The value of your credentials

As surprising as this may sound, earlier this year stolen Twitter credentials were valued at almost $1,000. When compared to credit card details that fetch less than $1, why do Twitter credentials command such large sums? The following article gives a quick glimpse into the stolen credentials market, how credentials are bought and sold in underground markets, and just how criminals turn them into cash.

The fall of stolen credit cards
At the turn of the century, eCommerce and online services took a steep climb. Taking a ride to the bank in order to transfer funds from one account to another (during normal business hours) was replaced by a click of the mouse within the confines of your home, at the local coffee shop or from the airport on the way to catch a flight (at any time of the day). Application functionality soared, allowing anyone to become their own travel agent and avoid the long summer lines.

As the availability and ease of use of online functions rose, users became accustomed to purchasing services with their credit card number. The volume of credit card details passing over the network and stored in online locations accessible from external sources was too much bait for criminals to pass up. Criminal activity on this front sky-rocketed, as shown by research conducted on logs of IRC channels between participants of online black markets over a 7-month period during 2006.

This research showed that of all (illegally) exchanged data marked as “sensitive”, the vast majority consisted of credit card numbers. The asking price for a compromised credit card number ranged between $1 and $25 (depending on the size of the credit line associated with it). Most of the other “sensitive” data consisted of identifying details such as addresses, names and expiration dates, all of which aid in the processing of a credit card transaction. During that period, various user credentials (account names and passwords) were also seen passing through the channels, but these were relatively scarce.

Two years later, a Symantec report showed that stolen credit cards comprised 32% of all goods and services available for sale on underground economy servers. Due to massive data breaches, stolen credit cards became widely available and, as a result, the face value of individual credit card records decreased.

Credit card numbers were sold for as little as $0.06 per card when sold in bulk. Bank account numbers (actually identifying debit cards) followed behind stolen credit cards, fetching as low as $10 per account number. These numbers are easily explained. Not only were stolen credit card numbers the main “commodity”, but monetizing credit cards is not as easy as it may sound.

Monetizing on credit cards
In order to monetize credit cards, several factors must be taken into consideration. First, additional identifying information, such as the name and expiration date, is required to complete a transaction. Furthermore, CVV2 numbers are usually requested during an online purchase. According to PCI regulations, CVV2 values are not allowed to be stored at consumer sites, so these values are sold separately from the credit card numbers.

Finally, the criminal needs to make a real purchase and then sell the goods in order to cash out. Alternatively, credit cards can be monetized by manufacturing real plastic cards with the stolen number. The manufacturing and distribution of these stolen cards entail additional hardware expense, complexity and risk.

As anti-fraud mechanisms are set up to detect illegal activity, and given that many purchases leave a digital trail, criminals seek other creative ways to cash in on credit cards. One such way is for a criminal to register at a gambling site, such as an online poker site, under two accounts.

The first account is attached to the illegal credit card, while the second is attached to a legal card that can be cashed out directly by the culprit. Both accounts, under the same user, play at the same table, one against the other, while the “illegal” account loses to the “legal” account.

The credit card company sees that the illegal card was used at a gambling site but cannot track the criminal, who has meanwhile received the funds. Other alternatives include stock manipulation through online trading sites (which allow registration with credit cards) or generating fake transactions between two parties controlled by the culprit in applications such as PayPal, eBay and the like.

Although bank account numbers are sold for a relatively high sum, monetizing bank account numbers is not simple either. Either an individual must appear in person at the bank and present other identifying details, or, given an ATM PIN, a plastic card must be manufactured while the criminal evades security measures.

Whether using the stolen cards physically or over the Internet, criminals take cautionary steps to avoid detection of their fraudulent activity. These steps mean purchasing, or transferring sums, only in small amounts over a long period of time, so attackers look for alternative methods and seek out more profitable data.

The rise of online credentials
In contrast to 2006, the 2008 report already showed a remarkable black market shift: email accounts were the third most available virtual good for sale. Furthermore, on the low end, online credentials were going for $0.10 a credential, already higher than the price of a credit card!

Online credentials are username/password combinations used to gain access to different Internet applications, whether a social networking application, a bank account or a health-provider service.

Credentials to an online banking service allow the attacker to transfer funds from the victim’s account to accounts controlled by the criminal (or, most often, to the account of a money mule collaborating with the attacker). However, such transfers require a higher level of sophistication in order to avoid detection by the anti-fraud mechanisms deployed at banks.

Stolen accounts to health-provider services may be used for prescription drug trading or for compromising health information. The latter can be used in blackmail operations, targeted sting operations or even for sale as “targeted” marketing data for the healthcare market.

Of particular interest to attackers are credentials for webmail applications. First, once a webmail account is hacked, the criminal can scrape the victim’s address book and use those addresses in spam lists. Taking it a step further, the criminal can send phishing messages from the compromised account, lending them more credibility and increasing the success probability of the scam.

Stolen webmail accounts may further allow the compromise of other credential sets through the password recovery feature of applications. This feature usually sends the credentials of an online application to an email account designated by the owner upon registration. Sifting through the online underground channels, we see that not all webmail credentials are considered equal on the black market.

