September 6, 2018

2018 is a good year to be a cybercriminal globally, especially if you are selling stolen credit card and bank account data, according to recent research from leading cloud security solutions provider Armor. Armor’s security research team, the Threat Resistance Unit (TRU) did a deep dive into the Underground Cybercriminal Markets in Q4 2017 and published their findings in March 2018. The report, called the Black Market Report: A Look Inside the Dark Web, exposed the goods and services being bought and sold in these markets as well as their asking price. In studying the current happenings on underground cybercriminal markets and forums, the TRU Team decided to do some additional analysis on several of the most popular items — credit card data, online bank account data, and Fullz (Full Identity data, also known as Personally-Identifiable Information). The TRU team examined how the prices had changed between 2015 and June of 2018. They began by sorting through dozens of different marketplaces and forums — both English and Russian speaking ones — and then focused on nine different vendors. Overall, prices for these items rose from 2015 to 2018. Although, there were a few anomalies in the pricing, the TRU team details these deviations.

Prices for Stolen Credit Card Data Jumps as Much as 83% from 2015 to June 2018


Prices for Stolen Credit Card Credentials in 2015 Compared to 2018

The TRU Team discovered that credit card data in the U.S., U.K., Canada and Australia had increased in price anywhere from 33% to 83% between 2015 and June 2018. For example, in 2015, the average price for one U.S-issued Visa or Mastercard ran $5 USD, and in June 2018, it jumped 82% to $9 USD.

The average price for a U.K.-issued Visa or Mastercard in 2015 was $12 USD but jumped to $22 USD in June 2018. This is approximately 83% increase. This price hike continued with Canadian and Australian-issued Visas and Mastercards, as well as for U.S., U.K., Australian and Canadian-issued American Express and Discover cards. However, credit cards issued in the European Union stayed the same price or dropped just slightly.

Why the Increase in Credit Card Prices?

So, why had prices of credit cards increased so much from 2015 to June 2018? The TRU Team set out to explore this. Corey Milligan, Sr. Security Researcher with the TRU Team, who led the research behind the March 2018 Black Market Report, believes there are several aspects which could be driving the increase:

  • Increased Risk and Loss of Escrow Services after the AlphaBay and Hansa Market Takedowns— The July 2017 shutdown of AlphaBay, the largest online criminal marketplace on the darknet, and Hansa, formerly the largest dark-web market in Europe, caused chaos in the darkweb marketplace, leaving many sellers scrambling to find a new digital storefront from which to sell their goods and services. These two markets supplied threat actors with a one-stop shop where they could buy and sell any combination of credit cards with large available balances from any country and from almost any issuing bank. According to the FBI, AlphaBay operated for two years, conducting transactions exceeding $1 billion in Bitcoin and other digital currencies and enabling hundreds of thousands of criminals to anonymously buy and sell drugs, hacking tools, credit cards, bank accounts, stolen identities, weapons, and a host of other illegal goods and services. Milligan believes that, as a result of these sting operations, many vendors paused their operations, reducing the supply of credit card data in the markets and causing the prices to rise. Additionally, many illicit data brokers lost money and business in the form of seized escrow funds that were tied up in these markets, and that this caused them to raise prices to compensate for the increasing the risk that clients may pull out of pending sales, due to their lack of trust in escrow services.
  • Strong Message Sent by Law Enforcement In fact, according to news reports, AlphaBay creator Alexandre Cazes was arrested in Thailand and U.S. law enforcement requested that he be extradited to the U.S. to face charges. Cazes did not get extradited, he died in his jail cell from an apparent suicide.The AlphaBay and Hansa sting operations took the brokers, buyers, and even the market administrators by surprise. Whether you attribute that to the skill and coordination of the law enforcement agencies involved or the hubris of the cybercriminals that got caught up in it, it doesn’t matter at this point. At the end of the day, the operations were extremely effective and successful.One of the main aspects that made it so effective is also believed to have been the primary cause of the ensuing chaos. When AlphaBay was taken down it was done in such a way that it left its users believing that they were having technical difficulties. Those conducting the operation went as far as to display an error page that directed users to the Hansa market while the issues were being worked out. This resulted in not only successfully halting AlphaBay’s operations, it funneled cybercriminals to the Hansa market which was already under the control of European law enforcement, led by the Netherlands National High Tech Crime Unit (NHTCU). The NHTCU monitored Hansa’s buyers and sellers, discreetly altering the site’s code to grab more identifying information about those users, and even tricked dozens of Hansa’s anonymous sellers into opening a file on their computers that revealed their locations. The operations led to more than a dozen arrests, the recovery of millions of dollars’ worth of Bitcoins, and the collection of associated user information for use in other operations.Marinus Boekelo, one of the NHTCU investigators who worked on the Hansa operation was quoted as saying: “When a dark market is taken down, everyone goes to the next one. It’s a whack-a-mole effect.” However, by secretly seizing control of Hansa rather than merely unplugging it from the Internet, Boekelo says he and his Dutch police colleagues aimed to not only uncover more about Hansa’s unsuspecting users, but to deal a psychological blow to the broader dark-web drug trade. “We thought maybe we could really damage the trust in this whole system,” stated Boekelo.

