Surveying the criminal market

Simon Tame | 10 November 2016

It’s no secret your personal information and data is valuable to cybercriminals, but is there more of a market for certain types of data than others? During our research into criminal forums and marketplaces, it’s never surprising to see personal data on sale, be it payment card details, social security numbers, compromised accounts or databases. So how common is the trade of these types of data, and how do they compare to each other in terms of how frequently they advertised? To establish some indication of this, we ran searches for keywords and phrases on over 300 criminal locations. The results of which are shown in Figure 1.

Items for sale criminal marketplaces 

The graph shows that the discussion of payment card details is considerably more frequent than the other data types. This is not to say that the number of mentions in the graph directly translate to the number of payment card details being sold, but I would argue that it highlights how frequently this data is traded, sold and posted to criminal forums and marketplaces. There are a number of possible explanations for this, but I would say that credit card details can be easily monetized by cybercriminals, which in turn increases the demand for this type of information. This is evident through the large number of clear and dark web sites dedicated to the sale of payment card details, called automated vending carts (AVCs), examples of which include Rescator and Bestvalid. Quite simply, there is readily accessible money behind a compromised payment card details, while monetizing a social security number, account or a database can take a lot more time and effort.

Further contributing to the overwhelming disparity between discussions of payment card details and the other highlighted commodities could be the relatively large number of methods by which they can be compromised. For instance, it’s possible for attackers to use physical skimming devices, point of sale malware, keyloggers, phishing pages and other forms of social engineering and even data breaches to steal or acquire compromised payment card information. These factors are all likely to contribute to the number of payment card details available on criminal forums and marketplaces.

While our findings relating to keywords cannot be used to quantify the number of payment card details, or indeed other commodities, being sold on criminal locations, the findings do provide insight in to how popular each type of data is. Research such as this helps us to understand the state of the cybercriminal marketplace, including what cybercriminals can most easily obtain, and what is likely to be perceived as the most profitable commodity. Developing this understanding in turn enables us to develop a stronger appreciation of the cybercrime ecosystem, which helps develop our appreciation of a threat actor’s environment.