Hacker Economy.

When retailer TJX disclosed Jan. 17 that the computer systems that store data related to credit card, debit card, check, and merchandise return transactions had been broken into, it said it had discovered the hack in December. But security officials at Visa had been seeing an increase in fraudulent activity on credit and debit cards related to TJX properties, such as T.J. Maxx, Marshalls, and HomeGoods stores, since mid-November. That means it's possible the purloined consumer data has been floating around the Internet, available for purchase on black market Web sites and chat rooms, for at least two months, maybe longer.

Hacking isn't a kid's game anymore. It's big business. Online black markets are flush with stolen credit card data, driver's license numbers, and malware, the programs that let hackers exploit the security weaknesses of commercial software. Cybercriminals have become an organized bunch; they use peer-to-peer payment systems just like they're buying and selling on eBay, and they're not afraid to work together.

While the independent hacker still exists (pardon us, but in this story, we'll refer to "hacker" in the layman's sense), the FBI sees true organized crime in parts of the hacking community, particularly in Eastern Europe, says special agent Chris Stangl, who works in the bureau's cybercrime division, the agency's third largest behind counter-terrorism and intelligence. "You'll have hackers cracking the machines, individuals collecting the data, and individuals selling for profit," Stangl says.

Getting a clear picture of the hacker economy isn't easy. It's a murky underground about which few people are willing to talk on the record. But the general outlines can be gleaned from inside and outside sources.

It's not a crime to point out vulnerabilities on the Net, making malware hard to prosecute, says eEye's Maiffret.

It's not a crime to point out vulnerabilities on the Net, making malware hard to prosecute, says eEye's Maiffret.

Direct Approach

Some hackers take the direct approach. Ransom scams--in which a criminal infects a company's systems with malware that encrypts data and then demands money to provide the decryption key--are common in Russia. Uriel Maimon, a researcher with the consumer division of RSA, a security vendor now owned by EMC, says he's seen a half-dozen of these scams over the past five months.

But in the scheme of things, those kinds of scams aren't all that common because they're risky--they require "a direct financial connection between the victim and the author or proprietor of the malware," says David Dagon, a researcher with the Georgia Tech Information Security Center. More omnipresent is the thriving black market in data. Online sites abound where credit and debit card numbers, cardholder names, and the card verification value, a three- or four-digit code that's used to verify a card's authenticity, can be bought and sold. Jeff Moss, who goes by the handle "The Dark Tangent" and is the founder of Black Hat, a security research and training firm (owned by InformationWeek parent CMP), says he knows of one European cyberattacker who makes nearly a half-million dollars annually buying and selling databases and customer lists.

Credit card information is mostly sold in bulk. "You don't just buy one Amex card with no limit; you typically buy a set because any one could be canceled or entered into fraud claims," Dagon says. Though some sites have list prices, basic card information can go for as low as $1 a card, and prices often depend on the quality of the data, says Johannes Ullrich, CTO of the SANS Internet Storm Center.

Credit card thieves, who call themselves "carders," often ply their wares through IRC chat rooms, private and public forums with names like CardersMarket and Carder.info, and even conventional-looking e-commerce sites. The experienced hackers and carders stick to private, encrypted, password-protected IRCs, Ullrich says.

One forum, CardingWorld.cc, has more than 100,000 posts from 13,000 registered members, most of whom write in Russian. The site's English section includes offers for Bank of America, Fidelity Bank, and PayPal logons; credit card information from around the world; valid gift cards; and services for the safe transfer of large amounts of money. Most sellers and buyers on the forum request that purchases or offers be taken to private messages on the bulletin board system or to ICQ instant messaging.

A site called Dumps International appears to provide credit cards and equipment for reading and encoding credit cards, as well as Social Security numbers, dates of birth, mothers' maiden names, PINs, and batches of credit card "dumps" that contain card numbers, cardholder names, and expiration dates. The cost for U.S. credit card numbers on the site ranges from $40 for a standard credit card up to $120 for a "signature" card, one step above platinum and corporate cards. There are even specials--buy 100 cards in a mixed batch and the price drops to $30 a card.

The average life expectancy for such sites is about six months before they're rerouted through a new proxy server to throw off law enforcement. TalkCash.net, which functioned until last summer, even offered a list of "rippers," those who'd used the marketplace but were unreliable, and "verified vendors," those who had proved that they could deliver on their promised goods.

