Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit DocumentsBy: Elizabeth Clarke
Dell SecureWorks, an industry leader in information security services, has recently discovered several underground marketplaces where hackers are selling information packages containing "verified" health insurance credentials, bank account numbers /logins, social security numbers, and other personally identifiable information (PII) on victims. These packages of data are referred to in the underground as "fullz", an underground term for the electronic dossier on a particular individual, compiled specifically for the purpose of identity theft and fraud.
Don Jackson, senior security researcher with the SecureWorks' Counter Threat Unit™ (CTU) research team, said that when these "fullz" are sold, along with all the custom manufactured or counterfeit physical documents related to the identity data (e.g., credit cards, social secrurity cards, driver's license, insurance cards, etc.), the packages are referred to as "kitz." The current asking price for a complete identity theft kit, containing the health insurance credentials, is in the range of $1,200 to $1,300 each.
As evident by Jackson's findings, a number of these marketplaces are serving as a one-stop shop for identity theft and fraud. Not only are they selling the stolen credentials, but they also sell the supporting (counterfeit) documentation or ("dox") for an extra charge. Although Jackson did not identify specifically who was behind the underground marketplaces, he does suspect that the criminals involved in one major operation were located in the United States. This was based on specific computer network information and tell-tale signs in usage of English in electronic communications.
Hacker Pricing for Stolen Credentials:
"Kitz" – these particular Kitz contained verified health insurance, SSN, bank account info /logins (account & routing numbers, account type), driver's license, full name, address, phone, etc. and counterfeit physical documents and hardware related to the identity data in the package (eg: credit cards, driver's license, insurance cards, etc)—- ranging between $1200 – $1300 per Kitz. Add $100 – $500 for rush orders and other miscellaneous fees like wire transfer, escrow, etc.
"Fullz" – If these records also include health insurance credentials for a US victim, then they were negotiated for about $500 each, based on what was included: full names, addresses, phone numbers, email addresses (with passwords), dates of birth, SSN or EIN, one or more of: bank account information (account & routing numbers, account type), online banking credentials (varying degrees of completeness), or credit card information (including full track2 data and any associated PINs).
Health Insurance Credentials - Health insurance credentials are $20 each. They include names (more than one for spouse & family coverage), date(s) of birth, contract number, group number, type of plan (Individual/Group, HMO/PPO, deductible and copay information), and insurer contact information for customer service and filing claims). Note: when there is a dental, vision, or chiropractic plan associated with the health plan, each of those was an additional $20.
Fees for Additional Stolen Credentials
US credit card with CVV Code– $1 – $2
Non-US credit card with CVV– $2 – $10
Credit card with full track 2 and PIN– $5 – $50
Prestige credit cards (include Platinum, Diamond, Black) with verified available balance– $20 – $400*
Online bank account, < $10K— $250 – $1000*
Compromised computer– $1 – $100
PayPal, verified balance– $20 – $200*
Game accounts (Steam, Minecraft, WoW, PSN, XBOX Live/Microsoft)– $5 – $1000**
Skype account (premium)– $1 – $10
* Some hackers' prices are based on 4% – 12% of verified current balance
** Rare items are often "parted out' or fenced separately
Bank Accounts with Attached Email Accounts – Jackson also found that credentials for bank accounts, which also included the credentials for the email account associated with the bank account, , were more valuable; as the scammer can stop the victim from receiving email alerts sent by the bank, allows a hacker to change account information and confirm back to the bank that the changes are correct.
Bank Accounts with ACH Bill Pay or Wire Transfer Features - additional features matter in the value of an account. For example, the ability to wire transfer or ACH bill-pay brings a higher value; whereas, two-factor authorization, like SMS sent to the account owners' phone to confirm wire transfers, etc. hurts the value of a stolen account.
Compromised computer - bulk with only proxy- access is cheap; specific selection criteria (speed, bandwidth, location) and full interactive admin/root access is premium.
Game Accounts – The CTU found the biggest jump in value among stolen credentials was in game accounts. There is more realized value in virtual items and currency. Steam and PSN and XBOX live linked to other accounts, multiple game titles and characters, payment information, and other services — $10/hour) or $1000+ for rare/uniqe top-level items. Important to "launder" stolen items through other shill characters.
"It is not surprising that we are seeing health insurance credentials being sold in the underground hacker markets, along with other financial and PPI data," said Jackson. "Our CTU researchers discover caches of stolen data frequently, and we have found that the hackers will steal anything they think they can sell on the underground. Health insurance credentials continue to rise in value as we see the cost of health insurance and the cost of medical services continue to rise."
Earlier this year, Dell SecureWorks' Incident Response Team was called into a large healthcare company to investigate a possible cyber intrusion. The security experts discovered that one of the company's computer systems had been infected with the Gatak Trojan, a credential- stealing Trojan (one that typically looks for names, addresses, credit card numbers, bank account numbers). The Incident Response Team found more than 25 additional unique versions of the malware across their network. Luckily, it was determined that the hackers had not gotten away with any protected health information (PHI), financial or PII data. However, Dell SecureWorks' experts made sure that the company's infected systems were removed from the network and cleaned or rebuilt. They also made recommendations on how the organization could fix the vulnerabilities in their network so the hackers could not reenter.
Key Security Steps for Protecting Healthcare, Financial and PPI Data
Dell SecureWorks advises a layered approach to security. Organizations should consider implementing the following:
- Firewalls around your network and Web applications
- Intrusion Prevention Systems or Intrusion Detection Systems (IPS/IDS). These inspect inbound and outbound traffic for cyber threats and detect and/or block those threats
- Host Intrusion Prevention Systems (IPS)
- Advanced Malware Protection Solution
- Vulnerability scanning
- 24 hours a day x7 days a week x365 days a year log monitoring, and Web application and network scanning
- Security Intelligence around the latest threats (people working on the latest threats in real-time, human intelligence)
- Encrypted email
- Educating your Employees on Computer Security. A key protective measure is to educate your employees to never click on links or attachments in emails, even if they know the sender. Employees should check with the sender prior to clicking on the email links or attachments. Email and surfing the web are the two major infection vectors.