While the big data breaches at Target, Neiman Marcus and Michaels have drawn heavy news coverage, the everyday machinations of various specialists in the cyberunderground remain out of sight and out of mind to most people.
News flash: the cashing in of stolen consumer data carries on every hour of the day, and this has been taking place at a pervasive level since about 2004.
Mark McCurley, information security advisor at consultancy Identity Theft 911, says that cybercriminal gangs from Cyprus, the UK and India are known for purchasing stolen credit card numbers on the black market and making fraudulent $9.84 charges. By staying under $10, the thieves hope consumers won’t notice or report the fraudulent charge.
“This seems like a run-of-the-mill stolen card scam,” says Cameron Camp, a researcher at security tech firm ESET. “The idea is to keep the scam running under the radar for as long as possible with a series of tiny transactions designed to avert suspicion.”
The amount of $9.84 “is low enough that a busy person may not spend the hours required following up on support lines or reporting it to their banks,” adds Alisdair Faulkner, chief products officer at consultancy ThreatMetrix. “It’s a variation of the Superman III hack where Richard Pryor’s character siphons the half cent reported on employees’ paychecks; this can add up.”
What makes the Cypriot, British and Indian scammers distinctive is their diligence in purchasing dozens of domain names, then creating dummy websites that appear credible. With that infrastructure in place, they have been using stolen payment card numbers, likely purchased in the cyberunderground, to make successions of small charges.
Anyone can buy 10,000 stolen payment card numbers in online forums where stolen data, malicious software programs and a variety of other illicit goods and services are sold in eBay-like exchanges.
A different group of specialist data thieves could have obtained the payment card data by stealing information directly out of a breached database or by electronically copying magnetic stripe data from a compromised payment terminal, says John Schier, security advisor at Sophos.
“The crooks doing the stealing aren’t necessarily the same as those robbing you of your money,” Schier says. “It’s not uncommon for the stealers to sell the card numbers to the robbers.”
Tracing the hacked accounts to the recent breaches of customer records at Target, Neiman Marcus and Michaels is theoretically possible, but unlikely.
That’s because stolen credit card data floods into criminal forums steadily. Well north of 740 million records were exposed in 2013, making it the worst year on record for data breaches. And that’s a very conservative number derived by analyzing approximately 500 breaches listed on the Privacy Rights Clearinghouse Chronology Data Base, according to the Online Trust Alliance.
That list comprises publicly disclosed data breaches and includes the 40 million records Target disclosed losing on Dec. 13. Target’s official estimate is now up to 110 million. And many of the breach cases listed for 2013 show an unknown or undisclosed number of records taken. So 740 million is a low number.