When criminals obtain your e-mail address, credit card, or Social Security Number, your information enters an underground economy where it’s sold, bought, and (maybe) eventually used in a crime.
As detailed throughout this series, your data can be harvested by a variety of means—malware, phishing, sniffing, and other attacks. The most common method today uses e-mail, Web, and social networking phishing to trick users into installing malware on vulnerable computers; that malware then links infected mashines together into a botnet. Those systems are scoured for any potentially valuable information, then used to attack others under the control of the botmaster. (Fortunately, such attacks are almost entirely targeted against Windows machines; attacks on Macs have been few and far between.)
However it has been obtained, stolen information is then aggregated and sold in online criminal marketplaces—called “carders”—which function much like eBay. For example, the ShadowCrew site that was busted in 2004 by the Secret Service had an estimated 4000 members and up to 8000 credit cards. Another, carders.cc, was itself hacked last spring, but is still in operation.
Different kinds of data have different values: a credit card number may be worth as little as a few cents; that same number with your name, address, and Social Security number could be worth $30. Such data can be used to perpetrate a full-on identity theft, which can enable the miscreants to take out a mortgage in your name. That can happen years after the theft, since—unlike credit card numbers—SSNs don’t expire until you do.
If your computer is in the botnet, or your Webmail username and password was harvested, either of them could be used in a directed phishing attack, in which messages are sent from your computer or account to your contacts, who are then lulled into clicking links which further expand the network.
A carder who buys financial data on the underground market can convert it to cash through a money mule. Mules are usually recruited through work-at-home job offers for so-called payment transfer agents; they often don’t realize they are committing crimes. If it’s a credit card, they use it to purchase goods or gift cards, which are then shipped to the crime boss. For bank account fraud, money is transferred into the mule’s account by the criminal; it is then sent overseas using a money transfer service.
Other mules are true criminals who know exactly what they are doing. They are recruited to use fake credit cards in real stores to launder the cash. For example, they might purchase large numbers of gift cards using stolen credit cards, then use those gift cards or sell them online. Stolen card numbers are usually tested for validity ahead of time with small, dollar-or-less donations to charities (something to look for in your account activity).
Access to online bank accounts is one of the most valuable items in the criminal underground. As credit card fraud monitoring improves, criminals are turning more towards bank accounts which lack the same automated protection systems. They will log into your account and transfer funds directly to a mule at a scheduled time, who immediately transfers it again (to reduce the chances the transaction will be reversed). There is currently a rash of such attacks on small businesses, whose bank accounts often lack the protections of consumer accounts; they can can decimate a company when it can’t recover the funds.
In one of the most brazen online crimes in history, criminals hacked into the servers of RBS WorldPay, gaining access to debit card accounts. The attackers raised the limits on 44 debit card accounts as high as $500,000 and then issued functional cards to 44 accomplices around the world. Over $9.5 million was stolen in 12 hours using over 2000 ATMs. (The RBS attackers were later caught and convicted).
[Rich Mogull has worked in the security world for 17 years. He writes for TidBits and works as a security analyst through Securosis.com.]