Stolen credit card data is a highly sold item on underground markets, as well as the malware and tools thieves need to steal the data themselves.
Malware is malicious, bad software. It’s the code that cyber-criminals use to steal credit card numbers and bank accounts. As we all saw with that hack against Target, cyber-criminals are getting really good at using malware.
They’re getting so good they’ve built a thriving underground where credit cards go on sale before the rest of us even knew a mega-breach happened.
On a recent day, at a crowded Starbucks in dowtown San Francisco, Tom Pageler powers up his laptop and takes me online shopping — with a twist. We go to the anonymous Tor network, to a website that requires a log in and that he didn’t want to reveal the name.
Pageler doesn’t want to tip off anyone, because being a trusted user on a criminal website takes work. It’s a lot like eBay; you’ve got to visit, buy and sell regularly and get rated and reviewed by your peers.
“When they transact with you, no one’s getting arrested, no one’s getting burned,” Paegeler says. “So every time you make a transaction on the underground, you’re just building your street cred.”
Today, credit cards are on super sale. Pageler says that means a big breach just happened.
Strangely, platinum credit cards on the site are selling for less money than gold cards. Apparently people in the underground don’t just look at credit limits. They do analytics to see, according to the data, what banks have the weakest security.
“For them, they’ll know based on bank ID number which bank it is, and where they’re getting the best return on fraud,” he says.
Pageler is not actually a cyber-criminal. He’s a former Secret Service agent who studied them and is now in the private sector, at DocuSign. Today he’s showing me how a low-level operator would work this site. Say I wanted to launch an attack. Without any specialized coding skills, I could buy the package of services I need: a list of 10,000, customized by age, gender, region; that goes for just $79. To make sure the emails work, there’s a “cleaning price” of $48, Pageler says.