Prices charged by cybercriminals selling hacked bank and credit card details have fallen sharply as the volume of data on offer has soared, forcing them to look elsewhere to boost profit margins, a new report says.
Researchers for Finjan, a Web security firm, said the high volumes traded had led to bank and credit card information becoming "commoditised" - account details with PIN codes that once fetched $100 (50 pounds) or more each might now go for $10 or $20.
In its latest quarterly survey of Web trends, the California-based company said cybercrime had evolved into "a major shadow economy ruled by business rules and logic that closely mimics the legitimate business world".
Finjan's Israel-based chief technology officer, Yuval Ben-Itzhak, said in a telephone interview that new types of stolen data were now commanding a premium, such as patient healthcare information that can be used for insurance fraud or to illicitly acquire and sell medicines.
Other premium data includes business information, company personnel files and intercepted commercial emails.
MAFIA STRUCTURE
The Finjan report, partly based on contacts the company established with five groups trading online in stolen data, described a Mafia-type cybercrime hierarchy in which bosses operate as business entrepreneurs and typically leave the actual online attacks to underlings.
An 'underboss', or second-in-command, provides the Trojan infiltration software for launching attacks. The workforce that carries these out is paid according to the rate of infections achieved and the country of origin of the infected computers.
'Resellers' then trade the hacked financial data, in the same way that a criminal 'fence' disposes of stolen goods.
In online exchanges with resellers, Finjan researchers were offered a menu of stolen data, with platinum, gold and corporate card details commanding the highest prices.
Sellers promised the data was "fresh" and one even offered a 48-hour guarantee to supply new details if those originally bought were rejected by payment systems as stolen cards.
"It's like in the regular business world - when you buy a good and it doesn't work, you go back and you want to replace it," Ben-Itzhak said.
"It indicates a competitive environment.They need to build reputation, they want to show they're providing high quality data for your money so you can go back and buy from them rather than go to the other groups."
Ben-Itzhak predicted banks, which until now have shouldered the burden of compensating people whose data are hacked, would seek to put some of the onus for security on the customer.
"So far the banks are not mandating the end-ser to have some sort of security on their desktop. They're taking the risk, better to say they're paying the risk, when your account has been compromised," he said.
"However what we noticed recently is the volume increased significantly and the banks are starting to ask the question: did you install something or do you have something running on your desktop.The banks will start to ask questions of the end-users and put some responsibility at least on them."
News
Russia and Ukraine agree to temporary Orthodox Easter truce
In the Orthodox calendar, Easter falls one week after the date celebrated in western Europe.
Bishop urges people of Britain to stand up for Christian truth
It follows an earlier open letter addressed to King Charles, calling upon him to defend Christianity in line with his titles of Supreme Governor of the Church of England and "Defender of the Faith".
Fundraising Regulator reminds churches that collections are subject to code of practice
Churches can breach the code even when acting in good faith.
Religion is often left unspoken in the workplace despite widespread faith identity, research finds
Fifteen per cent of UK employees with a faith say they have experienced religious discrimination in the workplace.