    Milligan feels similarly, “I believe, as the result of the AlphaBay and Hansa activities, the criminals buying and selling on the darknet didn’t know which marketplaces to trust, putting the underground economies in flux.” As to be expected, many new markets have cropped up since the demise of AlphaBay and Hansa. However, due to the reenergized level of paranoia, none have established the dominant positions once held by those kings of the underground.

  • Simple Supply and Demand
    The credit card data market in the cyber underground is a well-established, mature marketplace. Like any other market for goods, age of the market, competition between vendors, supply of available credit card data, demand for credit card data, and the value of its use are the primary drivers behind the stability of the price. The market for credit card data has been around for longer than the darkweb has existed. The spike in prices observed since late 2016, early 2017, can be directly attributed to increased security measures by credit card issuers and payment processers, as well as the previously mentioned law enforcement successes. Looking back to 2015 and earlier, however, prices for credit card data have been steadily rising. The why is simple, e-commerce. E-commerce has made stolen credit card data easier to use, essentially increasing its value and, thus, the demand for it.

As one can see from the June 2018 prices of credit cards, a buyer can get basic credit card data for as low as $9, while the most expensive card data only runs $75. The more expensive cards come with corresponding CVV codes, as well as the personally-identifiable information of the cardholder, (name, address, age, phone, social security number or national identifying number, email address and mother’s maiden name) enabling the fraudsters to circumvent fraud questions implemented by the merchants. These credit cards have balance limits starting at $3,000 going up to $50,000. There were so many vendors selling the higher value credit cards, issued from many different financial institutions from all parts of the world and with all of the card’s corresponding information, that the TRU Team decided to focus on providing the current pricing for these type cards.


2018 Prices for Stolen Credit Card Credentials and Corresponding Identifying Information, e.g. CVV numbers, VBV passwords and PII

With this type of credit card data in hand, a fraudster can simply go online, use a TOR service to anonymize their IP address, and purchase high-end items worth thousands of dollars using the stolen card data. The criminal can then turn around and sell those items, making an outstanding profit from their nominal investment of $9 to $75.

Online Bank Accounts


Prices for Stolen Bank Account Credentials in 2015 Compared to 2018

When looking at the prices for credentials for various Online Bank Accounts in the U.S. and the U.K., the TRU team saw that prices had generally gone up between 10% and 20% from 2015 and 2018. However, there were some bank accounts, both in the U.S. and the U.K., which decreased in price, such as U.S. bank accounts with balances between $2,000 and $6,000. These particular accounts dropped in value more than any of the others, going from $375 in 2015 to $268.75 in 2018, a percentage of 28%.

