Science

Stolen credit card market remains hot, studies suggest

One sector of the economy apparently isn't hurting these days — the one run by identity thieves in the dark corners of the internet.

One sector of the economy apparently isn't hurting these days — the one run by identity thieves in the dark corners of the internet. Demand and prices remain stable for stolen credit cards, U.S. Social Security numbers and other private information, according to a new study by security software maker Symantec Corp.

Meanwhile, the supply of such data is steady too, thanks to the way the recession has inspired new scams targeting people who are worried about work and their finances, according to the Symantec report and another study from Gartner Inc. that was due to be released Tuesday.

"There's no pricing pressure at all — it's not dropping, they're not negotiating down," said Alfred Huger, vice-president of Symantec security response. "That tells us that there are still the same number of buyers. The underground economy has not been affected by the recession."

One reason is that the prices for some records have been falling for years and can't go much lower. Stolen credit card numbers now go for as little as six cents each, if they're bought 10,000 at a time. The price can be $30 US per card for smaller orders.

Access to hijacked email accounts can cost 10 cents to $100, while bank account credentials range from $10 to $1,000.

Scammers can hire people to "cash out" compromised bank accounts for between eight per cent and 50 per cent of the amount they're stealing. Hosting for scam websites ranges from $3 to $40 per week.

Price fixing among crooks?

Symantec says sellers appear loath to undercut each other. Many cyber gangs are believed to be affiliated with organized crime, and crooks who don't play by the rules risk being locked out of future business, or being targeted with internet attacks or possibly even physical violence.

"It makes you wonder if there's some collusion among the sellers," Huger said. "And it's a very heavily self-policing industry. I think people there would take a very dim view of significant undercutting of prices that would affect the whole industry."

Security experts not involved in Symantec's study say prices for booty like stolen credit card numbers might not be falling anymore because they have hit a bottom. The usefulness of stolen credit card numbers is waning because of anti-fraud measures — crooks now need additional details, like PIN numbers or the security codes on the back of the cards, to sell as a package deal.

"The value of just the front side of your credit card has gone to almost zero — the bad guys need to get more and more data," said Peter Tippett, vice-president of research and intelligence for Verizon Communications Inc.'s business security solutions division. That division investigates many large data breaches.

Phishing industry

The pipeline for stolen data is being replenished by phoney "phishing" emails that are becoming more common as the economy worsens. Three-quarters of the phishing emails Symantec examined were banking-related, for things like low-interest loans and mortgage refinancing. When people pay for those services, their money vanishes.

Symantec found a startling 66 per cent increase in the number of phishing websites from the previous year.

Symantec studied data from more than 200 million personal computers running its antivirus software, 200 million email accounts that do nothing but collect spam, and information from large corporations that use Symantec's products.

Gartner's study reinforced the finding that phishing scams are proliferating. It estimates that more than five million U.S. consumers lost money to phishing attacks from September 2007 to September 2008 — a 40 per cent increase over the estimated number of victims a year earlier.

Each victim is losing less money, though. Criminals have changed their tactics and are now pursuing a higher volume of lower-value attacks to evade banks' fraud detection systems, said Avivah Litan, a Gartner vice-president.