New Year’s Sales; Big Discounts on Stolen Data

Headlines for January have been dominated by revelations of one retailer after another suffering from enormous breaches of personal, and financial data.  From the 18th of December 2013 when news of the Target breach were publicly disclosed, to Neiman Marcus the cumulative loss runs into the many tens of millions.  At McAfee Labs we provided analysis into the Point of Sale (PoS) malware used for the Target breach which answers one of the key questions; namely how were attackers able to intercept approximately 110,000,000 records worth of payments, transactions, and other personally identifiable data.  Another question however is the net result of so much data flooding the underground economy.

In Q2 2013 we published the whitepaper entitled ‘Cybercrime Exposed’ whereby analysis of the broad nature of cybercrime products, tools and services were presented.  One of the categories within the White Paper was ‘Hacking-as-a-Service’ in which the end-customer of the cybercrime could simply purchase products such as credit cards.  The indicative prices are presented below:

Figure 1

Whilst the prices may have been relatively accurate in the summer of 2013, the reality is that as a direct result of recent breaches, the prices for large volumes of credit cards have plummeted significantly.   With newer dumps of card data related to recent breaches appearing with alarming regularity, the ‘over’ supply of cardholder data is clearly impacting prices.  This is demonstrated in the recent dumps entitled “Eagle Claw 1” and “Eagle Claw 2”, shown in the below screenshots.  “Tortuga” is a little older:



Please note that specific information in the screenshot have been intentionally obfuscated.  This of course is only one of many dumps available, earlier examples include Tourtuga and Barbarossa.  As the below example demonstrates the prices do appear to be falling as more card data floods the marketplace:


As of January 31, the pricelist for CC Dumps and Cards ranges from 2.00 USD to 85.00 USD depending on geography and completeness of data (CVV2 inclusion).

fig 10




Note that in addition to accepting Bitcoin, this site (and others) also accept Web Money, Lesspay,  Western Union and MoneyGram.  In our recent research paper entitled ‘Digital Laundry’ we reviewed the role of virtual currencies within cybercrime.

To further illustrate the pricing, here are some current listings on Carding forums/markets that are not affiliated with the Lampeduza Republic:


Compare this to prices from January 2011:


We should of course not be surprised, and these examples are just a small tip of the iceberg.  Also, whilst price reduction is just one impact, forums and their participants are demonstrating significant frustration at the disclosure of these breaches.  The below excerpts show recent commentary from within the community directed at a notable, independent, security researcher:




Note the spelling of “картонко” above.    You’ve seen this before if you have been following all the news around the retail POS issues.   In this context it’s referring to cards (aka credit cards).


Selling data, CC Numbers, and other financial jewels is not all that is available in these forums/markets/communities.  Many provide a full service.   It is not uncommon to also be able to acquire specific software ‘tools of the trade’ or the services of those that will use said tools for you so as to distance yourself (or your customer) from some of the risk.

Some examples:


  • General malware
  • Keylogging and Backdoor Trojans (kit and ready-made)
  • Crypting / Packing Tools
  • Scripts / Probes / Scanners
  • Brute force scripts (tailored to specific accounts, i.e. Paypal)
  • Cameras, Skimmers, and other hardware solutions
  • RFID & NFC Tools



  • Education / Classes (Carding tools, lingo, POS and Banking software)
  • Escrow and Anonymity Services
  • Tool and Exploit development
  • Shipping services (stealth and anonymous)
  • Currency “conversion”
  • CC and CVV Verification
  • ID and Passport Creation
  • Email / SMTP services (including flooding / DoS)
  • VPN
  • Reverse engineering
  • Decryption (ex: password cracking, etc)
  • Printing and Embossing


With further revelations hitting the media on a daily occurrence we can expect to see the supply of stolen data for sale to increase, and ultimately a further decrease in the prices offered.  Moreover, as we documented in the CyberCrime Exposed whitepaper the technical bar required to become a cybercrime has never been so low, indeed all that is required to be a cybercrime is access to the internet.




The post New Year’s Sales; Big Discounts on Stolen Data appeared first on McAfee.