McAfee Uncovers Web Site For Stolen Bank Accounts
The discovery was part of an ongoing effort to shut down illicit Web sites marketing stolen credentials.
Altogether, the Web site listed the names of the financial institutions, along with the dollar figure contained in each account and the requested price for each account.
On average, the going price appeared to be anywhere between 8 and 10 percent of the balance in the account.
"It happens to every bank that's out there," said Dave Marcus, security research and communications manager for McAfee Avert Labs. "This is a very productive method of crime. It's relatively risk free, and it requires very little effort on the part of the cyber criminal."
Quality and branding also appeared to have an impact on account pricing. The cost of an account from a major U.S. financial institution, such as Bank of America or Citibank, typically ran higher than that of accounts from credit unions or more obscure foreign banks. For example, a multi-currency account containing 2,612 euros from Washington Mutual was advertised at around 500 euros, while an account with 23,200 euros from Caja de Ahorros de Galicia bank in Spain was priced at about 1,200 euros.
"For such prices, the seller offers some guaranties," said Francois Paget, senior virus research engineer for McAfee Avert Labs, in a blog post. "For example, the purchase is covered by replacement, if you are unable -- within the 24 hours -- to log into the account using the provided details."
Researchers could not immediately determine if the accounts were personal or corporate, but said that the nature of the account ultimately mattered little to criminals buying and selling the information.
"The actual price of the login varies by balance," said Marcus. "The higher profile banks go for more. We don't know if they're corporate or individual accounts. But we have to think about it as a regular banking user. The cyber criminal is not looking at it from that perspective."
In addition to bank accounts, the site also offered credit card identities and numbers, including expiration dates and Social Security numbers, from the U.S., Australia and Spain.
"Depending on the price, you can choose your bank among various lists; more than 900 choices for North America or European countries," said Paget, who first detected the illicit Web site. "And to convince prospective clients, the site offers free data to demonstrate their know-how."
McAfee couldn't comment specifically as to whether an investigation was underway regarding the site. However, Marcus said that the company "always works with law enforcement" and other worldwide agencies such as Interpol to investigate identity theft issues and other cyber crime.
"I would hope these guys are hunted down and brought to justice," said Marcus. "The takeaway is that it's a different world of crime than it was five years ago. This is the way it will be for a long time, and you really have to make sure you're doing your due diligence."
Yet apprehending cyber thieves, let alone prosecuting them, is often easier said than done. Marcus said that black-market Web sites advertising sales of identities often use extremely long and complex URLs in order to discourage users from "accidentally" stumbling upon them. Cybercriminals will then distribute the site addresses to members of these underground economies, Marcus said.
And this is hardly an isolated case. Experts say that sophisticated underground cyber economies, spanning the globe, have developed in the last two to three years to organize and manage the sale of identities and data, in addition to using it for criminal purposes.
"There's an entire stratified, specialized, growing economy for data itself," said Peter Cassidy, secretary general of the APWG (Antiphishing Working Group), a cyber security organization. "It's an economy with different kinds of specialties happening between all the different groups."
"They sell the data into that economy. It kind of drives itself," he added. "You don't have to be a phisher. You can be a data miner."
While these types of economies have grown significantly both in the U.S. and across international borders, research suggests that the problem might have reached an apex and could be on the downswing. A February Javelin Strategy and Research Survey indicated that the number of adult U.S. victims of identity fraud decreased from 10.1 million in 2003, to 9.3 million in 2005, and subsequently to 8.4 million in 2007.
Meanwhile, the mean fraud amount per fraud victim decreased from $6,278 in 2006 to $5,720 in 2007. In addition, the average resolution time, which was at a high of 40 hours per victim in 2006, was reduced to an average of 25 hours per victim in 2007.
Cassidy said this downward trend could be attributed, in part, to businesses tightening up fraud detection protocols, as well as users becoming more aware of the problem and applying best practices to address it.
"A lot of (fraud detection) is very sophisticated and very penetrating and conclusively powerful in stopping transactions from going through," said Cassidy. "It's just taking longer for industry to get their hands around all the loose ends."