Cybercriminals close their deals using peer-to-peer payment systems like PayPal and e-gold, which lets people exchange electronic currency backed by the value of gold bullion rather than a particular national currency. Some use Western Union wire transfers to make payment. E-gold says it "in no manner condones" the use of its service for criminal acts, and PayPal chief information security officer Michael Barrett says the company regularly works with law enforcement when it identifies usage patterns that indicate criminal activity.

Moving money around can be dangerous for hackers, since transactions over $10,000 must be reported by banks and wire transactions can be easy to track. Georgia Tech's Dagon says large transactions can be split up, with some in the hacker gang taking payment in plasma TVs, large numbers of compromised iTunes accounts, World of Warcraft credentials, and even access to compromised routers.

Malware For Sale

Another valuable commodity in the hacker economy is malware such as viruses, worms, and Trojan horse programs. These so-called exploits provide hackers entrée into corporate systems.

A recent report by Internet Security Systems (acquired last year by IBM) warns of the emergence of an "exploits-as-a service" industry, with sophisticated manufacturing and distribution networks similar to the computer industry's legitimate production channels. "Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors," the report says.

As with any market economy, the most valuable commodities command the highest prices. In December, a flaw in Microsoft's new Windows Vista operating system was found for sale on a Romanian Web forum for $50,000, says Raimund Genes, CTO of security vendor Trend Micro, who contends that the malware industry commands more revenue than the $26 billion that legit security vendors generated in 2005.

Serious money like that has attracted an equally serious criminal element. Zero-day exploits--which take advantage of security vulnerabilities as soon as they're discovered, before vendors can patch their products--were selling late last year for as much as $20,000 to $30,000 each, Genes says.

However, despite the danger zero-day and other security vulnerabilities pose to companies and their customers, there's little law enforcement can do to prevent someone from writing a program that exploits one of these vulnerabilities. It's not a crime "to point out an unpatched vulnerability on the Internet," says Marc Maiffret, founder and chief hacking officer of eEye Digital Security.

Phishing Pays Off

Phishing scams are also a thriving underground business, often employing groups of people who bring different skills to the table, says a Web application security consultant who goes by the name RSnake. The "spammer" scours the Web for e-mail addresses that can be sold to "hackers," who look for security vulnerabilities to exploit, create phishing sites, and tell the spammers where to send the phishing e-mails on their behalf. Meantime, "carders" buy the information stolen by hackers to create the fraudulent credit and debit cards they use to steal money or sell to other criminals. Of course, the same cybercriminal can multitask, RSnake adds.

The Anti-Phishing Working Group, a cooperative of public and private organizations, says the tools used by phishing fraudsters are getting a lot more sophisticated. The group's report for December cites 340 new variants in the keyloggers and Trojan horses used by phishers that month alone--a record high. That increase is mostly because of "better use of software tools to automate the creation and testing of new variants," the report says.

Hackers hope businesses hold onto their data, Kaminsky says.
Chances are, those tools were spawned by tech-savvy Eastern Europeans known for creating automated phishing programs and spam engines, RSnake says. "The people I've spoken to in Eastern Europe are actually pretty young guys, in their 20s," he says. "Some have formal educations, but some don't. Some live in countries like Romania, where houses have more Internet throughput than some businesses in the U.S. They've grown up on the Internet for the past 10 years, and the laws in their countries are less stringent than in other places, like the U.S."

Sophisticated technology isn't the only tool of the phishing trade. It seems unbelievable, but Nigerian "419" scammers continue to fleece gullible e-mail users. These are the e-mails that usually begin, "I need your help," and describe a situation where a large amount of money needs to be rescued or transferred from one country to another. They're known as "advance fee" solicitations because they ask the victim to send money to help free up the funds, with the promise of a lucrative payoff. The 419 designation refers to the section on fraud in the Nigerian criminal code.

Last month, the former treasurer for Michigan's Alcona County was arrested and charged with embezzling $1.2 million in public funds, at least some of which he sent to a notorious Nigerian e-mail scammer. The Federal Trade Commission posts this warning on its Web site: "If you receive an offer via e-mail from someone claiming to need your help getting money out of Nigeria--or any other country, for that matter--forward it to the FTC at spam@uce.gov."

