There’s a full-fledged underground marketplace on the Web for all things considered most secure: your email IDs and banking and passwords, online banking passwords, mobile numbers and related authentication details. And what’s more the ‘merchandise’ can be custom-ordered too. ET gives the ‘product’-wise rate list: credit card CVVs; dates of birth and fraudulent phone call service; flooding software, and a full trojan making set.
The underground e-Commerce crackers’ marketplace
CVV2 Data Sets
$1.50 - $3.00
The CVV2 data set consists of a credit card’s 16-digit PAN, CVV2 code, expiration date, billing address and embossed name.
SSN (Social Security Number)
DOB (Date of Birth)
$1.50 - $3.00 per query
SSN: $1.00 -$3.00
DOB: $1.00 -$3.00
These personal details are very often used by banks to authenticate an individual’s identity.
Online Banking Logins
$50 - $1,000 per account, depending on the account balance
After obtaining these credentials, fraudsters would normally attempt to cash the account out by completing wire transfers to accounts.
‘Fulls’ Data Sets
$5.00 - $20.00 per set
‘Fulls’ information includes the full details, username and password), mailing address, card number, CVV2 code, card’s expiration date, MMN, DOB, SSN.
Fraudulent Phone Calls
$10.00 - $15.00 per call (Prices vary according to the destination of the call)
Completed by Fraudster Call Centers, fraudulent phone services are offered to cybercriminals as a means to overcome language barriers for those who need to impersonate the account holder.
SMS or Phone-Flooding Services (aka Telephony DoS/ TDoS)
$25.00 - $40.00 per 24 hours of phone-flooding
Phone-flooding is usually performed in order to render a consumer’s mobile phone unavailable for incoming authentication calls or SMS text messages sent from the bank.
DDoS Attack Service
$50.00 per 24 hours of website-flooding.
A ‘Distributed Denial of Service’ attack is an attempt to make a computer resource unavailable to its intended users by overloading, or “flooding” its bandwidth with an overwhelming volume of web traffic.
CC Checking/ Verification
$0.40 per check
Prices may vary widely.
$20.00 for 50 checks
CC (credit card) checkers are used by cybercriminals to verify the validity of the compromised payment cards.
Bulletproof Hosting
$87-$179 per month
Bulletproof hosting is a hired service used by cybercriminals to host malicious content on web. Bulletproof sites are much harder for law enforcement to take down.
Track 2 Data (aka “Dumps”)
Classic/ Standard cards: $15 - $20
Gold/ Platinum cards: $20 - $80
Worldwide/ Business/ Corporate/ Signature: $30 - $40
‘Track-2’ information is found on a payment card’s magnetic stripe. By purchasing ‘dumps’, fraudsters can produce counterfeit payment cards that can be used in stores.
Zeus Trojan Kit
Backconnect $1,500
Firefox form grabber $2,000
Jabber (IM) chat plug-in $500
It is one of the most pervasive banking Trojans with an infection rate of thousands of computers per day. Zeus Kit: $3K - $4K
SpyEye Trojan Kit
Basic kit- $1,000
Firefox Injection tool $1,000-$2,000
One of the most advanced Trojans. It has its own IE and Firefox HTML injections, pre-defined bank triggers and a growing list of unique features. SpyEye has been 2010’s biggest Trojan innovation.
Source: RSA'S fraud action intelligence team; Online Fraud Report 2010
The underground e-Commerce crackers’ marketplace
CVV2 Data Sets
$1.50 - $3.00
The CVV2 data set consists of a credit card’s 16-digit PAN, CVV2 code, expiration date, billing address and embossed name.
SSN (Social Security Number)
DOB (Date of Birth)
$1.50 - $3.00 per query
SSN: $1.00 -$3.00
DOB: $1.00 -$3.00
These personal details are very often used by banks to authenticate an individual’s identity.
Online Banking Logins
$50 - $1,000 per account, depending on the account balance
After obtaining these credentials, fraudsters would normally attempt to cash the account out by completing wire transfers to accounts.
‘Fulls’ Data Sets
$5.00 - $20.00 per set
‘Fulls’ information includes the full details, username and password), mailing address, card number, CVV2 code, card’s expiration date, MMN, DOB, SSN.
Fraudulent Phone Calls
$10.00 - $15.00 per call (Prices vary according to the destination of the call)
Completed by Fraudster Call Centers, fraudulent phone services are offered to cybercriminals as a means to overcome language barriers for those who need to impersonate the account holder.
SMS or Phone-Flooding Services (aka Telephony DoS/ TDoS)
$25.00 - $40.00 per 24 hours of phone-flooding
Phone-flooding is usually performed in order to render a consumer’s mobile phone unavailable for incoming authentication calls or SMS text messages sent from the bank.
DDoS Attack Service
$50.00 per 24 hours of website-flooding.
A ‘Distributed Denial of Service’ attack is an attempt to make a computer resource unavailable to its intended users by overloading, or “flooding” its bandwidth with an overwhelming volume of web traffic.
CC Checking/ Verification
$0.40 per check
Prices may vary widely.
$20.00 for 50 checks
CC (credit card) checkers are used by cybercriminals to verify the validity of the compromised payment cards.
Bulletproof Hosting
$87-$179 per month
Bulletproof hosting is a hired service used by cybercriminals to host malicious content on web. Bulletproof sites are much harder for law enforcement to take down.
Track 2 Data (aka “Dumps”)
Classic/ Standard cards: $15 - $20
Gold/ Platinum cards: $20 - $80
Worldwide/ Business/ Corporate/ Signature: $30 - $40
‘Track-2’ information is found on a payment card’s magnetic stripe. By purchasing ‘dumps’, fraudsters can produce counterfeit payment cards that can be used in stores.
Zeus Trojan Kit
Backconnect $1,500
Firefox form grabber $2,000
Jabber (IM) chat plug-in $500
It is one of the most pervasive banking Trojans with an infection rate of thousands of computers per day. Zeus Kit: $3K - $4K
SpyEye Trojan Kit
Basic kit- $1,000
Firefox Injection tool $1,000-$2,000
One of the most advanced Trojans. It has its own IE and Firefox HTML injections, pre-defined bank triggers and a growing list of unique features. SpyEye has been 2010’s biggest Trojan innovation.
Source: RSA'S fraud action intelligence team; Online Fraud Report 2010