Symantec's Security Technology and Response (STAR) group gathered data from several cybercrime servers from July 1, 2007, through June 30 of this year. The researchers studied stolen credit card information, financial accounts, malicious tools, and the organizations that advertise the sale of this data and tools during that 12-month period, as well as pirated software during July and September 2008.
The total value of the goods and services for sale on the underground servers was $276 million, a figure based on what the bad guys could make off of the information and services they were advertising for sale. Stolen credit card information accounted for nearly 60 percent of those revenues, according to Symantec. But when the actual credit lines and bank balances were taken into account, as well, the overall potential worth of the stolen goods came out in the billions of dollars, according to Symantec.
"What surprised me is the scope and potential value of goods available for sale in the underground economy," says Dean Turner, director of Symantec's global intelligence network. "The fact that 10 years ago Warez [illegal file and software forums] never had a dollar value associated like this with it...that's the level of the organization of this [economy] we're seeing today. This is serious business for criminals."
The researchers watched IRC and Web-based underground forums that buy and sell everything from stolen credit card data, bank account credentials, email accounts, phishing services, and job listings for online fraud and phishing operations. Symantec found that credit card information represented about 31 percent of these advertised services, and credit cards were going for anywhere from 10 cents to $25 per card, with the average credit limit of $4,000. The total potential value of all the credit card data on these servers was around $5.3 billion, according to Symantec, taking into account the value the maximum value of the credit lines.
Symantec also calculated the advertised balance of the stolen bank credentials plus the price the bad guys were asking for the accounts, and found that the estimated value of the stolen accounts was around $1.7 billion. Financial accounts represented about 20 percent of all of the advertised services on the servers, and were being sold at prices from $10 to $1,000 per account. The averaged balance of the stolen bank accounts was $40,000.
And the bad guys can cash out the accounts quietly and quickly: In one case, it took only 15 minutes to transfer the money online to "untraceable" locations, according to the report.
More than 60 percent of the illicit transactions occurred via online currency.
Botnet tools were the priciest malware at an average of $225, and phishing attack hosting services ranged from $2 to $80, according to the report. An average keystroke logger program costs $23, and financial Website vulnerabilities were going for $100 to $2,999 on the underground servers.
Overall, Symantec studied nearly 70,000 advertisers on these servers during this period, with more than 44 million messages posted on the servers. The total amount of advertised goods by the top 10 most active advertisers on these servers was more than $575,000. Nearly all of these servers have a life span of less than six months, according to the report. North America hosted nearly 50 percent of them, followed by Europe, the Middle East, and Africa with 38 percent of the servers. More than 40 percent of the underground economy servers Symantec studied were hosted in the U.S.
In software piracy, the U.S. was one of the most active regions. And desktop games account for 49 percent of all pirated software in the report. Stolen software goes for anywhere from $20 to $8,000, and Symantec estimates that the total value of all categorized file instances was $83.4 million.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message