Why Haven’t Credentials for Online Bank Accounts Risen in Price as Much as Credit Card Accounts?

The TRU Team believes there are several reasons for this including:

  • Higher Risk — Because bank accounts tend to be monitored more closely than credit cards (depending on the card issuer), compromising and using stolen online banking credentials to steal money from an active account poses a much higher risk to the threat actor. Of course, the cybercriminal that compromises the account credentials but doesn’t steal directly from the account, but rather resells the credentials to another fraudster is taking on less risk than the cybercriminal who actually utilizes the credentials to transfer money out of the compromised account to an account that they or their threat group controls. The TRU Team theorizes that because of the increased risk, the pool of cybercriminals looking to get in the game of stealing from online bank accounts is much smaller than those willing to steal credit cards. As a result, with less demand, the prices have increased more slowly than that of credit card data.
  • More Sophisticated Skills Required to Compromise and Siphon Money from Bank Accounts — Compared to stealing and using credit card data, the process of compromising online bank account credentials and successfully using these credentials to siphon money out of an online bank account requires a much more sophisticated threat actor. One of the reasons is that many banks require multiple levels of authentication before authorizing a transaction, including out-of-band authentication methods such as sending one-time verification codes to the account owner’s phone via text or voice.Additionally, those threat actors who are intent on transferring money out of a victim’s account to a bank account under their control are likely more experienced than a threat actor merely buying credit card data and going online and purchasing high-end items. The reason for this is that they typically must be able to recruit a money mule with an established bank account that will not raise alarm bells when they transfer the monies into the mule’s account.The threat actor must also pay the mule a portion of the siphoned-off funds. A well-established money mule, with a solid reputation who has multiple accounts in various top financial institutions, is going to command on average 10% of the take. However, the payout can run up to 20% depending on the risk and the amount being stolen. Also, the threat actor has to trust that the mule is going to remit the remainder of the stolen monies to them after the mule has taken their cut. It is for this reason that the threat actor will seek out a mule or a mule network operator with a solid reputation. They may pay a higher percentage, but it is critical to work with a mule that has established accounts and can be trusted to remit the funds.If a threat actor decides to not use a money mule then they must personally set up a fraudulent bank account in which to transfer the stolen funds to. Typically, they will use a fake identity to set it up, and once established, they will do an online transfer of the money from the compromised bank account to the bank account under their control. Most likely they will quickly transfer the stolen funds to a second bank account or will withdraw the stolen funds before the transaction can be reversed by the bank. There are instances when the financial institution gets alerted that it is a fraudulent transaction and is able to call back the funds. Even if the threat actor transfers the funds to a second account, eventually they must withdraw the money at some point which puts them at further risk. Typically, most threat actors prefer to engage a money mule, letting them take the big risk of receiving and withdrawing the stolen funds. Similar to the increased risk involved in compromising and laundering money out of online bank accounts, the TRU team wonders if the amount of skill involved also affects the number of threat actors willing to participate in this area of financial cybercrime, thus lessening the demand and lowering the prices.
  • Start-Up Costs are More Expensive–The third item which the TRU thought might affect the demand for online bank account credentials is the price point. Today’s price for bank account credentials begins at a minimum of $268 and goes up to $1,100, depending on the balance of the account. So yes, a cybercriminal can spend $1,100 and potentially get their hands on $16,000. However, as outlined previously, a cybercriminal can spend just $75 and get the credentials of a credit card with a balance of $50,000. This card will come with the corresponding CVV code and key personal information about the card owner, including social security number, name, address, age, email address, phone, and mother’s maiden name. The start-up costs when dealing with online bank accounts is more expensive — and gets even more so when using money mules because they get a portion of the take.

Prices for Full Identities Increase in Europe and Australia, Stay Same in the U.K. and Decrease in the U.S.

