Sunday, March 25, 2007

Phishing Markets

From the Tech.view column in The Economist:

-A complete identity package, including a permanent resident card (or green card) and a social security card, goes for $150 and takes about 40 minutes to deliver.

-Identity theft is one of the fastest growing white-collar crimes in the world. A fresh identity is stolen every four seconds. Some 10m Americans have been victims. The average cost of restoring a stolen identity is reckoned to be $8,000, and victims spend typically 600 hours dealing with the nightmare—plus many years more restoring their good name and credit record.

-A new report from an internet security firm called Symantec says that more than one-half of all the “underground economy servers” used for selling confidential information and captured personal data are located in the United States. The trade in personal data suggests that internet criminals have more or less given up hacking into banking systems and trying to steal databases of customer accounts.

-In the underground marketplace, a credit card with its verification number can be bought for $6 a pop. For buyers in bulk, stolen identities—including bank account, credit card, date of birth and social security details—go wholesale for around $15 apiece, offering a ten-fold mark-up when retailed in MacArthur Park and elsewhere.

-Symantec says that in the second half of 2006 some 6m computers around the world were infected by “bots” (robotic pieces of malicious software), 29% up on the previous six months. Four out of five of them had been attacked by Trojan horses that sniffed out confidential information by logging keystrokes, recording internet sites visited, and reporting the findings to a third party. Other unsuspecting users were redirected to fake websites where they were fooled by phishing scams into parting with their identity details.

Why this sudden upsurge in identity theft? One factor, whether cause or effect, is a growing market in what the industry calls “zero-day exploits”. The majority of security testers agree that the ethical thing to do when they discover a flaw in a computer programme is to give the manufacturer sufficient warning for it to prepare a software patch before going public with the finding. But more and more vulnerabilities are being detected by shady hackers who auction their exploits off to the highest-bidding crooks.

Nasty little zero-day tricks that exploit flaws in popular software go for $20,000 to $30,000 each. A zero-day exploit for Microsoft’s new Windows Vista operating system will fetch anything up to $50,000. A Trojan horse designed for stealing online account information can be snapped up for as little as $5,000.


Related:
Symantec Reports Rise in Data Theft, Data Leakage, and Targeted Attacks Leading to Hackers’ Financial Gain
Anti-Phishing Working Group
