SAN FRANCISCO – Fierce competition among identity thieves has driven the prices for stolen data down to bargain-basement levels, which has forced crooks to adopt mainstream business tactics to lure customers, according to a new report on Internet security threats.
Credit-card numbers were selling for as little as 40 cents each and access to a bank account was going for $10 in the second half of 2007, according to the latest twice-yearly Internet Security Threat Report from Symantec Corp. released Tuesday.
Symantec detected 711,912 new threats last year, 468 percent more than in 2006, when it found 125,243 — and almost two-thirds of all 1,122,311 Symantec has cataloged since 2002.
The data is usually sold through instant-message groups or Web forums that exist for only a few days or even hours, according to Symantec, and the hacking community exacts harsh consequences when members try to pass along fraudulent information.
"If the seller says there's $10,000 in a bank account, and there isn't $10,000 in there, their ability to sell will drop through the floor," said Alfred Huger, vice president of Symantec Security Response. "It's a sort of honor among thieves, and it's very strictly enforced."
Researchers said they found more evidence during the last six months of the year that Internet fraudsters are adopting mainstream tactics, including hiring teams of hackers to create new viruses and offering volume discounts on stolen data to encourage larger orders.
In some cases, stolen credit-card numbers were sold in batches of 500 for a total of $200. That's 40 cents each, less than half the price observed during the first half of 2007, when they were down to $1 apiece in batches of 100, according to the report.
Full identities — including a functioning credit card number, Social Security number or equivalent and a person's name, address and date of birth — are going for as little as $100 for 50, or $2 apiece.
Certain identities are more alluring than others, according the report. Stolen identities of citizens of the European Union sell on the high end — for $30 — an average of 50 percent more than U.S. identities.
Researchers said the higher prices reflect the fact that the identities can be used in multiple countries, instead of just one. They added, however, that scarcity of a certain type of identity will drive up its price.
Also popular with attackers are Web site-specific vulnerabilities because few are fixed quickly. Of 11,253 so-called "cross-site scripting" vulnerabilities found on specific sites during the second half of 2007, only 473 were patched.
Cross-site scripting vulnerabilities are flaws in the coding of Web applications that allow hackers to insert malicious code into the pages and then deploy it to unsuspecting visitors.
The report was released as thousands of security professionals gathered in San Francisco for the RSA Conference, a weeklong event at which Symantec's CEO John Thompson Tuesday keynote is among several high-profile speeches.
The survey is based on malicious code gathered from more than 120 million computers running Symantec antivirus software and some 2 million decoy e-mail accounts that collect spam.