Report: Online black market for personal data thriving


Credit card and bank account information are the most common items sold on the Internet-based black market, concludes a report published by the Web security multinational Symantec.

Information about credit cards represented 32% of data illegally available online in 2008, compared to 21% in 2007. Bank account credentials on sale grew from 17% to 19% in the same period, according to the annual report on the security of the Web carried out by Symantec.

The underground online economy works through websites, or more often chats, where personal information of any kind is sold at accessible prices. Symantec calculates that sensitive information about a credit card and its holder can cost as little as $6 cents (4.50 euro cents) and reaches a maximum of $30 (22.8 euros). 

Prices change according to the accuracy of the information provided, which can also include PINs and passwords, on top of the more common credit card number, expiry date and holder data.

Buyers can use that information to make fraudulent online purchases. "Online shopping can be easy and fast, and a final sale often requires only basic credit card information. Someone knowledgeable enough could potentially make many transactions with a stolen card before the suspicious activity is detected and the card is suspended," reads the report.

Moreover, credit cards are sold in the online black market in bulk packages of anything from 100 to 5,000 stolen cards. This increases the likelihood of the illegal buyer profiting from the cards, and minimises losses related to cards no longer in circulation or with modified numbers and access codes. 

Symantec explains that criminal organisations operating on the Internet are also able to produce brand new credit cards with stolen data, allowing buyers to make illegal purchases in real shops, too. 

Although new, more efficient security systems are being applied by card companies, the risk of such fraud is booming as payment card use increases. 

Indeed, the United States is both the country with the highest number of cards in circulation (1.3 billion cards, an average of over four per person), and the biggest centre for illegal chats or sites selling stolen cards. In comparison, European countries are still lagging far behind.

Bank account details cost more on the online black market, with prices ranging from $10 to $1,000 (7.50 to 757 euros). Corporate accounts are the most targeted, due to their higher capital turnover. "Beyond straightforward account cash outs, bank accounts can also be used as intermediary channels to launder money or to fund other online currency accounts that only accept bank transfers for payments," explains the report.

To collect this information, hackers use several techniques, such as phishing, magnetic stripe skimming (EURACTIV 29/04/08) and breaking into databases. Phishing is the most common, meaning attracting users to fake websites spoofing the sites of genuine companies, especially financial institutions (in 79% of the cases). Responding to bogus requests, users give away their personal data, which is then used to feed the underground economy.

The United States is the largest global host of illegal websites used for phishing (43% of the total), followed by Poland (6% compared to 1% in 2007). Symantec detected over 55,000 phishing websites worldwide in 2008, a 66% increase compared to 2007. This booming trend is also a result of the growing availability of automated phishing toolkits, which are readily available on the black market and allow would-be hackers to set up illegal websites with very little effort.

The report also explains that the second most-targeted companies are Internet service providers, which hold data about email accounts. Hackers can access personal emails and the sensitive information often stored in them, including passwords and codes. Indeed, email accounts are the third most-sold item on the online black market.


The EU is determined to increase the use of electronic payments to replace the more expensive and less secure cash option. The adoption of the Payment Services Directive and the establishment of the Single Euro Payment Area (SEPA) both push in this direction. 

But not many legislative initiatives have yet addressed the growing number of electronic fraud cases. An action plan was implemented between 2004 and 2007 (see EURACTIV Links Dossier).

As part of an ongoing review of EU telecoms rules, which is currently under discussion between the EU institutions, new privacy safeguards are about to be introduced which are a concern for Internet security companies like Symantec and McAfee, both represented by the Business Software Association (BSA). They fear that new requirements to process traffic data could hamper their ability to counter fraud and protect computers from hackers' attacks.

Further Reading

Subscribe to our newsletters