April 14, 2009

Online Data Theft Not Halted By Recession

A new study by security software maker Symantec Corp. has shown that demand and prices remain stable for stolen credit cards, Social Security numbers and other private information, The Associated Press reported.

The Symantec report and another study from Gartner Inc., due to be released Tuesday, said that the recession has inspired new scams targeting people who are worried about work and their finances.

Alfred Huger, vice president of Symantec Security Response, said there's no pricing pressure at all and it's not dropping and they're not negotiating down.

"That tells us that there are still the same number of buyers. The underground economy has not been affected by the recession," he said.

That is probably because prices for some records have been falling for years and can't go much lower. Experts say stolen credit card numbers now go for as little as 6 cents each, if they're bought 10,000 at a time.

Smaller orders can be priced at $30 per card, while access to hijacked e-mail accounts go for 10 cents to $100 and bank account credentials from $10 to $1,000.

People can be paid to "cash out" compromised bank accounts for between 8 percent and 50 percent of the amount they're stealing, while hosting for scam Web sites range from $3 to $40 per week.

Sellers appear loath to undercut each other, Symantec says. Cyber gangs are often affiliated with organized crime, and crooks that don't play by the rules risk being locked out of future business, or possibly even physical violence.

Huger said it's a very heavily self-policing industry. "I think people there would take a very dim view of significant undercutting of prices that would affect the whole industry," he added.

However, prices for things like stolen credit card numbers might not be falling anymore because they have hit a bottom, according to security experts not involved in Symantec's study.

Stolen credit card numbers are not as useful as they once were because of anti-fraud measures - crooks now need additional details, like PIN numbers or the security codes on the back of the cards, to sell as a package deal.

Peter Tippett, vice president of research and intelligence for Verizon Communications Inc.'s business security solutions division, said the value of just the front side of your credit card has gone to almost zero.

"The bad guys need to get more and more data," he said.

But phony "phishing" e-mails that are becoming more common as the economy worsens have become the new go-to outlet for stolen data. Symantec said three-quarters of the phishing e-mails it examined were banking-related, for things like low-interest loans and mortgage refinancing.

They also cited an alarming 66 percent increase in the number of phishing Web sites since last year.

The data came from more than 200 million personal computers running Symantec's antivirus software and 200 million e-mail accounts that do nothing but collect spam. The company also used information from large corporations that use Symantec's products.

The Gartner study reinforced the finding that phishing scams are increasing, as an estimated 5 million U.S. consumers lost money to phishing attacks from September 2007 to September 2008.

Gartner said that was a 40 percent increase over the estimated number of victims in the previous year.

But Avivah Litan, a Gartner vice president, said scammers have changed their tactics and are now pursuing a higher volume of lower-value attacks to evade banks' fraud detection systems.


On the Net: