An organized supply chain has developed among the criminals using online attacks to steal credit card numbers and other sensitive data, according to Teros President and CEO Bob Walters.
Security experts have warned about the growing influence of organized crime behind internet crime. A new aspect of that influence - a fairly sophisticated supply chain - has surfaced, Walters said in an interview.
The first step in the online crime chain is an attack and collection phase to steal data such as credit or ATM cards, he said. The next step is verifying whether the card as real, often using an Internet Relay Chat (IRC) service.
Then, thieves use the data by either selling it, taking over a bank account, or creating a new ATM card complete with a magnetic strip, he said. Online gangs will often transfer stolen goods to someone who is paid very little to transfer the goods to another party, who may try to fence the items on the web.
"This is becoming a fairly organized supply chain," Walters said. "It's becoming more automated week by week."
Criminals get between 50 cents to $100 for each credit card or bank account number, so they are driven to efficiency, he added. The organized criminals that handle the final steps of the supply chain call the shots on pricing of stolen data, which is usually based on how easy it is for them to turn the information into profit.
Attackers were using phishing scams to steal confidential information but are switching to spyware such as keyloggers or web site attacks such as SQL injection, he said.
The key to dealing with this problem will be law enforcement apprehending the gangs who head the operations, Walters said.
Companies, meanwhile, need to have multi-level defenses, including strong authentication and strong email and web protection, he advised.
As reported in SC Magazine here, a report from the Chinese National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC) suggests China is increasingly being used to host websites created for phishing scams.