Senior security researcher with Armor’s Threat Resistance Unit, Corey Milligan, says stolen credit card data has great value to cyber criminals because of the number of ways they can use it to commit fraud, for everything from purchasing high-end merchandise for resale to money laundering.
But Brian Stack, vice president of engineering and Dark Web intelligence for Experian, says stolen credit card data is just the start. Cyber criminals, he says, are really after a victim’s full digital footprint.
There’s also a broader universe of stolen data and items available on the Dark Web that security pros need to defend against.
That includes a developing dark market for cloned ATM cards, passports, and prescriptions and prescription labels – all of which have increased in importance specifically over the past three years.
1. Credit Cards:
Last year’s take-downs of AlphaBay and Hansa helped create a major price rise in the fraudulent credit card market on the Dark Web, says Armor’s Milligan. Following the take-downs, he explains, criminals had to spend more money on security, infrastructure, and bulletproof hosting, plus their risk increased dramatically due to more intense law enforcement pressure. “When these markets were taken down, the money tied up in these escrow services became unrecoverable,” Milligan explains. “A lot of people, buyers and sellers, lost money, and confidence in these markets has taken a hit.”
2. Online Bank-Account Credentials:
Armor reports that prices increased in the online bank-account credentials market from 2015 to 2018 by around ten percent to twenty percent According to Corey Milligan, the company saw only a moderate increase because demand is not as great for online bank-account credentials as for credit cards. The chance of success is also less because banks typically have much better security. On top of that, there’s much more overhead: More skill is required, plus profit is less because criminals need to hire money mules to complete the transactions or set up their own fraudulent accounts to siphon the funds.
3. Cloned ATM Cards:
Armor cites a dramatic increase from 2015 to 2018 in the number of vendors offering cloned ATM cards. For example, in 2015 it found only one vendor selling cloned cards from $100 to $250 for accounts with balances ranging from $2,000 to $4,000. But by this year, it found five vendors selling cloned cards from as low as $100 to $1,000 for accounts with balances ranging from $2,000 to $55,000.
Armor’s Corey Milligan says cloned ATM cards have become a popular way for smaller cybercriminals to enter the cybercrime market. The sellers often package these cloned cards as a service offering that includes a how-to guide that explains how to commit the fraud and set up mules; they will even execute part of the service for a fee. Ed Cabrera, chief cybersecurity officer at Trend Micro, says he sees a lot of these cybercrime-as-a-service operations in which the sellers will offer a cybercrime campaign and also run the operation in exchange for a part of the take.
4. Full Identities:
Prices for full identities (Fullz) rose between 10% and 35% for people living in Australia and parts of Europe, including Spain, Italy, Denmark, France, Sweden, and Ireland. Prices in the U.K and Canada stayed the same between 2015 and 2018, while prices in the U.S decreased 29% between 2015 and 2018.
Armor’s Corey Milligan says the dramatic price decline in the U.S was due to an overwhelming supply of personally identifiable information following several high-profile breaches. These include last year’s Equifax breach, as well the breach of the U.S Office of Personnel Management in 2015.
In a related trend, Brian Stack, vice president of engineering and Dark Web intelligence at Experian, cites great demand on the Dark Web for medical data. Hospitals and medical facilities have lax security compared with the financial sector, he says, and by stealing data from medical operations, criminals can get people’s Social Security numbers, names, addresses, phone numbers, and all their sensitive medical information.
The market for passports has increased substantially from 2015 to 2018. Three years ago, Armor’s Milligan says, there weren’t as many vendors, and most of the activity was for scans that typically cost $50. But with increased interest in immigration to Canada and the US, and sizable refugee populations moving from places such as Syria and Africa to Europe, a great deal of additional activity is happening.
For example, sellers are offering complete packages: One seller offers a U.S. green card, passport visa, driver’s license, and insurance card for just $2,000. Another vendor offers an Ontario driver’s license and Canadian passport for only $1,000. Still another offers diplomatic passports from multiple countries for $2,500. Experian’s Stack adds that it’s inexpensive to obtain passport templates, and they can be reused many times.
6. Fraudulent Prescriptions and Labels:
Although Armor did not have comparison data for prescription labels and actual prescriptions, it has documented recent cases in which they have been sold over the Dark Web. Often, Armor’s Milligan says, the sellers will advertise “teaser” offerings on the Dark Web and try to meet the buyers in private chat rooms. In two separate cases, vendors were offering a single fraudulent label from well-known pharmacies for $62.90 and $60, respectively. By and large, they were trying to lure a customer to buy more. This tactic of providing only a bit of data was similar to a prescription Armor found on the Dark Web for codeine, which was advertised for $56 but did not specify a dosage.