Pump And Dump

On Jan. 25, the Securities and Exchange Commission charged a 21-year-old Florida man with breaking into numerous online brokerage accounts, then liquidating their portfolios. Investigators say Aleksey Kamardin of Tampa, during a five-week span last summer, made more than $82,000 by using funds in multiple compromised accounts at Charles Schwab, E-Trade, JPMorgan Chase, TD Ameritrade, and other online brokers to buy shares in lightly traded companies. Those purchases gave the illusion of increased legitimate trading, which raised the stocks' price. Kamardin then sold the shares he had purchased earlier, and other legit investors saw the stock price fall sharply, investigators say.

It's a variation on the old "pump-and-dump" stock scam. In these scenarios, the thief will have invested in cheap, or penny, stocks using accounts based in the Cayman Islands or elsewhere offshore, where the accounts can be established anonymously. Once the thief buys or steals identity information, he can set up fraudulent accounts--or break into other people's accounts, as in the case of Kamardin--and buy large quantities of those penny stocks, driving up the price.

This presents a tricky situation for financial services firms. "They don't want to prohibit people from trading, so the creation of these fraudulent accounts becomes part of the financial services firms' risk of doing business," asserts Marc Gaffan, director of marketing for RSA's consumer solutions division. Also, it's difficult to scrutinize trade orders because they're time-sensitive, Gaffan says. Delays cost investors money and discourage them from doing business with a given company. E-Trade experienced this dilemma last year when a compromised computer opened the door for cyberattackers to run pump-and-dump scams on E-Trade clients, resulting in fraudulent activity that contributed to the $18 million in fraud losses the company reported for its third quarter.

What's To Be Done?

The Secret Service's New York Electronic Crimes Task Force made one of its biggest busts in 2002 when it charged former Prudential Insurance database administrator Donald McNeese with identity theft, credit card fraud, and money laundering. McNeese stole records from a Prudential database that contained information on about 60,000 employees. When he tried to sell the stolen info over the Web, Bill Moylan, a 25-year veteran of Long Island's Nassau County Police Department who was working undercover for the task force, spotted it and contacted him. McNeese sent Moylan about 20 of the employees' identities and encouraged him to use the stolen records to create fraudulent credit cards, with a portion of the proceeds to be sent to McNeese's home in Florida. McNeese was ultimately sentenced to three years probation and ordered to pay $3,000 in restitution.

The Secret Service is the federal agency primarily responsible for investigating cybercrime, and it continues to make progress against the hacker economy. In 2004, agents arrested a group of hackers running a site called Shadowcrew.com, and the following year six of those men pleaded guilty in federal court to trafficking in stolen credit and bank card numbers and identity information. Last March the Secret Service announced the arrests of seven suspects, for a total of 21 in three months, as part of Operation Rolling Stone, an investigation of identity theft and online fraud "through criminal Web forums."

Despite these successes, the hacker economy continues to flourish. At the RSA Security Conference in San Francisco last week, RSA president Art Coviello told the audience that the market for stolen identities has reached $1 billion, according to IDC research, and that malware has risen by a factor of 10 in the last five years, according to the Yankee Group.

"The fundamental issue is that we have a law enforcement model that's geographically based, but there's no geography on the Internet," says Dan Kaminsky, a security researcher with DoxPara Research. Says RSnake: "They can't do wiretaps overseas or raid someone's house in Romania without local cooperation. There just isn't enough talent in our federal agencies to keep on top of this efficiently."

As a result, law enforcement has come to rely heavily on cooperation from the private sector, such as financial institutions, Internet service providers, and telcos. Also, there are about a dozen electronic crime task forces operating in local law enforcement agencies around the country, many of which have access to FBI InfraGard, an information sharing system between the FBI and the private sector. InfraGard began in the FBI's Cleveland field office in 1996 as a local effort to gain support from IT pros and academia for the FBI's cyber-related investigations.

Vendors must take some responsibility for opening the door to the mercenary market for malicious code and stolen data by shipping software with security flaws. IBM's ISS reported that last year a total of 7,247 software security vulnerabilities were reported, up nearly 40% from 2005, with Microsoft, Oracle, and Apple the biggest offenders.

Businesses and end users must shoulder some of the responsibility as well for lax security measures and for simply storing too much data. In the case of TJX, it turned out the retailer was storing credit-card data contrary to Visa's rules. "It just feels wrong to people to throw away data," says DoxPara's Kaminsky.

Companies need to give careful thought to the data they're managing and realistically assess their ability to protect it. If they don't, they just might see it show up on a black market site.