You may have heard of the Adobe hack, which was announced at the beginning of October. At the time, Adobe estimated that almost 3 million personal details had been compromised. Just a few days ago the company said that hackers had gained access to 38 million encrypted accounts, including credit and debit card details.
Clearly it can take some time from the point of a company discovering that its servers have been hacked to establishing the detail and scale of the attack. Some companies, often smaller ones, might not even know that their servers have been compromised.
On the deep web a hacker is currently selling access to three hacked servers in the US for $180. The going rate is usually $100 for each server, says the seller, so it’s clearly a bit of a bargain. A buyer could use the servers to launch phishing attacks, create fake login details, host pictures or launch attacks on other servers.
Data smash and grab
Hackers thrive and survive on the critical period of time between their data smash and grab and its discovery. This is when the credit and debit card details, and other information, go up for sale on the deep web and are bought and used. There are a large number of deep web sellers offering these details for sale and, as in any thriving marketplace, they vie with each other for business.
‘Fresh dumps’ is one particularly common ‘marketing’ phrase. It basically means that credit/debit card details have just been lifted from somewhere and they’re fresh, that is, it’s just happened and as yet it’s undiscovered. You’ll also find claims to longevity on the part of the sellers. Basically, they’re saying, ‘We’ve been in this business a long time so you can trust us.’ One site claims: “We get new lists every day! 80%+ working guarantee, we will replace if more than 20% dont work!”
The seller offers the guarantee because some hacks are quickly discovered and the card details that have been exposed are quickly withdrawn by the issuers, rendering the cards useless. Note, though, that the site claims new information every day. In this particular case it is also referring to PayPal and eBay accounts that are live and have money sitting in them.
Industrial scale sales
Buyers have a number of options. Card details are often sold on an industrial scale and supplemented by other services such as the means to create the plastic. The card numbers, including start and expiry dates, and security codes are embossed onto the cards along with the requisite logo. These cards are then sold into the black market. They obviously have a limited shelf life and will only be useful up until the point it’s discovered that the card numbers have been hacked.
Some buyers will simply use the credit card details to hit as many online stores as possible in as short a period of time as possible. Another option that some people on the deep web employ is to set up their own online store and then trade with other people who use the deep web. For example, there is one particular operation that brands itself ‘In People We Trust’. Essentially, it’s a site that offers customers the opportunity to buy anything from Amazon at half the listed retail price.
Half price Amazon goods
Here’s what it says on its front page: “We are delivering goods by our customer orders. All products are half the price (3-5 day EU and USA shipping is included). You can choose anything from any Amazon and we will provide You with that product for 50% of the retail price. Apple, Samsung, Sony, LG, You name it! Our prices (some might be outdated):”
The price list goes on to offer, for example, an iPhone 5s 64GB at $500 (usually about $1,000) and an iPhone 5 64GB for $300 (typically retails at $600) along with other products, many of them other popular Apple devices. The operators claim to have been in business over a year. Because the deep web is populated by hackers, fraudsters and various types of skanksters, it’s a given that trust is not very high.
To get around this, sellers offer escrow payment services where payment is held by a third party until the goods are delivered. Fraudsters are quickly discovered and their sites will often become the target of attacks. The site that offers half price Amazon goods could be scooping up stolen credit and debit card details and using them to make ‘legitimate’ purchases from Amazon and then passing on the goods to the deep web buyers. Whether they’re hacking or buying the card details is not known. You’ve probably already noticed that the website owners’ use of English suggests it’s not their first language.
Online and identity theft protection
At the other end of the deep web scale you’ll find individual cards for sale with detailed descriptions such as ‘this belongs to a Greek man’ or ‘this card was owned by a Bulgarian woman.’ These types of ‘offers’ are probably the result of opportunistic theft as opposed to the industrial scale of hacking that happened at Adobe and a raft of other companies.
The hacking of cards does reveal that the theft of credit and debit card details is in itself an industry and one that is not constrained by geographical boundaries. And without wishing to alarm, but by implication, it also suggests that we all need to practice identity theft protection. As Paul Hawkes, a London-based investigator with long experience of identity theft, recently said: “If you have your personal details stolen, it’s nothing personal, it’s simply business for the thieves. But you do need to do all you can to protect yourself.”
Posted by Steve Bell