How much for your ID?
The UK cybercrime report from the online security expert Garlik revealed 92,000 cases of identity theft – reported cases, that is – during 2006 in the UK alone. That’s almost certainly a gross underestimate, as the criminologists involved claim that 90% of all cybercrime goes unreported. One reason for this is that victims don’t think of online “crime” as truly “criminal”, believing the police would be unable or unwilling to get involved. Another is embarrassment at being defrauded, especially by the “you have won the Estonian lottery” or the “I am the president of the Nigerian National Bank, and would you like £20 million” kind. This takes on an even more sinister light once you know just how cheaply the criminal gangs behind this highly organised cybercrime wave sell the data they steal.
You don’t need to be a criminologist or a genius at Googling to track down the sites where this data is sold, but you do have to be quick, since many such sites set up shop for just 24 hours at most. You also need to be careful, because many deliver a dose of malware along with their stolen goods, although I’ve always wondered just how stupid you have to be to buy stolen credit card details – from anonymous, untraceable crooks on the web – using a credit card.
Luckily, you don’t have to enter the shady underbelly of the web to find out just what happens, since the likes of Symantec have done it for you. The firm’s latest Internet Security Threat report has just been published, covering everything IT security-related over the previous six months, and it makes chilling reading once you get past the usual “who’s spamming whom” and “which country hosts the most naughtiness” stuff.
Symantec suggests that cybercrime is now quasi-corporate, highly professional and highly organised. You can find organised crime units the world over all churning out sophisticated, well-targeted and profitable spam and phishing attacks.
Its corporate aspect is best highlighted by the career ladder that it now displays, with ground-floor entrance opportunities for even the least “qualified” of wannabe crooks. It doesn’t matter whether you can write code, hack or even scam if an online gang is prepared to sell you, for as little as £25, a phishing toolkit that makes it easier than taking toys from a two-year-old. It works almost like a pyramid scheme for gangsters, and a very successful one at that. Symantec reckons that 42% of all the phishing attacks it detected during the first six months of 2007 were created using the top three most widely used off-the-shelf kits, which is hardly surprising given that these come with everything a crook could need, including fake websites and advice on successful email targeting techniques.
But the really frightening stuff starts once you look further into stolen identity. Within the black web economy, there are regular auctions of personally identifying information (PII), the main ingredient used by identity thieves to create an online clone of your affairs, destroying your financial credibility and creditworthiness in the process. Without getting too bogged down in details, here’s what constitutes PII: your car registration number is PII but its make and model isn’t; the name of your bank isn’t PII but your account number is, and so on. The most frequently traded items at these black web auctions are stolen credit cards, which change hands for as little as 25p in packs of ten. Email passwords are a little more valuable at 50p a pop, while a compromised Unix shell will set you back a whole quid. Bank accounts are relatively expensive items at £15 a go, but it’s the price of a full stolen identity that should shock you as much as it did me. All you need to become someone else is a fiver!