Prices for Fullz (Full Identities) in 2015 Compared to 2018

The TRU team also looked at the prices of Fullz, which is a packet of personally-identifiable information (PII) that typically includes:

First name
Last name
Current Home/Billing Address
Previous Home/Billing address
City
State
Zip
Country
Mobile and/ or home phone
Work phone
SSN or National Identity Number
Date of Birth
Mother’s Maiden Name
Credit card number

The TRU team observed several cybercriminals who offered to sell additional data, relating to a victim, if the buyer was willing to pay a bit more money. This information included such items as an individual’s bank account type, bank account number, bank routing number, bank security questions and answers, driver’s license number, victim’s employer. The prices for full identities rose between 10% and 39% for individuals living in Australia and parts of Europe, including France, Sweden, Spain, Italy, Denmark, and Ireland. Prices for full identities in the U.K. and Canada stayed the same between 2015 and 2018, whereas prices for full identities in the U.S. decreased 23% between 2015 and 2018.

Prices for U.S.-Based Full Identities in 2015 vs 2018

There really is no way of knowing exactly why U.S. full identities decreased in price between 2015 and June 2018. What is known is that there has been a great deal of U.S.-based personally-identifiable information compromised in the last several years. And there seems to be an endless supply of this information available on the Underground Cybercriminal Markets.

Between 2015 and June of 2018, the U.S. experienced its largest publicly known breach — the Equifax incident. Described by some as the “worst data breach in U.S. history,” the attack impacted nearly 147 million people in July 2017. Other notable U.S. breaches, involving millions of personal records included the 2015 breach of the U.S. Office of Personnel Management, whereby more than 21 million federal workers (including retired federal workers) were affected. There was also the breach of Experian Information Solutions, the world’s largest consumer credit monitoring firm. In this incident sensitive personal data of about 15 million T-Mobile customers, who underwent credit checks by Experian, were affected. There was also an attack on an Experian subsidiary which exposed the Social Security numbers of 200 million U.S. citizens. These are just a few of the hundreds of publicly reported breaches between 2015 and 2018. In fact, according to Risk Based Security, in 2018 alone there have been 1,074 reported breaches in the U.S., exposing 1.03 billion records for an average of about 960,000 per breach.

One has to wonder if the volume of this cyber activity and the tremendous amount of personal data that has been exposed from these breaches and others hasn’t had an effect on the prices of U.S. Fullz. After all, supply and demand determine prices in a market, and if supply increases and demand remains unchanged or drops then it should lead to a decrease in price.

Why Did Prices for European-Based Full Identities Increase from 2015 to 2018?

Similar to the question around why prices decreased for U.S-based full identities, there really is no way of knowing exactly why prices for European-based full identities increased between 2015 and 2018. However, one wonders if the General Data Protection Regulation (GDPR) has had an effect on the prices. The regulation was designed to protect the personally-identifiable information of those living in the EU, hopefully making it harder for cybercriminals to access and steal this information. It is possible that fear of not complying with the regulation — which was first adopted in 2016 and made enforceable May 25, 2018 — led businesses to improve security, thereby reducing the amount of compromised data and causing prices to go up.

Cybercriminals Hawk Full Identities, Promising Lots of Profit

Regardless of the prices for full identities, there are no shortage of threat actors selling an individual’s personal data and advertising to their buyers how they can make thousands of dollars.

In one advertisement, a seller claimed that by buying Fullz instead of online banking credentials, the buyer could easily get a bank loan for $10,000 and cash it out or open up new credit cards with limits up to $15,000. This same threat actor promises to provide his customers with a step-by-step tutorial of exactly how to go about it, and he is even willing to give it away for FREE.

