The Black Market of Data Theft

The cost of data in the underground economy can jeopardize security strategy. You will be shocked to know where the data travels and the kind of price paid for it. Today, the size of the black market for data – just in India – is pegged at about $1 billion.

Debarati Roy Sep 22nd 2011

In January 2011, UCO Bank’s Shani Shingnapur branch in Maharashtra was celebrated as the first bank without locks on its doors. Shani Shingnapur is famous for its houses without doors because villagers believe that Shani (a Hindu god) punishes theft.

The question is: Would the bank dare do away with cyber locks?

Obviously not. They know that valuable data transforms into currency, lots of it. Leave a cyber door open and before you know, cyber criminals are holidaying in Las Vegas, at your cost.

A Symantec report on data theft called the Underground Economy estimates that the total value of goods (mainly data) advertised in the underground economy is over $276 million (Rs 1,240 crore). And that was in 2008. Today, Maninder Bharadwaj, director, Enterprise Risk Services, Deloitte, pegs the size of the black market for data—just in India—at about $1 billion (Rs 4,500 crore).

What’s On Sale

There’s limited research on the workings of the underground data market. But recent research (January 2011) by Panda Security is eye-opening. Credit card details can start as low as $2 (Rs 90) and can go up to $90 (Rs 4,000) for cards with complete information, including the victim’s address, CVV2 number, driving license number, secret questions and answers.

Bank credentials start from $80 (Rs 3,600) and reach $700 (Rs 31,500) for an account with guaranteed balance. Details for online accounts cost anything from $80 (Rs 3,600) to $1500 (Rs 67,500) for accounts with guaranteed balance.

According to Symantec’s 2008 report, e-mail accounts (like the ones the hackers of Epsilon were after) are sold by the megabyte. The cost for these can range anywhere from $0.30 to $40 (between Rs 13 and Rs 1,800) per MB.

But it’s not just data on sale. Physical credit cards cost around $190 (Rs 8,550), with the cost of card details additional. One can buy a physical card cloner for anything from $200 (Rs 9,000) to $1000 (Rs 45,000). The cost of a fake ATM is about $35,000 (Rs 15 lakh).

What the Black Market Looks Like

In the data theft market, supply outstrips demand. According to Symantec, credit card data makes up about 30 percent of the total goods advertised on hacker sites and outstrips demand by 7 percent. Financial accounts are also on bulk sale, with supply forming about 20 percent of the market.

Credit card details are hot. Though they make up only a third of advertised goods, they are worth over 55 percent of the total value of advertised goods. Once bought, these credit cards are a gold mine for criminals. Symantec estimates that if criminals sucked each account dry, they could make about $5.3 billion (Rs 23,850 crore).

The second most popular data type on sale is information that could be used for identity theft at 16 percent of the market. Next is financial accounts, making up 8 percent of the market. But the latter are relatively fast-moving items because they are easy to cash out, providing immediate monetary gain. The average balance of financial accounts was around $40,000 (Rs 18 lakh).

If these figures make it seem like it’s only credit cards or passwords that are on sale, that’s wrong. “Today, you can purchase entire portfolios that include every conceivable piece of data, from mother’s maiden name to family pet name,” says Shane MacDougall, principal partner at Tactical Intelligence, and a hacker at the DEFCON Hacking Conference. “Everything is up for sale, from pre-made credit cards, to ATM’s with built-in skimmers. It’s truly an eye-opening experience.”

There is also a growing business focus among hackers. Like businessmen, they are beginning to focus on ROE (return on effort). That’s leading to a shift from random hacking to taking orders for a fee. The reason is simple. Attacking a company for its data is more profitable—and represents a guaranteed payout—for hackers than trying to steal hundreds of credit card numbers, putting them up for sale, and waiting until someone makes a bid.

“The cyber-underground economy has shifted its focus to the theft of corporate intellectual capital because customers (people or organizations ordering an attack) can pay a big fat check in one go,” says Vinoo Thomas, technical product manager, McAfee.

Data theft of this type is typically ordered by rival organizations, governments, lobbyists, and the media. “Data including IP, business models, industrial designs, or something as basic as the details of someone’s next ad campaign could be of immense value to your competitor,” says Thomas.

What does this imply for enterprise? A re-look at their risk stance. “It would be ideal to shift the approach from ‘what is important to us’ to ‘what is important to them’,” says Thomas.

Black Market Operations

In the world of organized cyber crime, the word hacker is a generic term that encompasses a vast network of interconnected resources, each one an expert in their own field. Each has his own work profile, and they come together to complete a package that includes creating malware, finding potential victims, and being a ‘mule’ to collect money.

Hackers trade data on the Internet using special hacker forums or IRC (Internet relay chat). “What better place can a computer geek choose other than the World Wide Web? They know how to camouflage themselves, are masters of the medium, and cannot be bound by the jurisdiction of a single country,” says Bharadwaj.

The anonymity of the Internet emboldens hackers to step out of the dark alleys of the underworld. Today, it’s become relatively simple to come across these underground forums on the Internet. Between July 1, 2007 and June 30, 2008, Symantec observed 69,130 distinct active advertisers in the underground economy and counted 44,321,095 postings. The potential worth of the top-10 most active advertisers was $18.3 million (Rs 82 crore). And the potential worth of the top seller in the underground economy was $6.4 million (Rs 28 crore).

“Most initial contact with hackers or data vendors is made through ICQ (an instant messaging tool) or a similar messaging service. Once vetted, you have access to underground exchanges,” says MacDougall.

Today, forums like and are currently active on the Internet.  The preferred modes of payment for transactions are payment processors and services like Western Union, Liberty Reserve, WebMoney, among others. According to Symantec, such transactions account for 63 percent of the total transactions.

Changing with Times

Like any smart business, hackers in the underground economy are adapting to new market needs. Today, for instance, everything—from the tools to the skills required to commit a crime—can be bought and sold on a single platform, allowing for turnkey projects.

“There exists a mind-bogglingly sophisticated business model that evolves incessantly to react to market needs. Without that dark edge, any entrepreneur would be jealous of this model,” says Jay James, principal partner, Tactical Intelligence.

“What’s funny and yet ironical is the fact that most sites that sell data operate like legitimate businesses. You’ll commonly see ‘try before you buy’, ‘free delivery for physical goods’ (card cloners and fake ATMs) and there are even ‘money back guarantees’!” says MacDougall.

What’s next? Information on EMI?