Threat Management

Research examines cost of stolen data, underground services

A security firm has examined underground marketplaces to track the asking price for stolen data and services, as well as what black market goods have diminished in value over the years.

According to Symantec, which published research on the topic Wednesday, prices have dropped substantially in recent years for stolen email account information, while credit card data continues to command about the same value.

In 2007, for instance, stolen email accounts sold for $4 to $30 on the underground, while today, scammers can purchase 1,000 email accounts for just $0.50 to $10, Candid Wueest, the author of the blog post wrote.

Stolen credit card information, however, “has not decreased in value in recent years,” Wueest noted.

“In 2007, this information was advertised at between $0.40 and $20 per piece,” he wrote. “How much you pay can depend on a number of factors, such as the brand of the card, the country it comes from, the amount of the card's metadata provided, volume discounts, and how recently the card data was stolen.”

Today, he added, the price range for such data falls between $0.50 and $20, often dropping in cases where fraudsters trade in bulk volumes. Stolen card information is in some instances used to pay for vouchers and online gift cards,  which are then sold for “50 to 65 percent of the nominal value,” Wueest noted of the extending scams.

“Cybercriminals can also sell hotel, airline, and train tickets for approximately ten percent of the original asking price. Of course, this is very risky for the people who buy these tickets. Recently, 118 people were arrested in a global operation on suspicion of using fake tickets or obtaining stolen card data to purchase airline tickets. The airline industry believes that fraudulent tickets are costing it around $1 billion annually,” the blog post said.

Among stolen data for sale in underground marketplaces, Symantec observed that credentials for gaming accounts fetched a higher price, on average, than other frequently obtained items, like scans of passports ($1 to $2), stolen cloud accounts ($7 to $8), email accounts and credit card data. Stolen gaming accounts typically sell for $10 to $15 a piece, the firm found.

In a Thursday interview with SCMagazine.com, Satnam Narang, senior security response manager at Symantec, said that often scammers “get that [stolen] account to drop a specific item,” into their own personal accounts, “or [they] just might want to take it over and use it for [themselves].”

“A lot of times it is information-stealing trojans that are responsible for accessing this data or stuff online that might be related to these games,” Narang added.

At the start of the year, a trojan targeting World of Warcraft players, likely due to the virtual currency and accessories associated with gaming accounts, was identified. It was revealed that the trojan was built into a fake version of Curse Client, an add-on manager for a number of popular online computer games, including World of Warcraft, Minecraft and Skyrim.

Outside of stolen data, blog post author Wueest noted that the highest priced items on the underground were attack services, which include drive-by download web toolkits (rented for $100 to $700 per week), online banking malware SpyEye (sold for up to $1,250 for a six month lease) and distributed-denial-of-service (DDoS) attacks (fetching as high as  $1,000 per day). 

It's worth noting that medical information is often among the highest priced stolen data on black markets, past research has found. A health record is sold on average for $50 on the black market, while a stolen Social Security number can cost as little as $1.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.