Symantec takes cybercrime snapshot with 'Underground Economy' report

The criminal market online for buying and selling stolen credit cards, pirated software and information about financial accounts is thriving, according to a report published Monday by Symantec.

The "Underground Economy" report contains a snapshot of online criminal activity observed from July 2007 to June 2008 by a Symantec team monitoring activities in Internet Relay Chat (IRC) and Web-based forums where stolen goods are advertised. Symantec estimates the total value of the goods advertised on what it calls "underground servers" was about $276 million, with credit-card information accounting for 59% of the total.

If that purloined information were successfully exploited, it probably would bring the buyers about $5 billion, according to the report -- just a drop in the bucket, points out David Cowings, senior manager of operations at Symantec Security Response.

"Ninety-eight percent of the underground-economy servers have life spans of less than 6 months," Cowings says. "The smallest IRC server we saw had five channels and 40 users. The largest IRC server network had 28,000 channels and 90,000 users."

In the one year covered by the report, Symantec's team observed more than 69,000 distinct advertisers and 44 million total messages online selling illicit credit-card and financial data, but the 10 most active advertisers appeared to account for 11% of the total messages posted and $575,000 in sales.

Click to see: Pie chart showing the online market of goods and services sold

Symantec's team spent the year primarily in the more accessible underground servers rather than in the tightly restricted ones that require authenticated access, Cowings says. The report cites North America as hosting 46% of the underground servers Symantec observed for the year, with the remainder primarily in Europe, the Middle East and Africa.

The hustle and bustle of trading in stolen goods thrived, with individuals using such names as "Spookie," "Luna" and "Shadow" -- people who sometimes bartered with each other.

According to the report, a bank-account credential was selling for $10 to $1,000, depending on the balance and location of the account. Sellers also hawked specific financial sites' vulnerabilities for an average price of $740, though prices did go as high as $2,999.

In other spots, the average price for a keystroke logger -- malware used to capture a victim's information -- was an affordable $23. Attack tools, such as botnets, sold for an average of $225. "For $10, you could host a phishing site on someone's server or compromised Web site," Cowings says.

Desktop computer games appeared to be the most-pirated software, accounting for 49% of all file instances that Symantec observed. The second-highest category was utility applications; third-highest was multimedia productivity applications, such as photograph or HTML editors.