id theft, anti-virus, malware, black market, hardening, business models, profitability, hackers, host intrusion prevention, Deep HIP, Third Brigade, Trend Micro, signatures, security awareness


Scott Wright's editorials on a variety of security issues for non-technical business managers and home computer users. Please feel free to comment and help spread the word that managers need to think about their information security risks.


  Scott Wright's Security Views
Blog Entry

People get ready - Drop in value of stolen IDs means more targeted attacks coming

Saturday, April 18th 2009 @ 8:49 AM

Despite all the security articles published to stem the growth of identity theft by educating the masses, we have reached an interesting milestone. Hackers who have been harvesting IDs have collected so many that the market is "devaluing" them. My take is that hackers will have to look for more lucrative ways to spend their time and effort, and the logical progression is to shift toward committing fraud that brings in more money.

Brian Krebs of the Washington Post references a Verizon report indicating that the black-market value of an individual's identity data (e.g. combinations of name, date of birth, address, Social Security number, user IDs, passwords, etc.) dropped from over $10 per identity in 2007 to less than $0.50 by early 2009.

Where there used to be an open underground market for stolen identity data, thieves now seem to be stockpiling it and releasing it in smaller batches so as not to drive the price down further by flooding the market. It is starting to look like the way a cartel operates.

So, having learned how to fool people into following links or leaking information to people they hardly know, I believe hackers are now more likely to shift their sights and look for three things going forward:

  1. Companies with business models that let the hackers gather valuable data that moves in lower volumes, so they can resell it to unethical companies and governments
  2. Companies with business models that let the hackers infiltrate their operational systems with malware that can "skim" funds directly or indirectly and transfer them into short-lived entities; perhaps even using hijacked bank accounts to hold funds temporarily
  3. Any computer systems that can be infected with malware to operate online businesses from behind a legitimate entity, with no cost or liability to the hacker (i.e. illegal business practices)

If you thought your business wasn't a target before because your data wasn't high value, think about whether your computers could be commandeered to do business for a hacker. Any unprotected computer is still a target, and once it is under their control you could be liable for any illegal business conducted through your network.

There's no doubt in my mind that all three of these modes of operation are already being used by some hackers. They take a bit more work than just harvesting and reselling identities. Just as in many other markets, the raw materials may start out being valuable, but as the market matures the "value-added" services become more lucrative.

For example, back in the 1980s computer memory chips were so valuable that they were being stolen by the truckload. That's no longer the case: much higher value products arose that could be stolen with less effort and risk required to obtain and dispose of them.

Our only solace is that there seems to be a limit on the black-market value of most commodities. Most people don't really want to buy stolen goods or services. The online music market is an interesting case, if you're thinking that millions of people have effectively been stealing songs: most weren't trying to resell them; it was usually just for their own use.

The other reason I think the shift to more targeted online fraud is inevitable is that thieves are learning that using fast-spreading viruses as the vehicle for taking over millions of computers makes them very visible to anti-virus vendors. The good guys have depended on capturing malware as it spreads so they can analyze it and come up with a "vaccine" for it, in the form of "signatures" they can detect.

But the bad guys are learning that their targeted malware, a program that just sits on other people's computers and makes them money, doesn't need to spread at all in order to be profitable. This means anti-virus companies will find it harder and harder to detect such malware through signatures, because it won't spread fast enough for them to collect samples; they may never see enough copies of it to create effective signatures.

Without a way to recognize and act on malware it has never seen before, anti-virus software doesn't add much value against these attacks. The good guys will have to focus more on understanding what a system "should be doing" and looking for activity on the computer that doesn't fit; something like Deep Host Intrusion Prevention (Deep HIP). Moves in this direction are already happening, as evidenced by new technology partnerships such as Trend Micro's OEM relationship with Third Brigade (click HERE). Third Brigade does for the hosts on a network roughly what my Streetwise Security Awareness Program teaches people to do in their office environment:

  1. Understand and use basic security principles
  2. Understand in advance "whom to trust"
  3. Understand what "should" be happening
  4. Focus operations on "what to allow" instead of "what to deny" when it comes to risk decisions
  5. Learn from every incident, and use feedback to refine your process for improved security and efficiency
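As an added illustration of the shift described above, from signature (deny-list) detection to checking "what should be happening" (allow-list) detection, here is a small Python example written for this page. It is not Trend Micro's, Third Brigade's or the author's code. Every host name, path, hash, parent process and address is constructed sample data, and the baseline rules are illustrative, not any product's policy.

```python
"""Deny-list (signature) detection beside allow-list (baseline) detection.

Added example for this post, not Trend Micro's, Third Brigade's or the
author's code. Every host, path, hash, parent process and address below is
constructed sample data, and the baseline rules are illustrative only.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    image_path: str                 # full path of the launched executable
    sha256: str                     # hash of the executable image
    parent: str                     # file name of the parent process
    remote: Optional[str] = None    # "ip:port" of an outbound connection, if any


def fake_hash(label: str) -> str:
    """Stand-in for a binary's SHA-256 (hash of a label, not of a real sample)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed events: two normal launches, one well-known worm, one targeted implant.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", fake_hash("explorer"), "userinit.exe"),
    ProcessEvent("ws01", r"C:\Program Files\Office\winword.exe", fake_hash("winword"), "explorer.exe"),
    # Fast-spreading worm: enough copies reached vendors that a signature exists.
    ProcessEvent("ws02", r"C:\Windows\Temp\svch0st.exe", fake_hash("worm-2009"),
                 "services.exe", remote="198.51.100.7:6667"),
    # Low-volume implant dropped by a document: it never spreads, so no signature.
    ProcessEvent("ws01", r"C:\Users\alice\AppData\Roaming\updater.exe",
                 fake_hash("targeted-implant"), "winword.exe", remote="203.0.113.10:443"),
]

# Deny-list: hashes of malware a vendor has already captured and analysed.
SIGNATURES = {fake_hash("worm-2009")}


@dataclass
class Baseline:
    """What this fleet 'should' be doing; anything outside it gets reported."""
    allowed_hashes: set = field(default_factory=set)
    # Executables are expected to run from these directories (lower-cased prefixes).
    trusted_dirs: tuple = ("c:\\windows\\", "c:\\program files\\")
    # Office applications are not expected to spawn child executables.
    no_spawn_parents: set = field(default_factory=lambda: {"winword.exe", "excel.exe"})
    allowed_remotes: set = field(default_factory=set)   # "ip:port" pairs seen in normal use


BASELINE = Baseline(
    allowed_hashes={fake_hash("explorer"), fake_hash("winword")},
    allowed_remotes={"192.0.2.25:443"},   # e.g. the patch server (constructed address)
)


def signature_detect(events: List[ProcessEvent]) -> List[ProcessEvent]:
    """Deny-list model: report only events whose hash matches a known signature."""
    return [e for e in events if e.sha256 in SIGNATURES]


def baseline_detect(events: List[ProcessEvent], baseline: Baseline = BASELINE) -> Dict[str, List[str]]:
    """Allow-list model: report every event that deviates from the baseline, with reasons."""
    findings: Dict[str, List[str]] = {}
    for e in events:
        reasons = []
        if e.sha256 not in baseline.allowed_hashes:
            reasons.append("executable not in allow-list")
        if not e.image_path.lower().startswith(baseline.trusted_dirs):
            reasons.append("launched from untrusted directory")
        if e.parent.lower() in baseline.no_spawn_parents:
            reasons.append(f"spawned by {e.parent}")
        if e.remote and e.remote not in baseline.allowed_remotes:
            reasons.append(f"unexpected outbound connection to {e.remote}")
        if reasons:
            findings[e.image_path] = reasons
    return findings


if __name__ == "__main__":
    print("Signature hits:", [e.image_path for e in signature_detect(SAMPLE_EVENTS)])
    for path, reasons in baseline_detect(SAMPLE_EVENTS).items():
        print("Baseline deviation:", path, "->", "; ".join(reasons))
```

The point to notice when you run it: the signature check reports only the worm, because that is the only sample a vendor has seen; the baseline check reports the worm and the implant, and for the implant gives the reasons an analyst can act on (unknown binary, launched from a user profile directory, spawned by Word, outbound connection to an address nobody else talks to). The cost of the allow-list model is keeping the baseline current as legitimate software changes, which is exactly the "learn from every incident" feedback loop in item 5 above.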

One of the keys to addressing the problem on the human side, I believe, is to teach people to avoid risky actions online that can lead to infection, especially through targeted methods that rely on individuals trusting others they barely know. Firewalls and anti-virus products are necessary but no longer sufficient. In fact, technology solutions will probably never be sufficient on their own. We need to harden the "people" processes (both formal and informal), as well as the "data flows", to thwart the next wave of targeted attacks.

(Click HERE for more info on The Streetwise Security Awareness Program)



I am now offering monthly briefings, tailored to organizations that want to build and sustain security awareness for staff. Just because your security team is too busy to do its own training and awareness doesn't mean you can't have an economical way to address human security risks. Please call or email me at the coordinates below...

Scott Wright

The Streetwise Security Coach

Join the Streetwise Security Zone at:
http://www.streetwise-security-zone.com/join.html

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Twitter ID: http://www.twitter.com/streetsec

To receive weekly security tips and other notices about helpful content available on this site, please make sure you are on my list by clicking HERE, and entering your name and email address.

Comments

ScottWright
Group Administrator
ScottWright said on Wednesday, April 29th 2009 @ 11:17 AM:

Not a huge surprise, but Trend Micro is now looking to buy Third Brigade...

http://www.ottawabusinessjournal.com/294362672793607.php

This shows even more conviction on Trend Micro's part that the "signature-based" threat detection model requires a complementary safeguard such as what I discussed in the article above.