Buying personal information in the deep web
The criminal underground
Before starting our quick tour in the criminal underground to collect information on the principal items and services offered for sale and rent, lets clarify some useful concepts.
What is the underground ecosystem?
The term underground ecosystem is usually used to refer a collection of forums, websites and chat rooms that are designed with the specific intent to advantage, streamline and industrialize criminal activities. The underground ecosystem represents a portion of cyberspace that is considered vital for criminal communities, where criminals can acquire and sell tools, services and data for various kinds of illegal activities.
Hands-on threat intel training
Recently a team of experts from Dell SecureWorks released a report on black hat markets, titled "Underground Hacker Markets", which reported a number of noteworthy trends, the most interesting of which is the growing interest in personal data. Criminal crews are offering any kind of documentation that could be used in sophisticated frauds. Passports, driver's licenses, Social Security numbers and even utility bills are commonly exploited by hackers as a second form of authentication by service providers. For this reason they are purchased by criminals in the underground.
"The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver's licenses … It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud," states the report published by Dell SecureWorks.
For criminals who desire to acquire a new identity for illegal activities, the underground market offers identity packages that include passports, drivers licenses and social security cards, practically anything necessary to commit identity theft.
One of the most important concepts facing cyber criminal communities is the cashout, a term used to indicate the methods used by bad actors to monetize their efforts, as identity theft "crimes" are made up of two major phases:
- The access to victim's credentials
- The "cashout," to turn stolen sensitive data into money.
Sensitive information could be obtained in different ways, including malware-based attack, phishing campaigns, and by hacking into online merchants' databases. Sensitive data could be also obtained through real-world activities like credit card skimming.
In this article, I'll focus the analysis on the personal information exchanged by criminal crews in the Deep Web, and in particular through hidden services in the Tor Network. The personal information that I'm searching for are:
- Credit cards
- Bank logins and PayPal accounts
- "Fullz"
- Online account credentials
- Personal Data and Documents
- Gaming credentials
The value of personal information
Credit cards
Credit card data are considered by security experts to be the most commonly traded commodities in the underground economy. When searching for stolen credit card data, it is possible to find two types of offers for this kind of good, "dumps" and "CVVs."
The term CVV is an abbreviation for card verification value. In the criminal ecosystem it refers to a credit card record that includes the cardholder's data such as the name, the address, the card number, expiration date and the CVV2.
A dump is the raw information on the magnetic strip that is collected through real-world skimming. Typically it is used to clone the legitimate card by copying the data onto a fake credit card.
While stolen card data can only be used with online merchants, dumps can only be used in a physical store to purchase any kind of product.
The price for both dumps and CVVs depends on numerous factors, such as the type of card, the expiration, the country of the cardholder, the seller and many others. Usually dumps have a higher price with respect to the CVVs because the payoff is bigger; a cyber criminal can buy expensive goods to rapidly cash out them. Typically CVVs cost less than $10, while dumps can go as high as several dozens of dollars.
No doubt, when searching for stolen card data it is quite easy to find online the name Rescator, one of the most important players in the underground community that provides any kind of goods related to the card.
By accessing to the popular online marketplace operated by Rescator, users can easily buy dumps using its friendly interface. Just select a country, the dump type (VISA, MasterCard, AMEX, etc.) and the type of card to retrieve a list of results ready for your bulk order.
As shown in the image below, users can also buy dumps by filtering by expiry date and banks; this information is very useful to a buyer to acquire data for sale or to use the stolen data to target users in a specific geographic area.
As expected, the prices are variable. Most expensive dumps are related to US cards, where prices range from just over $5 up to several tens of dollars. Prepaid debit card dumps are very cheap, and dumps having a close expiration date are sold for a few dollars.
Figure 1 - Rescator Website - Searching for CANADIAN DUMPS
When searching for CVVs in the Tor network, it is possible to find several websites that offer this precious commodity. On crimenetwork.biz (http://crimenc5wxi63f4r.onion/), for example, there are offers proposed by several operators who sell this kind of goods. Typically, these sellers also operate on other carding forums. By analyzing different black markets, it is possible to track a profile for the most popular operators and retrieve significant information about their reputation through the feedback related to their activities.
