When Zappos notified its customers that their names, email addresses, billing and shipping addresses, phone numbers and the last four digits of their credit card numbers may have been exposed during a data breach earlier this month, the online shoe retailer emphasized that “critical credit card and other payment data was NOT affected or accessed.”
That’s definitely a relief. It means that the 24 million customers whose information may have been compromised in the breach don’t immediately have to worry about finding mysterious charges on their credit card statements at the end of the month.
So what do they have to worry about? According to experts, the most likely security risks for consumers range from the annoying (more spam in their email inboxes) to potentially much more dangerous targeted “phishing” emails, where the sender disguises himself as a trusted individual or organization in order to trick the recipient into clicking a link that will download malware onto his or her computer or into giving the sender confidential information such as a password, credit card or Social Security number.
The hackers who infiltrated Zappos’ databases certainly accessed a bundle of information. Other breaches, such as some of the web server attacks perpetrated by hacktivists, expose only names and email addresses. Whether large or small, these breaches raise a number of questions:
- Why is this information valuable to cybercriminals?
- What’s the actual, monetary value of this information?
- What’s the minimum amount of information cybercriminals need to perpetrate their misdeeds?
- When a company gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
- What’s the risk to consumers when cybercriminals get this information?
- What are the odds of those risks occurring?
Why is this information valuable to cybercriminals?
Personal information is the currency of the underground economy. It’s literally what cybercriminals trade in. Hackers who obtain this data can sell it to a variety of buyers, including identity thieves, organized crime rings, spammers and botnet operators, who use the data to make even more money.
Spammers, for example, might get a fresh list of email addresses to which they can send Viagra and Cialis offers. They make money (say $1 per click) off response rates or website/pop-up ad impressions. Meanwhile, identity thieves could use the email addresses to create a phishing scheme designed to trick people into giving up their bank account or credit card numbers.
Rod Rasmussen, president and CTO of Internet Identity, a Tacoma, Wash.-based Internet security company, says cybercriminals trade this information among each other to create a more complete picture of an individual. “The idea is, you put together more information on people so you can do more damage. You get their name, credit card number, PIN number, email address, phone number from different sources to get their full information.”
What’s the actual monetary value of this information?
A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.
“There’s so much data flowing around, you have to have lots of it in order to get money for it in the underground,” says Rasmussen. “Even credit card numbers are going for under $1.”
That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop–cha-ching–they’ve just made $250,000 off of one hack.
Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos’ so that you can then send malware to those email addresses, even if only 20 percent of recipients get infected with your malware that takes control of their computer, you’ve still grown your botnet by about 5 million computers with very little work, he adds.
“Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam,” says Sjouwerman. “These guys make money hand over fist.” Of course, their illegal activity also means criminal charges, jail time and financial restitution.
What’s the minimum amount of information cybercriminals need to perpetrate their misdeeds?
Sjouwerman says all cybercriminals require to start doing damage is an individual’s email address. With that, they can inundate victims’ inboxes with spam.
To steal people’s identities or commit credit card fraud, cybercriminals need a password, credit card or Social Security number, says Rasmussen. If they have people’s email addresses, they can sometimes obtain that more sensitive data by sending phishing emails or distributing malware via email, says Sjouwerman. Some malware installs key-logging software that records usernames and passwords when they log on to their various online accounts, he says. If one of those accounts is a bank account, cybercriminals can quickly empty it.
If cybercriminals get only the last four digits of your credit or debit card, they may be able to use it to reset your password on an ecommerce site, says Rasmussen. Some companies use the last four digits of customers’ credit cards as a PIN code, and they may ask for it if you need to reset your password, he says. So cybercriminals may use it to reset your password so that they can make purchases using your account. But more likely, adds Rasmussen, “They’ll sell that information to someone else who will do some other attack.”
When an organization gets hacked, how long does it take before cybercriminals start exploiting the information they obtain?
It depends on the criminal and the information they obtained, says Rasmussen. If credit card numbers are involved, fraudsters will start using that information immediately, he notes. Cybercriminals who use emails for phishing schemes may also act quickly. To trick more people into downloading malware onto their computers or giving out sensitive information, cybercriminals may send a fake breach disclosure notification asking victims to reset their passwords on a website that looks real but is, in fact, fake, before the company that was hacked sends out a disclosure notice, says Sjouwerman.
- Next >
Vital info about cybercrime: url no longer available?