The credentials to a Hotmail account may fetch a mere $1.50, whereas a Gmail account may fetch more than $80. The latter is probably due to the wide variety of other cloud services that can be accessed through one’s Gmail credentials. These include anything from personal or corporate Google Docs through corporate Google Analytics and even Webmaster Tools.

Also worth mentioning is the fact that the credentials a person uses for one application will most probably serve that person on other applications as well. This is driven by human nature and the limited ability to remember multiple credentials. Thus, it is not uncommon for people to use the same username and password for their Facebook account, their Twitter account and their airline frequent flyer account. This is especially true for applications that encourage (or even instruct) their registrants to use their webmail address as the application account name.

Stolen credentials for social applications are nowadays considered of the highest value, as described at the beginning of the article. Credentials to these social applications fetch a high sum according to the popularity of the application. For example, the credentials to a Facebook account may fetch a higher price than those of a less popular social application devoted to some niche community, as the hacked account may reach more users. To complete the picture, the amount a social network account may fetch rises with the “popularity” of the account in question.

This means that a Twitter account with hundreds of followers will be worth more than a Twitter account with just a dozen followers. The inherently viral behavior of social networks, together with real-time updates in search engines, makes stolen social network accounts the most valuable. Recently a hacker posted to a black market forum the option to purchase 32 million username/password combinations for different webmail accounts, obtained by exploiting a vulnerability in a site.

The cyber-criminal’s marketplace / Honor among thieves
Needless to say, cyber-criminals need a place to sell and buy their online goods. Most of the online activity takes place in underground forums and IRC channels, although other private channels such as IM are also used. In this article we focus on the main marketplaces: underground forums and IRC channels. Separate forums exist for just about any type of malicious online activity, such as viruses, botnets, phishing, credit card numbers or webmail credentials, to mention just a few. Similarly, IRC channels exist for each of these topics and others.

In an underground forum model, a user is required to log in to the forum. Each forum has an administrator who manages the forum and is responsible for managing the users’ trustworthiness scoring system. This is done through the administrator’s “sticky threads” mechanism, which defines the priority of a user’s messages.

Positive “sticky threads” place the user’s message at the top of the message queue, or keep the message in the forum for a longer time period. De-prioritizing “sticky threads” pull messages towards the end of the queue, or expire the user’s messages altogether. “Sticky threads” are based both on bribery of the forum’s administrator and on a reputation-based system. Bribery may include a small subset of the goods for sale (for example, a sampling of the stolen credentials) or a “commission” on the sale of the goods. The reputation-based system relies on feedback from other forum users. A user who has performed successful past transactions is considered reliable and thus gains her “sticky thread”.

However, a user who does not deliver goods upon payment is quickly tagged as a “ripper”. The payer may then complain to the forum administrator, who decides whether to change the ripper’s “sticky thread” or even ban the ripper from the forum altogether. Messages are posted to the forum by any logged-in user and are public, meaning that any logged-in user can read them. When a reader is interested in the contents of a post, a “match” is made and the reader contacts the individual who posted the message at a private online location external to the forum (e.g. IM).

While the underground forum only establishes the initial match between the buyer and seller to proceed with dealings outside of the forum, IRC channels provide the complete marketplace. Matches are made and transactions are performed all within the IRC channel.

These marketplaces are considered more secretive than underground forums, as they are not indexed by search engines. While forums are picked up by search engines, it is not possible to “hit” an IRC channel via a search engine. Rather, IRC channels are known by word of mouth. In this model, the interested IRC user (buyer or seller) connects to an IRC network via a server.

Once connected, the user chooses the channel she is interested in joining. It is assumed that a user who has learned of the existence of a particular IRC channel is a serious participant rather than a mere lurker. However, different channels also employ reputation-based systems similar to those found in the underground forum model. The IRC user may follow a public conversation and may join in at any moment. If there is a “match” during the conversation, both parties may then communicate over a private one-on-one IRC room. It is in those private IRC rooms that the deal between the parties is made.

Regardless of the marketplace, the parties in play are all similar. In the case of online credential sales, a single transaction suffices, namely between the seller of the credentials and the buyer. This scenario is slightly more complex in the case of credit cards, as an additional party is required to cash out on the card, as described in the section “Monetizing on credit cards”.

Once a buyer obtains the database of credit cards, she re-enters the marketplace, this time to seek the user who can cash out on the cards, for example a plastic card manufacturer. We have seen that in these cases the buyer of the stolen credit cards and the user who monetizes the cards split the earnings on a 40%-60% basis, such that the buyer receives 40% of the earnings while the user who took the higher risk by monetizing the cards receives the larger share.

The different marketplaces also use the same currency. In the cyber-criminal underground marketplaces, online payment services as well as offline monetary transfers are used according to the buyer’s and seller’s preferences. The current underground trend is to use Liberty Reserve and WebMoney as online payment services. Western Union and MoneyGram are the more commonly used services for cash transactions.

You wouldn’t knowingly publish your credit card details to an unknown source, and it’s about time you afforded your online usernames and passwords the same protection. As long as criminals are able to use your online persona to generate an income, they are going to keep doing so.

Once application credentials have been stolen, they will be used for different malicious activities, ranging from performing online banking transactions to harvesting additional addresses, to use as a stepping stone to other application accounts. We believe that this trend has only just started to pick up and still has much room to grow before reaching its peak, after which hackers will latch on to their next data source.
