'Shopadmins' And the ID Theft Cycle
washingtonpost.com today published a story based on the 10 hours of lurking I did on a variety of underground chat and Web channels frequented by identity and credit card thieves. From that research, Security Fix confirmed recent data breaches at four online merchants that were unaware that hackers had broken into their databases until we contacted them.
I gathered piles of data from talking with nearly two dozen victims whose personal and financial information was posted into the fraud forums. Some of the more colorful material from those interviews was left out of the story, mainly for flow and length reasons. Anyway, several chilling and common threads were clear from the interviews with victims.
First, the initial credit-card theft is only the first step in a larger identity theft scam.
Second, far too many sites are compromised each month by hackers and scammers while their owners remain completely oblivious or in denial.
Finally, many of the victims of credit-card theft interviewed for this piece said they decided to shop at the sites that lost their data because they were the least-expensive vendor found through bargain shopping sites.
The text below goes into some of the above points in more detail (and it makes a bit more sense if you've already read the story):
Shopadmins

A solicitation for "shopadmins," among other illegal goods. Shopadmins are hacked online merchants from which crooks can extract fresh customer credit cards as new orders come in. (Screenshot by Brian Krebs)
In the same underground chat channels I monitored for the story, solicitations can regularly be seen for "shopadmins" -- the slang term in fraud circles for paid, illicit access to Web sites whose databases have been hacked.
In the world of credit-card theft, obtaining "fresh" account numbers is the most important part of the game, as many stolen credit cards that scam artists sell in bulk online are usually either sold multiple times or canceled by the time the fraudster purchases them. But by gaining real-time access to a shopadmin, thieves can retrieve active credit cards from a Web site's database shortly after customers place an order at the hacked online store.
In most cases, the criminals who steal credit-card data do not use the information themselves, but rather sell it in bulk to other crooks or criminal rings. Under federal law, consumers are not liable for more than $50 worth of charges that result from credit-card fraud, and most issuers will even waive that amount and simply issue the victim a new credit-card number. But experts say credit data stolen along with other personal information can provide identity thieves with the ability to glean even more information about victims. [Security Fix]