Cybercriminals buy and sell stolen information using a vast network of online stores, forums, and even social-networking accounts, according to a report released yesterday by PandaLabs.
Posing as a cybercriminal to gain access to this online black market, PandaLabs researchers uncovered a world where the bad guys work together to buy and sell stolen bank account information, credit card numbers, passwords, and other products. Much of this illegal enterprise is done through online stores and forums, but PandaLabs found criminals using Facebook and Twitter accounts to set up shop as well.
Though this black market is relatively open, the security firm discovered that the sellers of stolen data are careful about protecting their anonymity, demanding that their "customers" contact them only through IM or generic e-mail accounts that can't easily be traced.
In many ways, the cybercriminal network operates like any other business. The list of products for sale sounds like a standard online shopping catalog, from cheap no-frills items to more expensive ones with all the works.
Basic bank and credit card information can sell for as little as $2 a pop, though at that price the buyer doesn't get verification of the actual account balance. For $80, customers can get a credit card or bank account number with confirmation of a small balance, while $700 will buy them a guaranteed balance of $82,000, according to the report (PDF). Prices go up from there on accounts that have already been used to shop online or tap into PayPal.
But it's not just digital data for sale. PandaLabs found cloned credit cards selling for $190, card cloning machines running anywhere from $200 to $1,000, and fake ATM machines costing from $3,500 to $35,000.
Those who want to go into business for themselves can even buy money laundering services, kicking in a seller's commission of 10 to 40 percent. Like any good consultant, the sellers are available for project work where they can set up fake online stores for their customers, says PandaLabs.
Competition in the black market also keeps prices from getting too high, while customers who do a lot of business can even get volume discounts. Paying for the stolen or phony items works just like it does at any online retailer. Buyers can shop at a Web site set up by the seller, adding items to their cart as they browse the different offerings. But payment is made up-front and only through services like Western Union, Liberty Reserve, and WebMoney.
To protect your own data from being stolen and sold on the black market, PandaLabs offers an array of tips, including checking your invoices and credit card statements carefully, filing or destroying ATM receipts, asking a neighbor to collect your mail when you're away, never using a debit card for online purchases, and, of course, making sure you run up-to-date security software.