The Hidden Data Economy: The Marketplace For Stolen Digital Information


REPORT

The Hidden Data Economy


The marketplace for stolen digital information
Table of Contents

Hidden in Plain Sight
Financial Data
Login Access
Access to Online Services
Identities
Conclusion
About McAfee

Authors

This report was researched and written by:
■■ Charles McFarland
■■ François Paget
■■ Raj Samani


Introduction

Data is the “oil” of the digital economy. The commercial market for personal data is booming, with large databases of subscriber information driving up the enormous valuations of those companies that own it, even though many have yet to turn a profit. As the commercial value of personal data grows, cybercriminals have long since built an economy selling stolen data to anybody with a computer browser and the means to pay.

In the 2013 McAfee® Labs report Cybercrime Exposed: Cybercrime-as-a-Service, we demonstrated how current tools, products, and services can allow anyone to become a cybercriminal, regardless of technical ability. We followed up with the report Digital Laundry: An analysis of online currencies, and their use in cybercrime, which explained virtual currencies in detail and how they are used to convert stolen data into cash. By the time Digital Laundry was published in 2013, the publicity following the law enforcement action against the Silk Road let the world know that illegal products could easily be acquired online. Such actions have demonstrated just how much traditional crime has evolved with the help of the cyber world.

Cybercrime Exposed and Digital Laundry focused on tools that aid an attack. This report will attempt to answer the question: What happens after a successful breach?

Immediately after the Target breach, I cowrote a blog that tracked the sale of stolen credit cards and showed that much like traditional economics, the price of stolen credit cards went down with the huge influx of new stolen cards on the market. The Target example is only the tip of the iceberg. This paper provides more detail on this hidden data economy.

—Raj Samani, CTO of McAfee for Europe, the Middle East, and Africa

Hidden in Plain Sight

The title of this report suggests that there exists a hidden doorway into an underground marketplace for nefarious products that is not accessible to us muggles. In reality, this marketplace is not nearly as well hidden as we imagine, and it certainly does not require prior knowledge of a secret public house and its hidden courtyard. Cybercrime Exposed: Cybercrime-as-a-Service highlights just how accessible these products, tools, and services are to anybody with a browser. Although we do not intend to repeat the findings from that earlier report, the world has moved on since it was written two years ago.

What has changed? This underground marketplace has evolved to include almost every conceivable cybercrime product for sale or rent. We correctly predicted that the rise of this “as-a-service” model would act as a key driver in the growth of cybercrime. The recently published McAfee Labs Threats Report: May 2015 provides evidence of this with the rise of the ransomware CTB-Locker. The authors of CTB-Locker established an affiliate program as part of their business strategy: Affiliates use their botnets to send spam to potential victims; for every successful infection in which the victim pays the ransom, the affiliate gets a percentage of the money.

The as-a-service economy continues to grow across all components of an attack (research, cybercrime tools, and infrastructure), and none more so than hacking-as-a-service, in particular in how stolen data is made available. We will highlight why apathy among victims of a data breach, and ultimately those data subjects whose information is being sold, may be costly.

A sad side effect of reading about data breaches is the concept of “data breach fatigue,” which is another way of saying “apathy.” The recent article I Feel Nothing: The Home Depot Hack and Data Breach Fatigue provides a wonderful example of such apathy:

“Because banks are responsible for making us whole if our credit cards are misused, and we are simply issued new cards (an annoying hassle, but not life altering), I join you in reacting to news of these hacks with a shrug,” the author writes.

Although disillusionment may be understandable given the steady stream of breach notifications and stories detailing the theft of millions of records, it is important to recognize that this is data about us. Our information is being openly sold, and the individual repercussions may not be felt for some time.

This is why we are publishing this report: to combat the sense of apathy. We do not intend to spread fear, but we want to explain why we as a society should be concerned when we receive notifications of breaches as we consider proactive measures to reduce the likelihood of becoming victims.

A final comment: We don’t know if the many examples in this report are authentic or are tied in any way to the brands, as the sellers claim. Indeed, the excellent reputation of such well-known brands is frequently used by thieves as the basis to promote this sort of online fraud.


Financial Data

Selling stolen financial data is a relatively broad topic, with a multitude of data types for sale and marketplaces that vary between the visible web via a standard browser and the “dark web” through other access methods.

Data breaches involving the theft of financial data, particularly payment card information, continue to dominate headlines. Particularly impacting retailers, the theft of such information invariably results in this data appearing on the visible web. Payment card information made available in those marketplaces will vary in price based on a multitude of options. A snapshot of these options is shown in the following table.

| Payment Card Number With CVV2 | United States | United Kingdom | Canada | Australia | European Union |
|---|---|---|---|---|---|
| Random | $5–$8 | $20–$25 | $20–$25 | $21–$25 | $25–$30 |
| With Bank ID Number | $15 | $25 | $25 | $25 | $30 |
| With Date of Birth | $15 | $30 | $30 | $30 | $35 |
| With Fullzinfo | $30 | $35 | $40 | $40 | $45 |

Table 1. Estimated per card prices, in US$, for stolen payment card data (Visa, MasterCard, Amex, Discover). Source: McAfee Labs.

The preceding categories relate to the information available along with the payment card number:

■■ “CVV” is the industry acronym for card verification value. CVV1 is a unique three-digit value encoded on the magnetic stripe of the card. CVV2 is the three-digit value printed on the back of the card.
■■ “Software-generated” is a valid combination of a primary account number (PAN), an expiration date, and a CVV2 number that has been generated by software. Valid credit card number generators can be purchased or found for free online. As these tools can be easily found, their generated combinations do not have market value.
■■ “Random” refers to a card number chosen randomly in a hacked database. It is random for the bank and card type.
■■ “Fullzinfo” means the seller supplies all of the details about the card and its owner, such as full name, billing address, payment card number, expiration date, PIN number, social security number, mother’s maiden name, date of birth, and CVV2.

Occasionally, additional information is available for sale. Payment card data that includes “with COB” refers to those cards with associated login and password information. Using these credentials, the buyer can change the shipping or billing address or add a new address.

Some sellers will not provide the data after purchase. After all, whom will the buyer complain to in the event that the stolen information is not delivered? However, as depicted in the following image, many sellers will deliver stolen card information with all associated information.


The term dump refers to information electronically copied from the magnetic stripe on the back of credit and debit cards. There are two tracks of data (Track 1 and Track 2) on each card’s magnetic stripe. Track 1 is alphanumeric and contains the customer’s name and account number. Track 2 is numeric and contains the account number, expiration date, the CVV1 code, and discretionary institution data.
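
A defensive illustration of the Track 2 layout described above, added here and not part of the McAfee report: a log scanner that finds Track 2 data and masks it before the line is stored. The field layout is assumed from ISO/IEC 7813; the function names, the sample log lines and the test card number are constructed for this example.

```python
import re

# Track 2 layout assumed from ISO/IEC 7813 (the report names the fields only):
# ';' PAN '=' YYMM expiry, 3-digit service code, discretionary data, '?'
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = [
    "2015-12-01T10:00:01 pos01 order=1001 total=25.00",
    "2015-12-01T10:00:02 pos01 swipe ;4111111111111111=25121010000012345678? ok",
    "2015-12-01T10:00:03 pos01 swipe ;4111111111111112=25121010000012345678? ok",
]


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, mask everything between."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str):
    """Return (redacted_line, masked_pans_found) for one log line."""
    findings = []

    def _redact(match):
        pan, month = match.group(1), int(match.group(3))
        # A plausible month and a valid Luhn checksum cut false positives.
        if not 1 <= month <= 12 or not luhn_valid(pan):
            return match.group(0)
        findings.append(mask_pan(pan))
        # Drop expiry, service code and discretionary data (CVV1) entirely.
        return ";" + mask_pan(pan) + "=[REDACTED]?"

    return TRACK2_RE.sub(_redact, line), findings


def scan_log(lines):
    """Return (line_number, masked_pan) for every Track 2 hit in the log."""
    hits = []
    for number, line in enumerate(lines, start=1):
        _, found = scan_line(line)
        hits.extend((number, pan) for pan in found)
    return hits


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_line(entry)[0])
    print(scan_log(SAMPLE_LOG))
```

The third sample line has the Track 2 shape but fails the Luhn check, so it is reported as no hit and left unchanged.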

List prices are variable, based on supply, balance, and validity. Some of these factors are detailed in the following image.

Figure 1. Payment card data with additional information.

Buyers have many options, including the geographic source of the card and the card’s available balance. Both of these options impact the price of a card, as we see in the following table.

| Dump Track With High Balance | Price |
|---|---|
| Track 1&2: PinATM United States | $110 |
| Track 1&2: PinATM United Kingdom | $160 |
| Track 1&2: PinATM Canada | $180 |
| Track 1&2: PinATM Australia | $170 |
| Track 1&2: PinATM European Union | $190 |

Table 2. Dump track prices per card. Source: McAfee Labs.

Figure 2. Payment card shopping lists.


As the preceding image illustrates, buyers have many choices.

The sale of payment card data is common, and is well documented in a recent series of McAfee blogs. However, such payment cards are not the usual type of financial data targeted and subsequently sold on the open market. Much like cards, online payment service accounts are also sold on the open market, with their prices determined by additional factors. Such factors are, however, considerably more limited than those of payment cards, with the balance the only defining factor influencing prices, as we see in the following table.

| Online Payment Service Account Balance | Estimated Price per Account |
|---|---|
| $400–$1,000 | $20–$50 |
| $1,000–$2,500 | $50–$120 |
| $2,500–$5,000 | $120–$200 |
| $5,000–$8,000 | $200–$300 |

Table 3. Online payment service accounts for sale. Source: McAfee Labs.

The prices in this table are estimates. We have seen many examples of services for sale that fall outside of these price ranges.

Everything is available. In the following images, we see bank-to-bank transfers offered for sale, and the availability of banking login credentials.

Figure 3. Example of bank login credentials for sale.

Figure 4. Example of bank login data for sale.


There will always be suspicions about the validity of the products for sale, as many individuals have paid for stolen financial data only to not receive what they expected. One seller refers to this dishonor among thieves within their opening pitch:

“ARE YOU FED UP OF BEING SCAMMED, AND RIPPED? ARE YOU TIRED OF SCAMMERS WASTING YOUR TIME, ONLY TO STEAL YOUR HARD-EARNED MONEY?”

This particular seller, though not offering free credit cards that a buyer could use as a test, does offer a replacement policy for any cards that do not provide the advertised balance. Other methods of ensuring a seller’s honesty include the use of social validation, with positive feedback from other buyers. Forums are full of helpful advice from buyers who have successfully negotiated purchases as well as which sellers to avoid.

“Hey man, don’t know if you know this, but pulled an exit scam on evo? As far as I know, he pulled an exit scam, then he came back saying his friends had screwed him over, asked people to pay like 4BTC to join his official private reselling club. He then just disappeared again. In fact there's a guy called Underwebfullz (or something like that) who's doing the same thing on alphabay, so people think it's him”

Sellers who employ sophisticated sales and marketing efforts are leveraging YouTube to advertise their wares to potential customers. The videos often attempt to provide some degree of visual confirmation for prospective buyers that they can be trusted, although such approaches can backfire through comments associated with the videos.

Login Access

Other types of data for sale include access to systems within organizations’ trusted networks. The types of entry vary, from very simple direct access (such as login credentials) to those that require a degree of technical competence to carry out (such as vulnerabilities). In the following image we can see the availability of vulnerabilities that allow potential buyers access to bank and airline systems located in Europe, Asia, and the United States.

Figure 5. Example of access to bank and airline systems for sale.


As with the sale of financial data, sellers strive to offer a degree of proof to prospective buyers that their offers are valid.

Recent research by cybercrime expert Idan Aharoni suggests that the types of systems criminals sell access to now include critical infrastructure systems. In his article “SCADA Systems Offered for Sale in the Underground Economy,” Aharoni included one example in which a seller provided a screenshot that appears to be a French hydroelectric generator as evidence that the seller had access.

Figure 6. One seller claims that this is a screenshot of a French hydroelectric generator, used as evidence that the seller has access to a critical infrastructure SCADA system.

As with previous examples, a buyer can question whether the access offered is indeed valid. It would not be particularly difficult to produce a screenshot and imply this represents access; yet this message does represent a very worrying trend (as Aharoni points out).

Stolen enterprise data is also for sale. In the following figure we see a seller offering data stolen from a university.

Figure 7. Example of stolen information from a university offered for sale.


Access to Online Services

Many people subscribe to digital services, including music, videos, loyalty programs, and others. Because such accounts are relatively inexpensive, one might assume that information from them would not offer a sufficient return. Despite such economics, however, the availability of such accounts is widespread across multiple marketplaces, which suggests a demand among prospective customers.

When an online account is compromised, the legitimate owner can be impacted in a variety of ways. The account can be held or closed due to malicious activity by the buyer—sometimes causing weeks of support calls. A victim could also suffer financial losses from the purchase of items with stored credit card information, or lose access to free perks such as loyalty points collected during the lifetime of the account. Worse, there are circumstances in which the impact is quite disturbing.

The following image shows one example of online service accounts for sale.

Figure 8. Example of online video streaming accounts for sale.

Are online video streaming users the only victims? Hardly. The sad reality is that access to just about every conceivable online service is available. We found another online video streaming service account selling for $0.55. With single accounts to digital services selling for less than a dollar, criminals must move a lot of online accounts to make their efforts worthwhile.


Figure 9. Other online video streaming service accounts are for sale for less than $1.

Many online streaming entertainment media services are commonly sold. Both HBO NOW and HBO GO accounts can be found for less than $10 as well as other cable TV-branded streaming services. Clearly, video streaming services are in high demand. Even premium professional sports streaming services can be purchased for $15. We also found other online accounts being sold, including lifetime subscriptions to premium pornography accounts, as well as free referral links to the dark web market Agora.

Figure 10. Example of access to an HBO GO account for sale.

Figure 11. Cyberthieves sell Marvel Unlimited accounts for cheap access to digital comics.

Even free online accounts attract criminals. The following image shows a hotel loyalty account with 100,000 points on sale for $20. Customers legitimately open these accounts at no cost, and yet there is a market for them, resulting in the loss of accumulated perks that sometimes take years to accrue.

Figure 12. Even hotel loyalty programs are for sale.


One motivation for purchasing stolen online account access is to hide the buyer’s reputation, either due to bad business practices or outright fraud. A buyer wishing to acquire a new online auction community business identity can pay plenty, but an established account with good history can be valuable.

Figure 13. An online auction account for sale.

For less stringent needs, online auction accounts are available in packs of 100 for a range of account types.

Figure 14. A credit card sales location that also offers access to online auction accounts.

Identities

The sale of a victim’s identity is the most frightening category because it is so personal.

McAfee recently collaborated with law enforcement in Europe to take down the Beebone botnet. This botnet was able to download malware—including ZBot banking password stealers, Necurs and ZeroAccess rootkits, Cutwail spambots, fake antivirus, and ransomware—onto the systems of unsuspecting users. We are dismayed at the lack of remedial action taken by users, and in particular those based outside of the United States and Europe. Raj Samani’s blog on this topic said that a vast section of society fails to appropriately protect their data—often with significant ramifications.

In the following image we have an example of a person’s digital identity stolen by cyber thieves. A prospective buyer could take control of this individual’s digital life—social media, email, and more. (We have shared this information with law enforcement in the United Kingdom.)

Figure 15. Example of an identity for sale.


The preceding example, though rich in information, requires the buyer to wade through lots of text. But some sellers offer a more graphical interface to appeal to prospective buyers. The following example lets buyers choose individuals by their email accounts, the first step to taking control of other parts of the victims’ lives.

Figure 16. This service lets buyers easily choose a profile.

Closely related to the marketplace for stolen identities is the marketplace for stolen medical information. Such data is not as easy to buy as payment card data, but sellers of medical information are online. Security journalist Brian Krebs discussed this in his article “A Day in the Life of a Stolen Healthcare Record,” in which a “fraudster leaked a large text file [that] contained the name, address, social security number, and other sensitive information on dozens of physicians across the country.” (See following image.)

Figure 17. An example of information stolen from a medical service offered for sale. Source: Krebs on Security.


Although the majority of this report highlights the sale of stolen data, stolen data is sometimes openly shared without cost. In the following image, the hacker collective Rex Mundi disclosed identifiable patient data because the Labio service did not pay them a ransom of €20,000.

Figure 18. Hackers revealed private customer information to punish a medical company for not paying a ransom.

Conclusion

The examples of the hidden data economy in this report represent only the tip of an iceberg. We omitted many other categories and services, but we hope these examples make the threat clear. In this report we discussed stolen data offered for sale. Cybercriminals also buy products that enable attacks. This includes the purchase and rental of exploits and exploit kits that are fueling an enormous number of infections across the world. Cataloging the available offers is impossible because the field is growing at a tremendous rate.

When we read about data breaches, the cybercrime industry may seem so far removed from everyday life that it is tempting to ignore the message. However, cybercrime is merely an evolution of traditional crime. We must conquer our apathy and pay attention to advice for fighting malware and other threats. Otherwise information from our digital lives may appear for resale to anyone with an Internet connection.

About McAfee Labs

McAfee Labs is one of the world’s leading sources for threat research, threat intelligence, and cybersecurity thought leadership. With data from millions of sensors across key threat vectors—file, web, message, and network—McAfee Labs delivers real-time threat intelligence, critical analysis, and expert thinking to improve protection and reduce risks.

www.mcafee.com/us/mcafee-labs.aspx


About McAfee
McAfee is one of the world’s leading independent
cybersecurity companies. Inspired by the power of
working together, McAfee creates business and
consumer solutions that make the world a safer place.
By building solutions that work with other companies’
products, McAfee helps businesses orchestrate
cyber environments that are truly integrated, where
protection, detection and correction of threats happen
simultaneously and collaboratively. By protecting
consumers across all their devices, McAfee secures
their digital lifestyle at home and away. By working
with other security players, McAfee is leading the effort
to unite against cybercriminals for the benefit of all.

www.mcafee.com.

The information in this document is provided only for educational purposes and for the convenience of McAfee customers. The
information contained herein is subject to change without notice, and is provided “as is,” without guarantee or warranty as to the
accuracy or applicability of the information to any specific situation or circumstance.

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. Copyright © 2017 McAfee, LLC. 62122rpt_hidden-data_1215 DECEMBER 2015

2821 Mission College Blvd.
Santa Clara, CA 95054
888.847.8766
www.mcafee.com
