Hackers selling IDs for US$14, Symantec says

Identity thieves are offering a person's credit-card number, date of birth and other sensitive information for as little as US$14 over the internet, says a new report on online threats released this week.

The data is sold on so-called "underground economy servers," used by criminal organisations to hawk information they've captured through hacking, Symantec says in its Internet Security Threat Report, which tracked online trends from June to December 2006. The information can then be used for identity scams such as opening a bank account in a false name.

"US-based credit cards with a card verification number were available for between US$1 to US$6, while an identity -- including a US bank account, credit card, date of birth and government-issued identification number -- was available for between US$14 to US$18," says the report.

Some 51% of the servers hosting the information were in the US, in part because the growth in broadband internet access in the US has created new opportunities for criminals, Symantec says. About 86% of the credit and debit card numbers available on those servers were issued by US banks, it says.

One way that criminals have gained access to computers is by exploiting zero-day vulnerabilities, or software flaws that are being exploited as soon as they are revealed and before a patch has been released.

Symantec documented 12 zero-day vulnerabilities in the period from June to December 2006. Only one was found in its two prior six-month reporting periods, the company says.

Hackers have exploited some of those vulnerabilities by creating malicious documents in Microsoft Office and other software, says Ollie Whitehouse, a security architect at Symantec.

A malicious Word or Excel document, when attached to a spam email, has a greater chance of being opened by someone since it may appear legitimate and be targeted at an employee of a specific company.

While security software programs will often block executable programs attached to email, common Office documents are allowed to go through, Whitehouse says.

"A business isn't going to say 'We will no longer accept Office documents received via email,'" says Whitehouse. "I think productivity would go through the floor at that point. Unfortunately, this is where the security requirement and the business requirement do really clash."

A video posted on Symantec's blog, shows a sophisticated attack where a malicious document is opened that puts a harmful executable onto the system and then opens a regular Word document. The attack is almost invisible to the user, apart from a flicker on the screen before the Word document opens.

"Office documents -- PowerPoint presentations, Excel spreadsheets -- and graphics like JPEGs aren't necessarily considered malicious file formats, so the user is more inclined to open them," says Whitehouse.