Written on Wednesday, April 18, 2007 by Gemini
In continuation of my earlier post on this topic...How Does Hacker's Economy Work?
A site called Dumps International appears to provide credit cards and equipment for reading and encoding credit cards, as well as Social Security numbers, dates of birth, mothers' maiden names, PINs, and batches of credit card "dumps" that contain card numbers, cardholder names, and expiration dates. The cost for U.S. credit card numbers on the site ranges from $40 for a standard credit card up to $120 for a "signature" card, one step above platinum and corporate cards. There are even specials--buy 100 cards in a mixed batch and the price drops to $30 a card.
The average life expectancy for such sites is about six months before they're rerouted through a new proxy server to throw off law enforcement. TalkCash.net, which functioned until last summer, even offered a list of "rippers," those who'd used the marketplace but were unreliable, and "verified vendors," those who had proved that they could deliver on their promised goods.
Cybercriminals close their deals using peer-to-peer payment systems like PayPal and e-gold, which lets people exchange electronic currency backed by the value of gold bullion rather than a particular national currency. Some use Western Union wire transfers to make payment. E-gold says it "in no manner condones" the use of its service for criminal acts, and PayPal chief information security officer Michael Barrett says the company regularly works with law enforcement when it identifies usage patterns that indicate criminal activity.
Moving money around can be dangerous for hackers, since transactions over $10,000 must be reported by banks and wire transactions can be easy to track. Georgia Tech's Dagon says large transactions can be split up, with some in the hacker gang taking payment in plasma TVs, large numbers of compromised iTunes accounts, World of Warcraft credentials, and even access to compromised routers.
Malware For Sale
Another valuable commodity in the hacker economy is malware such as viruses, worms, and Trojan horse programs. These so-called exploits provide hackers entrée into corporate systems. A recent report by Internet Security Systems (acquired last year by IBM) warns of the emergence of an "exploits-as-a service" industry, with sophisticated manufacturing and distribution networks similar to the computer industry's legitimate production channels.
"Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors," the report says.As with any market economy, the most valuable commodities command the highest prices. In December, a flaw in Microsoft's new Windows Vista operating system was found for sale on a Romanian Web forum for $50,000, says Raimund Genes, CTO of security vendor Trend Micro, who contends that the malware industry commands more revenue than the $26 billion that legit security vendors generated in 2005.
Serious money like that has attracted an equally serious criminal element. Zero-day exploits--which take advantage of security vulnerabilities as soon as they're discovered, before vendors can patch their products--were selling late last year for as much as $20,000 to $30,000 each, Genes says.
However, despite the danger zero-day and other security vulnerabilities pose to companies and their customers, there's little law enforcement can do to prevent someone from writing a program that exploits one of these vulnerabilities. It's not a crime "to point out an unpatched vulnerability on the Internet," says Marc Maiffret, founder and chief hacking officer of eEye Digital Security.