Hackers are craftier than ever, pilfering PII piecemeal so bad actors can combine data to set up schemes to defraud medical practices, steal military secrets and hijack R&D product information.
Create a Repository of the Stolen Data
Hackers start by taking an inventory of what was stolen. They will look through the stolen data files for the victim’s authentication credentials, personal information such as names, addresses and phone numbers, as well as financial information such as credit card details. Much of this information can be used for future attacks or sold off for more money.
Sell the Personal Information
Once an inventory is created, hackers will package up and sell personal information such as names, addresses, phone numbers, and email addresses. These records are typically sold in bulk, mainly to maximize profit. The more recent the records are, the more valuable they are on the black market.
Target Data That’s Worth the Most Money
Once the baseline personal information is accounted for, hackers will then comb through the list of authentication credentials and look for potentially lucrative accounts. Government and military addresses are very valuable, as are company email addresses and passwords for large corporations. Users are notoriously bad at selecting passwords. Many people reuse their passwords, which lets hackers use credentials for military or corporate accounts to target other companies or other accounts owned by the original victims. In one noted example, Dropbox was breached in 2012 using credentials stolen during the LinkedIn data breach earlier that year. This type of attack is very common: attackers will decide what will make the most money. They may plan such a hack themselves, or they may sell the credentials to others on the dark web for a higher price.
Sell Credit Card Information
Financial information such as credit card numbers is typically packaged by hackers and sold in bundles. A criminal with the right contacts on the black market could easily buy credit card information in groups of ten or a hundred. According to Laliberte, usually a “broker” buys the card information, then sells it to a “carder,” who goes through a series of phony purchases to avoid detection. First the carders use a stolen credit card to buy gift cards to stores or to Amazon.com. They then use those gift cards to buy physical items. The carder may then sell the electronics through legitimate channels like eBay, or through an underground website on the dark web. According to McAfee, a credit card with a CVV2 code on the back is worth between $5 and $8, but if it also has the bank’s ID number, it could go for $15 online. If the stolen record includes the victim’s complete information, it could go for up to $30.
Offload Remaining Stolen Data in Bulk
After several months, the hacker will bundle up authentication credentials and sell them in bulk at a discounted price on the dark web. By now, most of the credentials are worthless since the company has most likely discovered the breach and taken steps to fix it. For example, a database containing the entire LinkedIn credentials dump from several years ago is still available, but is for the most part of little value.
Receive Refunds on Phony Tax Returns
Criminal organizations will take stolen identities and file fraudulent tax returns, seeking to receive tax rebates from both state government treasuries and the IRS. In most cases, they assemble the data sets piecemeal, often stealing names, addresses, social security numbers and other financial information separately. Once they have enough data, they file the fraudulent return. While the IRS reports that total fraud losses dropped 14% last year, fraudsters still stole $783 million.
Open Fake Medical Practice and File Fraudulent Claims
This has become a growing problem, especially with Medicare, where the federal government estimates that roughly 10% of the money spent on the program is lost to fraud and waste. Trustwave reported this year that one medical record from a single individual fetches $250 on the black market. Because of the millions of dollars that can be made on the black market, criminals set up fraudulent medical practices and submit false claims based on stolen information. They will also prey on the elderly or almost any other citizen. It’s easy to send bills for small amounts that people assume they need to pay. Incremental payments of $26 here and $56 there add up and don’t take a lot of work on the part of the criminal.
Sell Intellectual Property
Companies in the industrialized world spend millions of dollars every year on research and development, money that developing nations in the Middle East, Eastern Europe and Asia don’t have. It was bad enough when hackers stole emails, social security numbers and salary data on more than 50,000 Sony employees a few years ago, but it escalated to another level when unreleased movies, important IP to Sony, were stolen. The stolen IP issue has been in the news of late as President Trump has waged a trade war with China over the multi-billion dollar US trade deficit with China as well as the People’s Republic’s policy of stealing IP from US companies. The United States Trade Representative recently reported that IP theft by the Chinese alone costs US businesses at least $50 billion annually. Most of these hacks are sophisticated actions sanctioned by nation-states and have grabbed the attention of the federal government. Other more garden-variety hackers also sell stolen data piecemeal. Stolen emails, for example, can lead more sophisticated hacking organizations to IP theft that would interest developing nations.