The following list is an example of goods and prices proposed by one of the operators specializing in the sale of stolen card data:
===> Prices for fresh Credit Card (CC, CCV, CVV2)
- US (Visa/Master) = $6 per 1
- US (Amex, Dis) = $7 per 1
- US Bin = $15, US Dob = $15
- US fullz info = $25 per 1
---------------------
- UK (Visa/Master) = $14 per 1
- UK (Amex, Dis) = $22 per 1
- UK Bin = $25, UK Dob = $25
- UK fullz info = $35 per 1
---------------------
- CA (Visa/Master) = $15 per 1
- CA (Amex) = $20 per 1
- CA Bin = $20, CA Dob = $20
- CA fullz info = $35 per 1
---------------------
- AU (Visa/Master) = $18
- AU (Amex, Dis) = $20 per 1
- AU Bin = $20, AU Dob = $25
- AU fullz info = $30 per 1
---------------------
- EU (Visa, Master) = $25 per 1
- EU (Amex, Dis) = $30 per 1
- EU Bin = $30, AU Dob = $35
- EU fullz info = $45 per 1
- Italy = $20 per 1 (fullz info = $35)
- Spain = $20 per 1 (fullz info = $35)
- Denmark = $25 per 1 (fullz info = $35)
- Sweden = $20 per 1 (fullz info = $35)
- France = $20 per 1 (fullz info = $35)
- Germany = $20 per 1 (fullz info = $35)
- Ireland = $20 per 1 (fullz info = $35)
- Mexico = $15 per 1 (fullz info = $30)
- Asia = $15 per 1 (fullz info = $30)
Figure 2 - Stolen card data offered on Tor forum
Bank logins and PayPal accounts
Bank logins are another very popular commodity in the criminal underground. Compromised bank account information could be collected by infecting computers of victims with specific malware or through phishing campaigns. The price for compromised bank account information in the underground market depends on various factors, such as the account balance (wherein many instances the price is a percentage of the balance), the bank, and any insurance on their validity.
It is easy to find bank logins in black markets such as the Nucleus Market (http://nucleuspf3izq7o6.onion). In the following image a seller is offering a Wells Fargo bank account with a balance ranging from $200-1000 for $15 USD.
.
Figure 3 - Wells Fargo bank account
Another very popular item in the criminal underground is compromised PayPal accounts. PayPal accounts are very useful for criminal crews because they are usually used for the cashout process. Also in this case we can find the prices to be very different depending on the amount of money available in the account, its age and the country of the owner. The prices could vary from a few dollars for a hacked US PayPal account, up to a few dozen dollars for a verified account with either a credit card or bank account linked. A Business PayPal account with zero Balance could be sold for nearly $10 USD.
Figure 4 - PayPal account offer
Figure 5 - Hacked PayPal account for cashout
"Fullz"
The term "Fullz" is used to indicate another type of financial credential traded in the underground markets. It is a hacker terminology for the full information on a victim, which includes the name, the address, the social security number, the credit card data, the date of birth, the mother's maiden name, driver's license number and more. This information is used by criminals to impersonate victims in more complex scams. Information included in a Fullz could be used for example in a takeover of the victim's online accounts, as usually the information allows hackers to reply to the answers used in password recovery procedures implemented by many online services. As a rule of thumb, the more information you have on your victim, the more money you can make out of the credential. Due to the importance of such kind of goods, Fullz are usually sold for higher prices than the standard credit card dumps.
"This type of credential can be cashed out in a number of ways, such as using a bank's telephone service while posing as the victim, doing a 'change of billing' and ordering credit cards, applying for loans and more. Even 'Dead Fullz,' which are 'Fullz' credentials that are no longer valid, can be used for things like opening a 'mule account' on behalf of the victim and without his or her knowledge," wrote Omri Toppol in a blog post published on Security Affairs.
Prices for Fullz vary on a number of factors. UK and US citizen data could be acquired in lots with a cost that ranges from $5-10 USD up to $40 USD for very specific profiles.
Figure 6 - Fullz available in the Nucleus marketplace
Online account credentials
Online account credentials are another type of information sold in almost every underground market and hacking forum.
The credentials that are most in demand are those relating to Amazon, Apple, Email, eBay, Facebook, Twitter and Instagram services. eBay accounts are very popular among criminal communities because are used to facilitate auction fraud, which is a very common scam method. Meanwhile, social media accounts are used for phishing campaigns.
Online accounts are basically used for two main purposes:
- Cashout processes
- Sophisticated scam schemes.
Apple, Amazon and PayPal accounts are usually used by criminal crews for cashout processes, it is very common to use them to transfer money to accounts managed by money mules or to purchase expensive goods, like electronic devices and luxury objects.
When searching for these products in several underground black markets, it is possible to find different prices. Account credentials could be sold for a price that ranges from $5 USD up to $80-100 USD. The most expensive account credentials I have found are Facebook credentials; in some cases they are sold for $50 USD for a single account.
Stolen email account credentials are very popular in the hacking forum, typically the seller proposes them in lots of 100, 1000 and 10000 units that are sold for a price that goes from $50 up to $500 USD.
Sometimes the sellers guarantee the validity of the email address, which has been probably hacked through malware based attacks or phishing campaigns.
