BreachExchange mailing list archives

‘Fullz’, ‘Dumps’, and more: Here’s what hackers are selling on the black market


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 9 Feb 2015 18:37:33 -0700

http://venturebeat.com/2015/02/08/fullz-dumps-and-cvvs-heres-what-hackers-are-selling-on-the-black-market/

While 2014 was certainly terrible in terms of the number and scope of cyber
attacks, the number and audacity of attacks are only going to rise this
year, as has been repeated with alarming frequency at the recent World
Economic Forum.

While many cybercriminals are out to simply steal our information,
satisfied with creating havoc for individuals or businesses, the majority
do it for the money.

The underground economy in which hackers operate is laden with forums, chat
rooms, websites and other communities designed to facilitate, streamline,
and industrialize cybercrime. Taking a look at what gets sold and traded in
these communities can give us a pretty good understanding of what’s most
valuable to hackers — and what we need to focus on protecting.

Credit cards

Credit card information is the most commonly traded commodity in the
hacking economy. This information comes in several flavors, with “CVVs” and
“dumps” being the most popular.

CVV, which you shouldn’t confuse with the three digits on the back of a
credit card, is fraudster language for credit card records that may include
the cardholder name and address, card number, expiration date, and CVV2
(the three digits on the back of a card). CVVs can only be used with online
retailers and are usually available for purchase on one of the underground
marketplaces for less than $10 (for U.S. cards).

Dumps is fraudster language for the raw information on the card’s magnetic
strip, and can be obtained in a variety of ways, including the physical
skimming of the credit card, capturing the data through a point-of-sale
device that has been infected with malware, or hacking into a retailer’s
internal network. Dump data can be encoded onto a fake credit card that
hackers can then use at a brick and mortar store to make purchases. While
prices vary based on specifics such as the type of card and the expiration
date, they’re generally more expensive than CVVs because the payoff is
bigger — hackers can use them to buy goods of higher value than they can
get with a CVV. Dump data for U.S. credit cards costs around $20-80.

On any given day, stolen credit card information in the underground economy
is worth millions of dollars and provides cybercriminals with a steady and
dependable income stream.

Fullz

Fullz is fraudster speak for financial information that includes the full
information of the victim, including name, address, credit card
information, social security number, date of birth, and more. As a rule of
thumb, the more information you have on your victim, the more money you can
make off of those credentials. Fullz are usually pricier than the standard
credit card credential, but still tend to cost less than $100 per record.
Fullz can be cashed out (turning credentials into money) in various ways,
including performing bank transactions over the phone with the required
authentication details in-hand.

Even Dead Fullz, which are Fullz credentials associated with credit cards
that are no longer valid, can still be used for numerous purposes,
including tax refund scams, ordering credit cards on behalf of the victim,
or opening a mule account (an account that will accept a fraudulent money
transfer from a compromised account) without the victim’s knowledge. As
they are harder to cash out, Dead Fullz usually cost around $1-3 each.

PayPal & eBay accounts

PayPal and eBay account records make for popular commodities on the black
market. With its extreme popularity and the fact that its cash-out methods
are universal (as opposed to banks in different geographies, which have
different guidelines), PayPal is a common target for hackers.

eBay accounts facilitate auction fraud, which has been a popular scam
method for many years running. The cost of PayPal and eBay records in the
underground economy differs from seller to seller and can go for as low as
$2 per account, increasing in value depending on whether or not there are
credit cards associated with the account.

Online gamer accounts

In certain underground forums, hackers target online games and cash out by
selling the virtual gold and other unique virtual goods obtained by the
victim’s character for real-world money. Steam accounts (Steam being the
most popular store for PC games) are also sold on the black market and can
be used for cash-outs or simply to gain access to games purchased by the
victim.

The bottom line

Cybercriminals are always on the lookout for new ways to use stolen
credentials for generating income. And because people regularly store
sensitive personal information across various online accounts without
taking the extra measures needed to protect that information,
cybercriminals have plenty to work with. Fighting fraud as a whole is an
uphill battle. Plug one hole, one exploit, and fraudsters will focus their
efforts on a different one. Unfortunately, as long as cybercriminals
continue to steal and then profit from our data, the underground economy
will continue to flourish.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 