Fraud as a Service: a new industry for the 2010s
The economic downturn is affecting everyone; there’s just not a lot of money going around these days. So spare a thought for the criminal – with less money to steal, he has to work harder for his living.
And that is certainly the conclusion to be drawn from Panda Security’s latest report: The Cyber-Crime Black Market: Uncovered. We have already seen in a previous post that complex viruses are being developed and used, probably to run interference for the trojans. By tying up the AV industry’s top engineers in locating, unravelling and disarming these viruses, the online criminals hope to keep their data-stealing trojans operational over a longer period. But just consider the organisational skills that this requires: it’s an underground black market industry that mirrors the organisation of legitimate industry. Whatever you want, you can have: at the market price.
The report comes out of Panda’s decision to have a closer look at the internet’s black market, “to see what kind of services they are selling today,” explained technical director Luis Corrons. “We found that basically it is the same as what’s been going on for years – only now the service is more specialised, and the availability more widespread. In the past they sold things like infection kits, spam services, stolen credit cards; and yes that is still available. But now the criminals are offering far more services. In the past you could buy a number of credit cards; and depending on the amount you buy, the price goes up or down.” This is still available, said Corrons, “but now the criminals have started offering guarantees. OK, you can pay, say, $2 for a credit card; but if you want access to a bank account with a certain amount of money guaranteed, you pay more – and you can have that. You can even request bank accounts with more than $80,000 – but to get such credentials you’d have to pay $700.”
Apart from the guarantees, the whole process has become more integrated. “You can buy the credit card details which you can use,” he continued, “and then you can hire additional services so they will take care of and make all the money transfers for an additional fee. Or, let’s say you buy some luxury items with these stolen credit card details – such as a big LCD TV. Well you can’t have it sent straight to your house because obviously the police can track it. No problem. There are people offering to do this for you. You want to buy this – we’ll do it for you, and take care of sending it to your house.”
From the comfort of an office or bedroom, with a single computer and spurred on by the lack of international legislation or cooperation between countries to facilitate investigations and arrests, cyber-criminals have been making a lucrative living from these activities.
Corrons even described a site in Russia that offers to provide you with anything you want for just 20% of the usual cost. How? Well, FAQs on the site explain that they will use stolen credit cards to buy primarily from US online stores, and let you have the goods for 20% of the cost – which they take from you for their fee. This Russian site only supplies Russian residents, but is indicative of how the black market is evolving.
|Credit card details||From $2-$90|
|Physical credit cards||From $190 + cost of details|
|Card cloners||From $200-$1000|
|Fake ATMs||Up to $35,000|
|Bank credentials||From $80 to $700 (with guaranteed|
|Bank transfers and cashing||From 10 to 40% of the total $10 for simple account without guaranteed balance|
|Online stores and pay||From $80-$1500 with guaranteed|
|Design and publishing of fake||According to the project (not|
|Purchase and forwarding of||From $30-$300 (depending on the|
|Spam rental||From $15|
|SMTP rental||From $20 to $40 for three|
|VPN rental||$20 for three months|
Clearly, there is so much money to be made from these activities, even in difficult times, that what Panda is describing is the beginning of a new industry: cloud-based Fraud as a Service.