IT Report

by Msecadm4921

A report from IT firm Symantec on the underground economy.

The online underground economy observed by Symantec has matured into a global market with the same supply and demand pressures and responses as any other economy.

Web-based forums are a popular means of trading stolen information. Posted advertisements are visible to anyone visiting the website until they are removed, most forums are organised chronologically and can be easily searched, and joining is usually open to anyone, often requiring registration with only a username. That said, forums have differing levels of membership. Some allow members to post advertisements and interact with other members immediately, while others restrict member privileges until certain criteria are met. Many forums conduct a peer-review process for potential sellers before they are endorsed: to establish a reputation, prospective sellers are often required to provide samples of their goods for validation and verification. Many sites also run a range of active forums, including tutorials, how-to guides, credit card scams, or specialised venues for goods from specific countries or regions.

On discussion groups participants buy and sell fraudulent goods and services. Items sold include credit card data, bank account credentials, email accounts, and just about any other information that can be exploited for profit. Services include cashiers who transfer funds from stolen accounts into real currency, phishing and scam page hosting, and job advertisements for roles such as scam developers or phishing partners. 'Rippers' are vendors on underground economy servers who conduct fraudulent transactions, such as not delivering purchased goods or deliberately selling invalid or fake credit cards.

In a sign of the international nature of cybercrime, the report gives the example of card data stolen by 'wardriving', the practice of driving around with a laptop and a wireless network card to scan for networks in an area. The credit card data was stored on servers in Latvia and Ukraine until it was encoded onto blank cards supplied by contacts in China; the cards were then shipped back to North America to be used.

People using fraudulent credit cards try to raise as little suspicion as possible in order to get the maximum use out of the card, because issuers routinely monitor their clients' transactions for unusual spending patterns, locations and amounts. With card-present transactions, for example, consecutive purchases from more than one country quickly alert the issuer to potential fraud or theft and the card is suspended. This is harder to monitor for online stores, which have no geographical boundaries: the same card number can be used from multiple locations by multiple people with less likelihood of immediate detection. In addition, not all online stores verify the billing address of the card, and often any location can be given as the shipping address.
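The issuer-side checks described above, written out as an added example (not Symantec's or any issuer's system): card-present purchases in two countries within a short window, online orders at merchants that ran no billing-address check and shipped elsewhere, and the same card number used online from several countries in a day. The time windows, thresholds and the sample transactions are assumptions made for the example.

```python
"""Added example: issuer-side screening rules modelled on the patterns the
article describes. Illustrative code, not Symantec's or any issuer's
system; the time windows, thresholds and sample transactions are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str                     # tokenised card reference, never the raw PAN
    ts: datetime
    amount: float
    country: str                  # country of the terminal (card-present) or merchant (online)
    card_present: bool
    avs_checked: bool = True      # merchant verified the billing address (online only)
    ship_to_billing: bool = True  # goods sent to the billing address (online only)


GEO_WINDOW = timedelta(hours=6)    # assumption: two countries this close together is implausible travel
CNP_WINDOW = timedelta(hours=24)   # assumption: window for counting online merchant countries
CNP_MAX_COUNTRIES = 2              # assumption: a third merchant country in the window is flagged


def screen(txns):
    """Apply the rules per card in time order; return (card, ts, rule) flags.

    geo_velocity          card-present in two countries within GEO_WINDOW
    cnp_no_avs_drop_ship  online order, no billing-address check, shipped elsewhere
    cnp_multi_country     online orders from more than CNP_MAX_COUNTRIES countries
                          within CNP_WINDOW (one number used from several places)
    """
    by_card = {}
    for t in sorted(txns, key=lambda t: t.ts):
        by_card.setdefault(t.card, []).append(t)

    flags = []
    for card, seq in by_card.items():
        last_present = None
        recent_online = []
        for t in seq:
            if t.card_present:
                if (last_present is not None
                        and t.country != last_present.country
                        and t.ts - last_present.ts <= GEO_WINDOW):
                    flags.append((card, t.ts, "geo_velocity"))
                last_present = t
                continue
            # card-not-present: weaker signals, as the article notes
            if not t.avs_checked and not t.ship_to_billing:
                flags.append((card, t.ts, "cnp_no_avs_drop_ship"))
            recent_online = [o for o in recent_online if t.ts - o.ts <= CNP_WINDOW] + [t]
            if len({o.country for o in recent_online}) > CNP_MAX_COUNTRIES:
                flags.append((card, t.ts, "cnp_multi_country"))
    return flags


# Constructed sample transactions (not real data).
T0 = datetime(2008, 11, 24, 9, 0)
SAMPLE = [
    Txn("card-A", T0, 120.0, "US", True),
    Txn("card-A", T0 + timedelta(hours=3), 80.0, "RO", True),      # second country in 3h
    Txn("card-B", T0, 45.0, "US", False),                           # AVS done, shipped to billing
    Txn("card-B", T0 + timedelta(hours=1), 600.0, "DE", False,
        avs_checked=False, ship_to_billing=False),                  # no AVS, drop-shipped
    Txn("card-C", T0, 30.0, "US", False),
    Txn("card-C", T0 + timedelta(hours=5), 30.0, "UA", False),
    Txn("card-C", T0 + timedelta(hours=10), 30.0, "CN", False),     # third country in 24h
    Txn("card-D", T0, 50.0, "US", True),
    Txn("card-D", T0 + timedelta(days=3), 50.0, "FR", True),        # ordinary travel, not flagged
]

if __name__ == "__main__":
    for card, ts, rule in screen(SAMPLE):
        print(f"{ts:%Y-%m-%d %H:%M} {card} {rule}")
```

The card-present rule is the strong one; the two online rules only narrow the field, which is the article's point about merchants that skip address verification and about peak-season volumes.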
Because many online stores also offer international shipping to compete with other businesses, buyers can easily direct their purchases to secure and untraceable drop locations, either close to their physical location for easy retrieval or to an intermediary who forwards the purchase. To the issuer these transactions may not immediately look suspicious, especially during peak shopping periods such as holidays when purchase volumes rise substantially. This is compounded by legitimate shoppers buying gifts online and shipping them to an address other than their billing address, often at the retailer's expense. All of this hinders issuers' ability to monitor spending patterns and widens the opportunity to use fraudulent cards. Issuers may therefore not see these purchases as fraudulent until well after the transactions have completed and the goods have shipped. Although many major online stores have adopted added security features such as online authentication services and billing address checks, many smaller merchants may not be taking such precautions.

The second most common category of goods and services advertised was financial accounts, with 20 per cent of the total. This category includes bank account credentials, magnetic stripe skimming devices, online payment services, online currency accounts, and online stock trading accounts. It ranked third for advertised requests, with 18 per cent. By far the largest contributor to the category's popularity was bank account credentials, which alone accounted for 18 per cent of all goods and services advertised for sale.

Financial accounts are attractive targets because of the opportunity to withdraw currency directly. Although this may involve more steps than using stolen credit card data to make online purchases, cashing out a financial account can be easier than drawing cash on a credit card, which requires the card's PIN; most ATMs also have CCTV cameras, which may deter criminals from that method. Withdrawing currency from a bank account also pays out more immediately than online purchases, which would need to be sold on to realise a purely financial reward.

The third ranked category for sale was spam and phishing information, with 19 per cent of the total. This includes email addresses, email account passwords, scams, and mailers. For requests it ranked second, with 21 per cent. Spam is a serious security concern because it can be used to deliver malicious code and phishing attempts. Phishing is an attempt to trick people into divulging confidential information by mimicking, or spoofing, a specific well-known brand, usually for financial gain; phishers seek personal data such as credit card information and online banking credentials, which they then exploit.

Compromised email accounts often give access to further sensitive personal information such as bank account data, medical or school information, or other online accounts (social networking pages, and so on). From there it is often simple to use the password recovery option offered on most registration sites to have a new password sent to the compromised mailbox and gain complete access to those accounts. The danger is compounded by the habit many people have of using the same password for multiple accounts.

There are more credit cards in circulation in the United States than in any other country: 1.3 billion cards by the end of 2006, compared with 70m in the UK. Credit cards are typically sold in bulk, with lot sizes from as few as 50 to as many as 2,000. Common bulk rates observed by Symantec during the reporting period were 50 cards for $40 ($0.80 each), 200 for $150 ($0.75 each), and 2,000 for $200 ($0.10 each).

ID theft is typically associated with loss of money, but there are several types: financial (the identity is used to obtain goods and services); criminal (the identity is given during a criminal investigation or arrest); commercial (the identity of a business is used to obtain credit); governmental (the identity is used to obtain government-issued documents such as a passport or driver's licence); and cloning (the identity is assumed by another and used on a daily basis). Compounding the situation for victims, it may take months, if not years, to clear these activities from their credit ratings once they are detected. Prices for full identities ranged from $0.90 to $25. As with other goods, Symantec observed that cost depended on the location of the identity, with those from the European Union advertised as the most expensive. The higher prices may indicate greater demand for and lower supply of EU identities; their popularity may also be due to the flexibility of their use, since citizens there can travel and conduct business fairly freely across the region. Full identities were also sold in bulk, with size and price ranges including 10 for $60 ($6 each), 500 for $750 ($1.50 each), and 1,000 for $1,000 ($1 each).

The financial sector has responded to such fraud with stricter preventative measures, such as the updated Payment Card Industry (PCI) Data Security Standard, a set of requirements for protecting payment account data that covers network requirements, encryption of transmitted data, and the maintenance of security policies.

Also for sale or hire are software tools and scanners that can be used to provide services such as denial-of-service (DoS) attacks, spamming and phishing campaigns, and finding exploitable websites and servers. They can also be used to generate goods such as compromised hosts, credentials, personal information, credit card data, and email addresses. Scam pages were advertised for an average price of $10, with prices ranging from $2 to $50. A scam page is designed to spoof a legitimate website; at a minimum it includes the HTML, images, and other content needed to imitate the targeted site, and it often uses actual content from the targeted company, including images, formatting, and even the underlying page code.

The top four countries hosting underground servers were the USA, Romania, Germany and the UK. The immense volume of legitimate activity in some regions may give underground servers the opportunity to go unnoticed, the report suggests. The United States, United Kingdom, and Canada rank highly for pirated games and other software, which the report attributes to those being English-language products.

What to do?

Organisations should monitor all network-connected computers for signs of malicious activity, including bot activity and potential security breaches, ensuring that any infected computers are removed from the network and disinfected as soon as possible. They should employ defence-in-depth strategies: multiple, overlapping, and mutually supportive defensive systems that guard against single points of failure in any one technology or protection method. Defence-in-depth should include the deployment of antivirus, firewalls, and intrusion detection systems, among other measures. Administrators should update antivirus definitions regularly and ensure that all desktop, laptop, and server computers carry all necessary security patches from their operating system vendor. As compromised computers can be a threat to other systems, Symantec also recommends that enterprises notify their ISPs of any potentially malicious activity, such as bots.

ID protection

To reduce the likelihood of identity theft, organisations that store personal information should take the necessary steps to protect data transmitted over the Internet and to limit the exposure of confidential information stored on their computers in the event of a successful intrusion. This should include developing, implementing, and enforcing a security policy that requires all sensitive data to be strongly encrypted, and educating users on the proper procedures for using the encryption tools. Encrypting sensitive data stored in databases limits an attacker's ability to view or use the data. This step does, however, require sufficient computing resources, as encrypting and decrypting the data for business use consumes processing cycles on servers. Furthermore, encrypting stored data will not protect against man-in-the-middle attacks that intercept the data before it is encrypted. In a man-in-the-middle attack a third party intercepts communications between two computers, captures the data, but still relays it to the intended destination to avoid detection.

Organisations should also enforce compliance with information storage and transmission standards such as the PCI standard. Visit www.pcisecuritystandards.org

Policies should be put in place and enforced to ensure that computers containing sensitive information are kept in secure locations and accessed only by authorised individuals. Sensitive data should not be stored on mobile devices that could easily be misplaced or stolen. This should be part of a broader security policy that organisations develop and implement to ensure that sensitive data is protected from unauthorised access. Security processes and systems should be regularly tested to ensure their integrity.

Consumers should be aware of how much personal information they post on the Internet, as it can be used in malicious activities such as phishing scams or email harvesting schemes.

Symantec advises users never to view, open, or execute any email attachment unless it is expected, comes from a known and trusted source, and its purpose is known. Users should also be suspicious of any email that is not directly addressed to their own email address.

Organisations should monitor the purchase of cousin domain names by other entities, to identify registrations that could be used to spoof their corporate domains. So-called typo domains and homographic domains should also be monitored, as they may indicate potential phishing websites. Companies that specialise in domain monitoring can help with this; some registrars also provide the service.

A cousin domain name may include some of the key words of an organisation's domain or brand name; for example, for the corporate domain "bigbank.com", cousin domains could include "bigbank-alerts.com", "big-bank-security.com", and so on. A typo domain plays on a mistyping of a name, such as Googel for Google; and a homographic domain plays on characters that look alike to the casual eye, such as the digit 1 standing in for a lowercase l or an uppercase I.
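The three look-alike classes above, as an added example (not the article's or any registrar's tooling) that generates them for a brand and classifies a feed of new registrations against them. It works on the article's "bigbank.com"; the service-word list, the ASCII homoglyph table and the single-label TLD handling are assumptions, and real homograph attacks also use non-ASCII (IDN) look-alikes that the table does not cover.

```python
"""Added example: generate cousin, typo and homographic look-alikes of a
brand domain and classify newly registered domains against them.
Illustrative code; keyword list, homoglyph table and TLD handling are assumptions."""

BRAND = "bigbank"   # the article's example corporate domain is bigbank.com

# Assumed cousin-domain keywords: service words an attacker pairs with a brand.
COUSIN_WORDS = ("alerts", "security", "login", "verify", "support", "online")

# Assumed ASCII homoglyph table (DNS names are case-insensitive, so lowercase
# only). IDN look-alikes such as Cyrillic letters are a superset not covered.
HOMOGLYPHS = {
    "l": ("1", "i"), "i": ("1", "l"), "o": ("0",),
    "m": ("rn",), "rn": ("m",), "w": ("vv",), "vv": ("w",),
    "d": ("cl",), "cl": ("d",),
}


def typo_variants(name):
    """Single-keystroke mistakes: a character dropped, doubled or swapped
    with its neighbour (the article's 'Googel' for 'Google' is a swap)."""
    out = set()
    for k in range(len(name)):
        out.add(name[:k] + name[k + 1:])                        # omitted
        out.add(name[:k] + name[k] + name[k:])                  # doubled
        if k + 1 < len(name):                                   # swapped
            out.add(name[:k] + name[k + 1] + name[k] + name[k + 2:])
    out.discard(name)
    return out


def homograph_variants(name):
    """One look-alike substitution from HOMOGLYPHS at any position."""
    out = set()
    for src, replacements in HOMOGLYPHS.items():
        start = name.find(src)
        while start != -1:
            for rep in replacements:
                out.add(name[:start] + rep + name[start + len(src):])
            start = name.find(src, start + 1)
    out.discard(name)
    return out


def cousin_variants(name, words=COUSIN_WORDS):
    """Brand plus a plausible service word, with or without a hyphen."""
    out = set()
    for word in words:
        for sep in ("", "-"):
            out.add(f"{name}{sep}{word}")
            out.add(f"{word}{sep}{name}")
    return out


def watchlist(brand=BRAND, tlds=("com", "net", "org")):
    """Every generated variant on the assumed TLDs: a list to monitor or
    defensively register."""
    names = typo_variants(brand) | homograph_variants(brand) | cousin_variants(brand)
    return {f"{n}.{tld}" for n in names for tld in tlds}


def split_domain(domain):
    """Lowercase and split off the last label as the TLD. Assumption:
    single-label TLDs; 'co.uk'-style suffixes would need a public-suffix list."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def classify(domain, brand=BRAND):
    """Return 'homograph', 'typo', 'cousin', or None for an unrelated or
    exact-brand registration. Hyphens are ignored when comparing."""
    label, _tld = split_domain(domain)
    compact = label.replace("-", "")
    if compact == brand:
        # bigbank.net is the brand on another TLD; big-bank.com is a cousin
        return None if label == brand else "cousin"
    if compact in homograph_variants(brand):
        return "homograph"
    if compact in typo_variants(brand):
        return "typo"
    if brand in compact:          # any label that embeds the whole brand
        return "cousin"
    return None


def scan(registrations, brand=BRAND):
    """Run classify over a feed of new registrations; return the hits."""
    return [(d, classify(d, brand)) for d in registrations if classify(d, brand)]


# Constructed sample feed standing in for a registrar's new-registration list.
NEW_REGISTRATIONS = [
    "bigbank.com",            # the brand's own domain
    "bigbank-alerts.com",     # cousin (article's example)
    "big-bank-security.com",  # cousin (article's example)
    "bigbnak.com",            # typo: swapped neighbours
    "b1gbank.net",            # homograph: digit 1 for letter i
    "bigbankk.com",           # typo: doubled character
    "smallbank.com",          # unrelated
]

if __name__ == "__main__":
    for domain, category in scan(NEW_REGISTRATIONS):
        print(f"{category:10s} {domain}")
```

The generated lists are deliberately small (one edit or one substitution); commercial monitoring services add keyboard-adjacency typos, multi-label suffixes and Unicode confusables on top of the same idea.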