growth in stolen credit cards
At the turn of the century, peoples’ attitudes toward banking, shopping and communicating with friends dramatically changed – it went virtual. Application functionality soared and users became confident trading their credit card details for goods and services online. However, the increase in their numbers passing as traffic, and being stored in online locations often easily accessible from external sources, was far too tempting for criminals to resist. Breach reports rocketed and the asking price for a compromised card ranged between $1 and $25 (depending on its credit limit).
Move forward a couple of years and the sheer size of records compromised in subsequent data breaches affecting millions of cards has flooded the market and caused a collapse of their value to just $0.06 per card when bought in bulk. Bank account details haven’t fared any better, often fetching as little as $10 per account number. The reason? Making money from them is not as easy as it sounds.
Turning stolen details into cash
There are a number of ways criminals can make money from stolen credit card details:
- Purchase goods online, which are then sold
- Manufacture and sell plastic cards – however, this method incurs additional hardware expense, complexities and risks
- A somewhat creative method that’s growing in popularity is online transactions conducted by one criminal pretending to be two users – for example, frequenting online gambling sites. The compromised account ‘loses’ to the legitimate account, leaving the criminal free to cash in their ‘winnings’. It’s the same principle for stock manipulation through online trading sites, and completing fake transactions with PayPal, eBay, etc.
Bank account details command a relatively high price because they can be lucrative; however, earning from them is not easy and involves much higher risk. Often the criminal must visit the bank in person to complete transactions, chancing detection and detention.
Whether using stolen cards physically or over the internet, there is a time limit before the fraud is detected and the card cancelled, so criminals are always on the lookout for more profitable data.
The allure of online credentials
Symantec’s 2008 report on internet security threats records email accounts as the third most available virtual goods for sale, composed of username and password combinations. At $0.10 per credential, they were already more valuable than credit cards. The reason these credentials warrant a larger price tag? The opportunities they afford criminals are numerous:
- Once a webmail application is hacked, the criminal can scrap the victim’s address book and use those addresses in spam lists
- Taking it a step further, the criminal can send phishing messages from the compromised accounts, creating a more reliable effect and increasing the success probability of the scam
- The log-in details will often present criminals access to more than just the email application, as users tend to use the same combination for a multitude of accounts, such as social networking sites, and in some cases even online banking applications
- Stolen webmail accounts may further allow compromise of other credential sets through password recovery features within additional applications.
Sifting through the online underground channels, we see that not all webmail credentials are considered equal in the black market. The credentials to a Hotmail account may fetch a mere $1.50, while a Gmail account can fetch more than $80 per account. The latter is probably due to the wide variety of other cloud services that can be accessed through each Gmail credential – from personal or corporate GoogleDocs through corporate Google Analytics and even Webmaster tools.
Perceived as the crème de la crème, credentials to access social applications today command the highest price tag, as alluded to earlier. However, again, not all sites are equal, and the actual value is dependent on the popularity of the site, so Facebook accounts may command a higher value than another less-popular niche community sites, such as a weight loss forum.
Value also depends on the “popularity” of the account in question. This means that a Twitter account with hundreds of followers will be worth more than a Twitter account with just a dozen followers. The inherent viral behaviour of social networks, together with real-time updates in search engines, are primarily what makes stolen social network accounts the most valuable.
Honour among thieves
Cybercriminals need a place to buy and sell these illicit credentials, such as underground forums and IRC channels, although other private channels, including IM, are used. Separate forums exist for just about any type of malicious online activity: viruses, botnets, phishing, credit card numbers or webmail credentials, to mention just a few.
While an underground forum only establishes the initial match between the buyer and seller, who must proceed with dealings outside of the forum, IRC channels provide the complete marketplace and are seen as more secretive than underground forums. This is because they are not indexed by search engines, and instead rely on word of mouth.
The rising trend of stolen online application credentials is very real, and criminals are making substantial profits from their investments. Yet, for some reason, users still believe it is their credit card details that need protection, giving little thought to their social network credentials. With the realisation that your Twitter account details could be worth as much as $1000, do you really want to hand them over to criminals on a silver platter?
Amichai Shulman is co-founder and CTO of Imperva, where he heads the Application Defense Center (ADC), Imperva’s research organization focussing on security and compliance. Shulman regularly lectures at trade conferences and delivers monthly eSeminars. Under his direction, the ADC has been credited with the discovery of serious vulnerabilities in commercial web application and database products, including Oracle, IBM, and Microsoft. Prior to Imperva, Shulman was founder and CTO of Edvice Security Services Ltd., a consulting group that provided application and database security services to major financial institutions, including web and database penetration testing and security strategy, design and implementation. Shulman served in the Israel Defense Forces, where he led a team that identified new computer attack and defense techniques. He has BSc and master’s degrees in computer science from the Technion, Israel Institute of Technology.