Figure 7 - Amazon account (Nucleus black market)
Figure 8 - Amazon account (Black Bank black market)
Personal data and documents
We have seen that in the underground marketplace, it is possible to acquire a working Social Security card, name, and address for $250. In some cases, it is possible to pay an extra fee of a few dozen dollars to buy a utility bill to use in identity verification processes. Among most popular goods in the underground, there are counterfeit documents, including non-US passports, which are available for a cost between $200 to $1000. Usually it is very hard to find US passports because US law enforcement is believed to infiltrate the hacking community, making their commercialization risky. Fake US driver's licenses run for $100-$150, meanwhile counterfeit Social Security cards run between $250 and $400 on average. In both cases, these documents could be used to improve efficiency of fraud schemes.
Figure 9 - Fake documents (Passports and ID)
Figure 10 - Professional Certificate to work in the EU
Gaming credentials
Other goods that are becoming popular in the criminal underground are gaming credentials, as they are used as a cashout mechanism. Once purchased, the account the criminals sell virtual gaming goods and features to monetize their efforts. Criminals convert virtual gold and unique virtual goods obtained by the victim's character for real-world money. The most popular online platform for gaming is Steam; for this reason Steam accounts are becoming a precious commodity in the underground market. Recently security experts have also discovered extortion attempts to the owners of the stolen credentials.
Figure 11 - Minecraft account
Conclusion
In this brief tour of black markets and hacking forums hosted in the Deep Web, we found that the offer for personal information and online service accounts is very articulate. The principal communities of online criminals are offering a growing number of services and goods that advantage illegal activities.
Monitoring the criminal ecosystem is crucial for investigators and security experts who gather valuable information for their investigations. Periodically, we will evaluate developments in the markets analyzed in this report in order to study the trends in criminal communities.
Hands-on threat intel training
Sources
In this Series
- Buying personal information in the deep web
- Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
- Dependency confusion: Compromising the supply chain
- BendyBear: A shellcode attack used for cyberespionage
- ATP group MontysThree uses MT3 toolset in industrial cyberespionage
- BlackBerry exposes threat actor group BAHAMUT: Cyberespionage, phishing and other APTs
- Top 9 cybercrime tactics, techniques and trends in 2020: A recap
- KashmirBlack botnet targets WordPress, Joomla and other popular CMS platforms
- BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
- Linux security and APTs: Identifying threats and reducing risk
- Top 6 ransomware strains to watch out for in 2020
- 2020 Verizon data breach investigations report: Summary and key findings for security professionals
- How hackers use CAPTCHA to evade automated detection
- The State of Ransomware 2020: Key findings from Sophos & Malwarebytes
- Dark web fraud: How-to guides make cybercrime too easy
- Top 6 malware strains to watch out for in 2020
- Top Cybersecurity Predictions for 2020
- Malware spotlight: What is click fraud?
- What does dark web monitoring really do?
- ThreatMetrix Cybercrime Report: An interview
- Are dark web monitoring services worth it?
- Cybercrime and the underground market [Updated 2019]
- Verizon DBIR 2019 analysis
- Common causes of large breaches (Q1 2019)
- The Magecart Cybercrime Group Is Threatening E-Commerce Websites Worldwide
- Russian Cyberspies Target 2018 U.S. Midterm Elections
- The Increasing Threat of Banking Trojans and Cryptojacking
- Leaders’ Meetings: A Privileged Target for Hackers
- Fraud as a Service (FaaS): Everything You Need to Know
- All about SamSam Ransomware
- The Decline of Ransomware and the Rise of Cryptocurrency Mining Malware
- Mechanics Behind Ransomware-as-a-Service
- The Art of Fileless Malware
- ZLAB MALWARE ANALYSIS REPORT: RANSOMWARE-AS-A-SERVICE PLATFORMS
- Which Are the Most Exploited Flaws by Cybercriminal Organizations?
- 5 New Threats Every Organization Should be Prepared for in 2018
- Memcrashed: The Dangerous Trend Behind the Biggest DDoS Attack Ever
- Open source threat intelligence tools & techniques
- Global Cost of Cybercrime on the Rise
- An Enterprise Guide to Using Threat Intelligence for Cyber Defense
- The Five Largest Ransomware Attacks of 2017
- Intellectual Property Crimes in the Dark Web
- Top 5 Smartest Malware Programs
- Is Russian Intelligence Using Tainted Software to Access Corporate and Government Networks?
- Vault 7 Leaks: Inside the CIA's Secret Kingdom (July-August 07)
- DragonFly 2.0: The Alleged Nation-State Actor Hits the Energy Sector Again
- Russian APT Groups Continue Their Stealthy Operations
- Massive Petya Attack: Cybercrime or Information Warfare?
- SAP SECURITY FOR CISO: SAP Attacks and Incidents
- Role of Threat Intelligence in Business World
- WikiLeaks Vault 7 Data Leak: Another Earthquake in the Intelligence Community
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Threat Intelligence
Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more
Threat Intelligence
Threat Intelligence
Threat Intelligence
ATP group MontysThree uses MT3 toolset in industrial cyberespionage