How Does The Hacker Economy Work?
Written on Tuesday, February 13, 2007 by Gemini
It's a murky world of chat rooms, malware factories, and sophisticated phishing schemes. Here's a look inside.
When retailer TJX disclosed on Jan. 17 that the computer systems that store data related to credit card, debit card, check, and merchandise return transactions had been broken into, it said it had discovered the hack in December. But security officials at Visa had been seeing an increase in fraudulent activity on credit and debit cards related to TJX properties, such as T.J. Maxx, Marshalls, and HomeGoods stores, since mid-November. That means it's possible the purloined consumer data has been floating around the Internet, available for purchase on black market Web sites and chat rooms, for at least two months, maybe longer.
Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.
While the independent hacker still exists (pardon us, but in this story, we'll refer to "hacker" in the layman's sense), the FBI sees true organized crime in parts of the hacking community, particularly in Eastern Europe, says special agent Chris Stangl, who works in the bureau's cybercrime division, the agency's third largest behind counter-terrorism and intelligence. "You'll have hackers cracking the machines, individuals collecting the data, and individuals selling for profit," Stangl says. Getting a clear picture of the hacker economy isn't easy. It's a murky underground about which few people are willing to talk on the record. But the general outlines can be gleaned from inside and outside sources.
Direct Approach
Some hackers take the direct approach. Ransom scams--in which a criminal infects a company's systems with malware that encrypts data and then demands money to provide the decryption key--are common in Russia. Uriel Maimon, a researcher with the consumer division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these scams over the past five months.
But in the scheme of things, those kinds of scams aren't all that common because they're risky--they require "a direct financial connection between the victim and the author or proprietor of the malware," says David Dagon, a researcher with the Georgia Tech Information Security Center. More omnipresent is the thriving black market in data. Online sites abound where credit and debit card numbers, cardholder names, and the card verification value, a three- or four-digit code that's used to verify a card's authenticity, can be bought and sold. Jeff Moss, who goes by the handle "The Dark Tangent" and is the founder of Black Hat, a security research and training firm (owned by InformationWeek parent CMP), says he knows of one European cyberattacker who makes nearly a half-million dollars annually buying and selling databases and customer lists.
Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.
Credit card thieves, who call themselves "carders," often ply their wares through IRC chat rooms, private and public forums with names like CardersMarket and Carder.info, and even conventional-looking e-commerce sites. The experienced hackers and carders stick to private, encrypted, password-protected IRCs, Ullrich says.
One forum, CardingWorld.cc, has more than 100,000 posts from 13,000 registered members, most of whom write in Russian. The site's English section includes offers for Bank of America, Fidelity Bank, and PayPal logons; credit card information from around the world; valid gift cards; and services for the safe transfer of large amounts of money. Most sellers and buyers on the forum request that purchases or offers be taken to private messages on the bulletin board system or to ICQ instant messaging.