Ad from Cybercriminal Selling Fullz

“Bank usernames and passwords are not as important as the Fullz and here is why. With a bank username and password by itself you can’t do very much, but with Fullz records you can CREATE NEW bank usernames and passwords that will match whatever IP/Browser Agent you are using. So think of the Fullz as the master key to fraud. My Fullz come with the following information:

  1. Name
  2. Address
  3. DOB
  4. Social Security #
  5. Tel #
  6. Driver’s License
  7. Workplace
  8. Bank Name
  9. Bank Location
  10. Date Bank Account Was Opened
  11. Average Monthly Balance
  12. Bank Checking Account #
  13. Bank Routing #

“Dudes, with all this info you can do ACH transfers of 10k or more, open up brand new 15,000 USD and up credit cards, open up fresh bank accounts for quick internal transfers, and way way more. And I will also provide you with a Bank Account Takeover Guide–a tutorial that gives you step by step how to get approved for a bank loan and how to cash it out safely (VALUE $300) FREE.”

As evident from the number of threat actors advertising credit card, online bank account, and personal-identity data in the cyber underground, there is no shortage of this type information being compromised, packaged and sold. No matter if a particular type of data has gone up or down in price, cybercriminals are still targeting it, and both private individuals and organizations processing or storing sensitive data must take great care to protect it.

In fact, to give readers a sense of the monetary loss due to cybercrimes involving financial and personal data, the Ponemon Institute’s 2018 13th annual Cost of a Data Breach study found that the global average cost of a data breach is up 6.4 percent over the previous year to $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8 percent year over year to $148. In a breach such as the incident that impacted Equifax in 2017, the total cost of the losses is astronomical. Armor and the TRU team are helping to protect its clients’ employee and customer data, and it is also our goal to help educate organizations and individuals on how to best protect themselves from current and emerging cyber threats, especially financial cyber threats.

The TRU research team recommends the following cybersecurity protections for organizations and individuals. These recommendations will go a long way to mitigating these threats. However, for organizations housing sensitive data, it is critical that they also have a team of security experts, either internally or externally, who have a vast view into the cyberthreat landscape, have real-time threat intelligence around current and emerging threats, and know how to detect and eradicate these threats.

Cybersecurity Protection Tips for Organizations

  • Train your employees on how to identify suspicious activity.
  • Train your employees on how to identify suspicious activity.
  • Find, classify and protect your most sensitive data, particularly information impacted by compliance regulations such as PCI-DSS and HIPAA.
  • Deploy patches as promptly as possible to shorten the vulnerability window.
  • Employ data encryption to protect sensitive data in transit and at rest.
  • Monitor cloud usage, manage access to cloud services, and secure any data or applications you migrate.
  • Utilize security technologies such as firewalls, anti-malware software, and intrusion detection and prevent systems to build a shield around your environment.
  • Employ two-factor authentication around your key applications such as email, online banking, bill pay, etc.
  • Consider using a computer dedicated to only doing your organization’s online banking and bill pay. That computer or virtualized desktop should not be used to send and receive emails or surf the web, since Web exploits and malicious email are two of the key malware infection vectors.

Cybersecurity Protection Tips for Individuals

  • Do not click on suspicious links or open email attachments from unknown senders.
  • Use anti-malware software.
  • Update your software regularly for security patches.
  • Be cautious accessing online banking sites, email or other sensitive sites when using public Wi-Fi hotspots, as many of them lack strong security and can leave you susceptible to attacks.
  • Employ two-factor authentication around your key applications such as email, online banking, bill pay, etc.
  • Do not use the same password for multiple websites or services and allow a single compromised account to turn into many.
  • Consider using credit monitoring services to detect suspicious activity.
  • Computer users should use a computer dedicated only to doing their online banking and bill pay. That computer or virtualized desktop should not be used to send and receive emails or surf the web, since Web exploits and malicious email are two of the key malware infection vectors.
  • Reconcile your banking statements on a regular basis with online banking and/or credit card activity to identify potential anomalous transactions that may indicate account takeover.
  • Make sure your anti-malware is current and can protect against the latest exploits. Also, make sure that your anti-malware vendor has signatures for detecting the latest Trojans and that you have the most up- to-date anti-malware protections installed.

Resource Center

More security resources at your fingertips.

Practical Content for Security, DevOps, & IT Professionals