Symantec finds the underground cyber economy

I'm shocked, shocked

The Security for all “I’m Shocked, Shocked!” award goes to Symantec, who according to this article in MacWorld has uncovered an underground cyber economy. In case you are very young or not into classic movies, the award name comes from this classic dialog in Casablanca.

Rick: How can you close me up? On what grounds?
Captain Renault: I’m shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

That’s right folks, I’m shocked, shocked to find that there is an underground cyber economy! In any case here is some of the big news that those crack Symantec investigators uncovered in their year long study.

Stolen credit cards topped the list of items for sale, and made up 31 per cent of all the goods on offer, while bank details were second most popular with 20 per cent.

While stolen credit card numbers sell for as little as between $0.10 and $25 per card, the average advertised stolen credit card limit observed by Symantec was more than $4,000. Symantec has calculated that the potential worth of all credit cards advertised during the reporting period was $5.3 billion.

The research also found that credit card information is often sold to fraudsters in bulk, with discounts or free numbers provided with larger purchases.

Yikes! Say it ain’t so Symantec! You mean that all those stolen credit card numbers end up for sale on the internet. I’m shocked, shocked! But wait there’s more.

During the 12-month period Symantec found 69,130 distinct active advertisers and 44,321,095 total messages posted to underground forums. Many are invitation-only forums, while IRC chat channels are also a popular way for cyber criminals to sell and share information.

Underground forums? On the internet? I’m shocked, shocked!

Seriously though, this study by Big Yellow is definitely valuable in that it puts some real numbers to stuff we all know has been going on for a long time. I’m hoping that CSOs can use these numbers to scare thier C-level cohorts into ponying up for programs to protect customer data – especially those credit card numbers. But what I’d really like to see is a study that correlates specific batches of bank card numbers for sale to specific breaches. Yeah – we already know where the stolen goods are being fenced, what we’d really like to know is who are the negligent bozos that lost them. When that happens I will truly be shocked, shocked.