In just four years, cybercrime has evolved from a craft practiced by a few hard-core hackers to something resembling an easy-entry career.
Sophisticated pieces of malware can be bought “off the shelf,” ready to use, making it simple for anyone to launch an online life of crime. Stolen data and criminal services that were once hard to find have become cut-rate commodities.
That’s the sobering conclusion of a report from PandaLabs, the anti-malware research division of Spain-based Panda Security.
In 2007, the online black market was focused mainly on selling and buying small pieces of malware such as Trojans and rootkits, as well as data such as personal bank-account and credit-card details hijacked from users around the world.
Today, people can buy credit- and debit-card information for as little as $2 per card. To learn the size of a card’s available credit line or attached bank balance, it’ll cost you $80 for smaller amounts, more than $700 for accounts with balances of at least $82,000.
For accounts that cardholders regularly use to make purchases online — or which are attached to payment platforms such as PayPal — prices start at $10 and increase to $1,500, depending on the platform and the guarantee of available funds.
Cybercrime wholesalers also offer cloned, physical credit or debit cards starting at $180 each; card-cloning machines from $200 to $1,000; and even fake ATM machines, which can cost up to $35,000.
Money-laundering services (via bank transfers or cashing checks) are available for a commission — usually 10 percent to 40 percent of the operation.
For between $30 and $300, the cybercriminals will even purchase goods and forward them to buyers who use stolen bank accounts to buy products online, but don’t want the goods sent to their own addresses.
For budding cybercriminals who want to set up fake online stores, use rogueware techniques to obtain user details or collect the money victims pay for fake antivirus products, there are developer teams available to design, build and install complete retail websites. The price depends on the project.
Rental costs for botnets — large networks of secretly hacked “zombie” PCs — to send spam vary depending on the number of computers, the frequency of the spam and the rental period. Prices start at $15, with additional options including renting e-mail servers or anonymity-guaranteeing virtual private networks.
Many sellers hawking illegal software and services keep out of sight of most Internet users by sticking to underground forums, although some advertise their “office hours.” Some cybercriminals even have accounts on Facebook and Twitter, which they use as virtual shop windows.
But to ensure anonymity, contact is always made using instant-messaging applications or free, generic e-mail accounts.
“Once contact is made, the transaction can be executed directly or through a website set up by the seller, using a username and password, which as with any online store, allows buyers to browse and fill their ‘shopping cart,” according to the report. “Payment is always made upfront using services such as Western Union, Liberty Reserve and WebMoney.”
The latter two are digital currency exchangers, used to legally funnel money across the Internet.
Programmer Ben Shutman, an expert on cybersecurity, agrees that the cybercrime landscape is changing.
He said anyone can buy an off-the-shelf commercial malware kit for $200 to $4,000.
With the kit, the new cybercriminal can send an e-mail with a link to a victim.
Once the intended victim clicks on the link, he will be taken to a website that automatically downloads software to his computer that can extract credit-card and bank-account numbers.
The computer will also be set up to forward spam and host illegal content, both commoditized services which can be rented to other cybercriminals.
According to Shutman, today’s cybercriminals no longer need extensive programming skills to set up botnets and harvest data because there are “turnkey” programs that simplify the process.
Apple users aren’t safe from cyberattacks just because they run Mac OS X. Cybercrooks can usually infect any operating system, Shutman said.
So how can you avoid becoming a victim? The first step is to install antivirus software on your computer, no matter which operating system it runs, and make sure that virus definitions are automatically updated. Free antivirus software can be downloaded from reputable sources such as CNET.
Second, create a separate administrator account for your computer, and use it only for installing software. Do everything else using limited accounts that can’t affect the computer’s operating system.
Lastly, use common sense. Don’t open e-mail attachments you’re not expecting. Don’t buy unusually cheap software. Check the URL — or Web address — whenever you go to a website. And remember that banks will always call you, never e-mail you, if there’s a problem with your account.