Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


12:14 PM

Cybercrime Servers Selling Billions of Dollars' Worth of Stolen Information, Illicit Services

New Symantec report puts dollar figures on full potential value of stolen financial data, malware, and pirated software

The total potential value of a snapshot of stolen goods and services in the underground economy captured during a one-year period was around $7 billion, according to a new report released today by Symantec.

Symantec's Security Technology and Response (STAR) group gathered data from several cybercrime servers from July 1, 2007, through June 30 of this year. The researchers studied stolen credit card information, financial accounts, malicious tools, and the organizations that advertise the sale of this data and tools during that 12-month period, as well as pirated software during July and September 2008.

The total value of the goods and services for sale on the underground servers was $276 million, a figure based on what the bad guys could make off of the information and services they were advertising for sale. Stolen credit card information accounted for nearly 60 percent of those revenues, according to Symantec. But when the actual credit lines and bank balances were taken into account, as well, the overall potential worth of the stolen goods came out in the billions of dollars, according to Symantec.

"What surprised me is the scope and potential value of goods available for sale in the underground economy," says Dean Turner, director of Symantec's global intelligence network. "The fact that 10 years ago Warez [illegal file and software forums] never had a dollar value associated like this with it...that's the level of the organization of this [economy] we're seeing today. This is serious business for criminals."

The researchers watched IRC and Web-based underground forums that buy and sell everything from stolen credit card data, bank account credentials, email accounts, phishing services, and job listings for online fraud and phishing operations. Symantec found that credit card information represented about 31 percent of these advertised services, and credit cards were going for anywhere from 10 cents to $25 per card, with the average credit limit of $4,000. The total potential value of all the credit card data on these servers was around $5.3 billion, according to Symantec, taking into account the value the maximum value of the credit lines.

Symantec also calculated the advertised balance of the stolen bank credentials plus the price the bad guys were asking for the accounts, and found that the estimated value of the stolen accounts was around $1.7 billion. Financial accounts represented about 20 percent of all of the advertised services on the servers, and were being sold at prices from $10 to $1,000 per account. The averaged balance of the stolen bank accounts was $40,000.

And the bad guys can cash out the accounts quietly and quickly: In one case, it took only 15 minutes to transfer the money online to "untraceable" locations, according to the report.

More than 60 percent of the illicit transactions occurred via online currency.

Botnet tools were the priciest malware at an average of $225, and phishing attack hosting services ranged from $2 to $80, according to the report. An average keystroke logger program costs $23, and financial Website vulnerabilities were going for $100 to $2,999 on the underground servers.

Overall, Symantec studied nearly 70,000 advertisers on these servers during this period, with more than 44 million messages posted on the servers. The total amount of advertised goods by the top 10 most active advertisers on these servers was more than $575,000. Nearly all of these servers have a life span of less than six months, according to the report. North America hosted nearly 50 percent of them, followed by Europe, the Middle East, and Africa with 38 percent of the servers. More than 40 percent of the underground economy servers Symantec studied were hosted in the U.S.

In software piracy, the U.S. was one of the most active regions. And desktop games account for 49 percent of all pirated software in the report. Stolen software goes for anywhere from $20 to $8,000, and Symantec estimates that the total value of all categorized file instances was $83.4 million.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-17
The overlayfs implementation in the linux kernel did not properly validate with respect to user namespaces the setting of file capabilities on files in an underlying file system. Due to the combination of unprivileged user namespaces along with a patch carried in the Ubuntu kernel to allow unprivile...
PUBLISHED: 2021-04-17
Shiftfs, an out-of-tree stacking file system included in Ubuntu Linux kernels, did not properly handle faults occurring during copy_from_user() correctly. These could lead to either a double-free situation or memory not being freed at all. An attacker could use this to cause a denial of service (ker...
PUBLISHED: 2021-04-17
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS Build 20210202 and later Q...
PUBLISHED: 2021-04-17
An SQL injection vulnerability has been reported to affect QNAP NAS running Multimedia Console or the Media Streaming add-on. If exploited, the vulnerability allows remote attackers to obtain application information. QNAP has already fixed this vulnerability in the following versions of Multimedia C...
PUBLISHED: 2021-04-16
jose-node-esm-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed `JWEDe...