Saturday, September 18, 2010

Your email IDs, passwords on sale online




There’s a full-fledged underground marketplace on the Web for all the things considered most secure: your email IDs and passwords, online banking passwords, mobile numbers and related authentication details. What’s more, the ‘merchandise’ can be custom-ordered too. ET gives the ‘product’-wise rate list: credit card CVVs, dates of birth, fraudulent phone call services, flooding software, and a full Trojan-making set.
The underground e-Commerce crackers’ marketplace 

CVV2 Data Sets 

$1.50 - $3.00 

The CVV2 data set consists of a credit card’s 16-digit PAN, CVV2 code, expiration date, billing address and embossed name. 


SSN (Social Security Number) 
DOB (Date of Birth) 

$1.50 - $3.00 per query 
SSN: $1.00 - $3.00
DOB: $1.00 - $3.00

These personal details are very often used by banks to authenticate an individual’s identity. 

Online Banking Logins 

$50 - $1,000 per account, depending on the account balance 

After obtaining these credentials, fraudsters would normally attempt to cash the account out by completing wire transfers to accounts. 

‘Fulls’ Data Sets 

$5.00 - $20.00 per set 

‘Fulls’ information includes the full details: username and password, mailing address, card number, CVV2 code, card’s expiration date, MMN, DOB, SSN.

Fraudulent Phone Calls 

$10.00 - $15.00 per call (Prices vary according to the destination of the call) 

Completed by Fraudster Call Centers, fraudulent phone services are offered to cybercriminals as a means to overcome language barriers for those who need to impersonate the account holder. 

SMS or Phone-Flooding Services (aka Telephony DoS/ TDoS) 

$25.00 - $40.00 per 24 hours of phone-flooding 

Phone-flooding is usually performed in order to render a consumer’s mobile phone unavailable for incoming authentication calls or SMS text messages sent from the bank. 

DDoS Attack Service 

$50.00 per 24 hours of website-flooding. 

A ‘Distributed Denial of Service’ attack is an attempt to make a computer resource unavailable to its intended users by overloading, or “flooding”, its bandwidth with an overwhelming volume of web traffic.

CC Checking/ Verification 

$0.40 per check
$20.00 for 50 checks
Prices may vary widely.

CC (credit card) checkers are used by cybercriminals to verify the validity of the compromised payment cards. 

Bulletproof Hosting 

$87-$179 per month 

Bulletproof hosting is a hired service used by cybercriminals to host malicious content on the web. Bulletproof sites are much harder for law enforcement to take down.

Track 2 Data (aka “Dumps”) 

Classic/ Standard cards: $15 - $20 
Gold/ Platinum cards: $20 - $80 
Worldwide/ Business/ Corporate/ Signature: $30 - $40 

‘Track-2’ information is found on a payment card’s magnetic stripe. By purchasing ‘dumps’, fraudsters can produce counterfeit payment cards that can be used in stores. 

Zeus Trojan Kit 

Zeus Kit: $3K - $4K
Backconnect: $1,500
Firefox form grabber: $2,000
Jabber (IM) chat plug-in: $500

It is one of the most pervasive banking Trojans with an infection rate of thousands of computers per day.

SpyEye Trojan Kit 

Basic kit: $1,000
Firefox Injection tool: $1,000 - $2,000

One of the most advanced Trojans. It has its own IE and Firefox HTML injections, pre-defined bank triggers and a growing list of unique features. SpyEye has been 2010’s biggest Trojan innovation. 


Source: RSA's fraud action intelligence team; Online Fraud Report 2010
