Two questions on cybercrime yield valuable intel for potential victims: 1) Aside from ransomware, how do cyber criminals make money; and 2) How do they hide it?
1. Cyber Criminals Seek High Returns on Investment.
All investors, whether pursuing legal or illegal paths, concentrate on the ROI – return on investment. In addition to financial capital, cyber criminals focus on the effort expended compared to the potential gain. Whether acting individually or in a syndicate, cyber criminals sell their goods primarily in bulk.
According to a June 24, 2020 report on the Dark Web Price Index 2020, the following are average prices for stolen accounts on the dark web:
Credit Card Data (Cloned Mastercard with PIN): $15
Cloned American Express with PIN: $35
Stolen online banking logins, minimum $100 on account: $35
Stolen online banking logins, minimum $2000 on account: $65
Stolen PayPal account details, minimum $100: $198.56
US driving license, high quality: $550
Hacked Facebook account: $74.5
Hacked Instagram account: $55.45
Hacked Twitter account: $49
Hacked Gmail account: $155.73
Based on an ATLAS VPN report, Forbes reported that Social Security Numbers trade for $4, whereas physical passport prices range from $2,980 to $5k.
At these prices, criminals must accumulate large numbers of these commodities before selling to recoup the costs of their investments. These investments initially include the purchase of exploit kits (specialty software), botnet leases, “hacking as a service” licenses, and malware code. A 2016 Ponemon Institute study found that technically proficient hackers spend an average of $1,367 for specialized attack toolkits.
Aside from these financial expenditures, the cyber criminals must invest their time. And, as with any business, the goal is to minimize time and costs in extracting a profit. Therefore, entities and individuals that arm themselves with sufficient cybersecurity measures and make it more difficult for hackers to obtain marketable credentials can help remove the target on their backs. Hackers may be dissuaded or financially prohibited from attacking systems that are too difficult and compromise the ROI.
Thinking of cybercrime as an entrepreneurial enterprise, forces businesses to plan cyber defense spending in an efficient manner. Comparing prices of data on the black market against the inventory of a business’s own valuable data will allow budget priorities to set themselves.
2. Cyber Criminals Launder Money through Video Games.
Similar to normal, tax-paying citizens, cyber criminals make basic purchases with their ill-gotten gains: food, clothing, phones, and entertainment services. However, for larger sums, these criminals must launder their money to avoid attention from government regulators. Just like in Breaking Bad where character Walter White used a car wash to provide an appearance of legitimate income, cyber criminals use Fortnite to “clean” their money. An operation that has been ongoing for the better part of a decade, cyber criminals look for new video games that allow the purchase of gaming currency that can then be resold to other players.
Specifically, cyber criminals use stolen credit cards to purchase V-bucks on Fortnite, discount them and resell them in bulk to other players, other criminals on the dark web, and/or exchange V-bucks for actual money through the game itself. This allows cyber criminals to exchange out their currency to countries across the globe, in almost every language, avoiding traditional banks. While frustrating for innocent victims of cyber-crime, it’s an impressive Knights Templar-style tactic (although lacking ideology and good intentions).
For other Fortnite players (especially 13 y.o. kids with unblemished credit histories), it’s a warning not to purchase V-bucks online at eBay or other discount gift-card websites, as the purchaser is unknowingly introducing themselves to these criminals as washing machines.