In April 2009, IT security firm Symantec revealed that a complete identity, including name, address, date of birth and credit card details, could be purchased on the black market in 2008 for as little as fifty pence.
The Symantec Global Internet Security Threat Report Trends for 2008 Volume XIV revealed that attackers who acquire personal information through illegal internet scams frequently sell the information to third parties via the internet. The most popular item of information in 2008 was credit card details, with prices starting at 4 pence per item, while bank account credentials were available for as little as 6 GBP.
A November 2008 Symantec report describes the most common ways in which the ‘underground economy’ of such criminal activity functions. According to the report, one of the most popular methods for trading illegally obtained sensitive information is web-based forums: online message boards where text-based adverts can be placed detailing the availability of such information. Often, the websites where such forums are based also provide advice on how to conduct scams and locate illegal items.
Internet Relay Chat (IRC) is cited in the report as another common method of sharing such information, including advertising and requesting illegal items such as credit card numbers. IRC is a kind of public forum, accessible via web browser or computer-based software, which allows group conversations to be held in real time. It is similar to instant messaging in that it allows ‘buddy lists’ and file transfers, but is divided into ‘rooms’ according to user interests or locations.
Stephen Trilling, vice president of Symantec Security Technology and Response, said: “Cybercriminals are profiting from creating and distributing customized threats that steal confidential information, particularly bank account credentials and credit card data. While the above ground economy suffers, the underground economy has remained consistently steady.”
The activities of criminal organisations involved in the illegal collection, sale or solicitation of confidential information are being closely scrutinised by law enforcement authorities, with the US Secret Service’s computer forensic investigation of a credit card fraud website, “Shadowcrew”, recently leading to the arrest of eleven people. But despite the crackdown, the April 2009 report shows that ‘phishing’ scams, where websites pose as a reputable source such as a bank in order to trick users into handing over sensitive information, are on the increase. Reports of phishing websites grew from 33,428 in 2007 to 55,389 in 2008, an increase of 66%.
Marc Fossi, executive editor of the Symantec Internet Security Threat Report XIV, warns that users must still be on their guard: “The unfortunate reality is that innocent Web surfers can visit a compromised website and unknowingly place their personal and financial information at risk,” he said. “Computer users have to be extra vigilant about their security practices.”