
Tuesday, June 28, 2005

 

Market for Stolen Credit Data Thrives Online

"Want drive fast cars?" asks an advertisement in broken English atop the Web site iaaca.com. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from ZoOmer."
A "dump," in the blunt vernacular of a relentlessly flourishing online black market, is a credit card number. And what ZoOmer is peddling is stolen account information -- name, billing address, phone -- for Gold Visa cards and MasterCards, at $100 apiece. It is not clear whether any information stolen from CardSystems Solutions, the U.S. payment processor that was reported on Friday to have exposed 40 million credit card accounts to possible theft, has entered this black market.

But law enforcement officials and security experts say it is a safe bet that it will eventually be peddled at sites like www.iaaca.com, its very name a swaggering shorthand for International Association for the Advancement of Criminal Activity. Despite years of security improvement and tougher, more coordinated law enforcement efforts, the information that criminals siphon -- credit card and bank account numbers and whole buckets of raw consumer information -- is boldly hawked on the World Wide Web.

Its value arises from its ready conversion into online purchases, counterfeit card manufacture or more elaborate identity-theft schemes. The online trade in credit card and bank account numbers, as well as other consumer information, is highly structured. There are buyers and sellers, intermediaries and even service industries. The players come from all over the world, but most of the Web sites where they meet are run from computer servers in the former Soviet Union, making them difficult to police.

A wealth of institutional knowledge and shared wisdom is doled out to newcomers seeking entry into the market, like how to move payments and the best time of the month to crack an account.

In the United States alone, the Federal Trade Commission estimates, about 10 million Americans have their personal information pilfered and misused in one way or another every year, costing consumers $5 billion and businesses $48 billion annually. "There's so much to this," said Jim Melnick, a former Russian affairs analyst for the Defense Intelligence Agency, now the director of threat development at iDefense, a company in Reston, Va., that tracks cybercrime. "The story that needs to be told is the larger, long-term threat to the American financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."

It is not clear just how many cards and account numbers actually make it to the Internet auction block, but law enforcement agents consistently describe the market as huge. Every day, at sites like www.iaaca.com and carderportal.org, pseudonymous vendors conduct business in an arcane slurry of acronyms. Alongside advertisements for various scams are pitches from code writers who sell their services to con artists known as phishers, who contract with spammers to send out millions of increasingly sophisticated phony e-mails designed to lure victims into revealing account information.

A phishing operation might bring in thousands of account numbers along with other identifying details: names, addresses, phone numbers, passwords, mothers' maiden names. The richer the detail, and the higher the account balance, the better the asking price. According to Mark Rasch, a former chief of cyberinvestigations for the Justice Department and now the senior vice president of Solutionary, a computer security company, the numbers taken in the CardSystems breach -- at least 200,000 are said to have been in the stolen files -- are almost certain to end up in one of these trading venues.

CardSystems represented a vital hub through which millions of account numbers passed. ChoicePoint, a data aggregator, was another gold mine; it announced in February that thousands of records had been downloaded from its databases by thieves posing as legitimate business clients -- no hacking required. For all the information that law enforcement and security experts can glean from sites like www.iaaca.com, "there are whole marketplaces of bulletin board systems and chats that are invisible," Rasch said. Still, law enforcement says it has made inroads. In October, the Justice Department and the Secret Service announced the internationally coordinated arrests of 28 people in eight U.S. states and several other countries, including Sweden, England, Poland, Belarus and Bulgaria.

Among those arrested were the alleged ringleaders of www.shadowcrew.com, the largest English-language Web bazaar trading in stolen credit card, debit card and bank account numbers, counterfeit drivers' licenses, passports and Social Security cards, according to the Justice Department. The investigation broke up a 4,000-member underground that, the department says, bought and sold nearly 2 million credit card account numbers in two years and caused more than $4 million in losses to merchants, banks and individuals.

But eight months later, the traders have adapted and resumed business, though they seem a bit more wary now, said John Watters, chief executive of iDefense, which generates cybercrime intelligence for government and financial industry clients. "The next battle will be substantially harder," Watters said. "It's getting harder for us to do our job." Asked at a symposium late last month whether law enforcement was losing the battle against cybercriminals, Brian Nagel, assistant director for investigations at the U.S. Secret Service, said no.

But another panel member, Jody Westby, managing director for security and privacy practice at PricewaterhouseCoopers, disagreed, insisting that, based on Federal Trade Commission statistics on identity and credit card theft, only about 5 percent of cybercriminals are ever caught.
Westby offered a bleak assessment. "We're not making an impact," she said. "The criminals are too hard to track and trace, too hard to prosecute, and the information they steal is too easy to use."


Brought to you by the Guardian eCommerce Privacy Seal Program.




