
Dell SecureWorks Reports Hackers Selling Health Insurance Dossiers For Over $1,000 Each

These packages of data are referred to in the underground as "fullz", compiled specifically for the purpose of identity theft and fraud

July 15, 2013. Atlanta, GA. Dell SecureWorks, an industry leader in information security services, has recently discovered several underground marketplaces where hackers are selling information packages containing "verified" health insurance credentials, bank account numbers/logins, social security numbers, and other personally identifiable information (PII) on victims. These packages of data are referred to in the underground as "fullz", an underground term for the electronic dossier on a particular individual, compiled specifically for the purpose of identity theft and fraud.

Don Jackson, senior security researcher with SecureWorks' Counter Threat Unit (CTU) research team, said that when these "fullz" are sold along with all the custom-manufactured or counterfeit physical documents related to the identity data (e.g., credit cards, social security cards, driver's license, insurance cards, etc.), the packages are referred to as "kitz." The current asking price for a complete identity theft kit containing the health insurance credentials is in the range of $1,200 to $1,300 each.

As evidenced by Jackson's findings, a number of these marketplaces are serving as a one-stop shop for identity theft and fraud. Not only are they selling the stolen credentials, but they also sell the supporting (counterfeit) documentation ("dox") for an extra charge. Although Jackson did not identify specifically who was behind the underground marketplaces, he does suspect that the criminals involved in one major operation were located in the United States. This was based on specific computer network information and tell-tale signs in the usage of English in electronic communications.

Hacker Pricing for Stolen Credentials:

"Kitz"--- these particular Kitz contained verified health insurance, SSN, bank account info/logins (account & routing numbers, account type), driver's license, full name, address, phone, etc., and counterfeit physical documents and hardware related to the identity data in the package (e.g., credit cards, driver's license, insurance cards, etc.)--- ranging between $1200 - $1300 per Kitz. Add $100 - $500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.

"Fullz"--- if these records also included health insurance credentials for a US victim, they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, email addresses (with passwords), dates of birth, SSN or EIN, and one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track 2 data and any associated PINs).

Health Insurance Credentials--- health insurance credentials are $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims. Note: when a dental, vision, or chiropractic plan is associated with the health plan, each of those was an additional $20.

Fees for Additional Stolen Credentials

US credit card with CVV Code-- $1 - $2

Non-US credit card with CVV-- $2 - $10

Credit card with full track 2 and PIN-- $5 - $50

Prestige credit cards (include Platinum, Diamond, Black) with verified available balance-- $20 - $400*

Online bank account, < $10K--- $250 - $1000*

Compromised computer-- $1 - $100

PayPal, verified balance-- $20 - $200*

Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft)-- $5 - $1000**

Skype account (premium)-- $1 - $10

* Some hackers' prices are based on 4% - 12% of verified current balance

** Rare items are often "parted out" or fenced separately

Bank Accounts with Attached Email Accounts--- Jackson also found that bank account credentials which also included the credentials for the email account associated with the bank account were more valuable: the scammer can stop the victim from receiving email alerts sent by the bank, change account information, and confirm back to the bank that the changes are correct.

Bank Accounts with ACH Bill Pay or Wire Transfer Features--- additional features matter in the value of an account. For example, the ability to wire transfer or ACH bill-pay brings a higher value, whereas two-factor authentication, such as an SMS sent to the account owner's phone to confirm wire transfers, hurts the value of a stolen account.

Compromised computer--- bulk with only proxy access is cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access is premium.

Game Accounts--- the CTU found the biggest jump in value among stolen credentials was in game accounts, where there is more realized value in virtual items and currency. Steam, PSN and XBOX Live accounts linked to other accounts, multiple game titles and characters, payment information, and other services are priced higher ($10/hour), or $1000+ for rare/unique top-level items. Sellers typically "launder" stolen items through other shill characters.

"It is not surprising that we are seeing health insurance credentials being sold in the underground hacker markets, along with other financial and PII data," said Jackson. "Our CTU researchers discover caches of stolen data frequently, and we have found that the hackers will steal anything they think they can sell on the underground. Health insurance credentials continue to rise in value as we see the cost of health insurance and the cost of medical services continue to rise."

Earlier this year, Dell SecureWorks' Incident Response Team was called into a large healthcare company to investigate a possible cyber intrusion. The security experts discovered that one of the company's computer systems had been infected with the Gatak Trojan, a credential-stealing Trojan (one that typically looks for names, addresses, credit card numbers, and bank account numbers). The Incident Response Team found more than 25 additional unique versions of the malware across the company's network. Luckily, it was determined that the hackers had not gotten away with any protected health information (PHI), financial or PII data. However, Dell SecureWorks' experts made sure that the company's infected systems were removed from the network and cleaned or rebuilt. They also made recommendations on how the organization could fix the vulnerabilities in its network so the hackers could not reenter.

Key Security Steps for Protecting Healthcare, Financial and PII Data

Dell SecureWorks advises a layered approach to security. Organizations should consider implementing the following:

Firewalls around your network and Web applications

Intrusion Prevention Systems or Intrusion Detection Systems (IPS/IDS). These inspect inbound and outbound traffic for cyber threats and detect and/or block those threats.

Host Intrusion Prevention Systems (HIPS)

Advanced Malware Protection Solution

Vulnerability scanning

24x7x365 log monitoring, and Web application and network scanning

Security Intelligence around the latest threats (people working on the latest threats in real-time, human intelligence)

Encrypted email

Educating your Employees on Computer Security. A key protective measure is to educate your employees never to click on links or attachments in emails, even if they know the sender. Employees should check with the sender before clicking on email links or attachments. Email and surfing the web are the two major infection vectors.
