Last week, Australian iPhone and iPad owners found themselves locked out of their devices – held hostage by a faraway attacker that promised to hand back control, but only after being paid.
How did it happen? It's possible that, as with other things online, the attacker simply bought the targets' user information from a black market site.
That your personal data can be bought and sold on the Internet shouldn't come as a surprise. Academics and security researchers have been charting the sale of credit card information, bank credentials and online payment logins for years – and the glut of recent breaches and hacks, from Target to eBay, have actually driven down black market prices for stolen data.
In this market of oversupply, attackers are now finding ways to exploit information with no inherent financial value for monetary gain, and leveraging plentiful caches of stolen data in new and frustrating ways.
Ransomware, as the Australian iPad scheme is called, isn't new. Attackers have been holding compromised computers and electronic devices hostage for about as long as we've exchanged money online – even longer, if you count offline schemes. Rather, what's puzzling here is the attacker's technique.
He, she – a group, perhaps – exploited some Apple devices using a built-in feature for disabling and locating stolen devices called Find My iPhone, turning the feature against rightful device owners instead. The question is, how did the attacker choose which devices to hit? And why were they all seemingly based in Australia? Theories abound, Ars Technica has a good one here.
But a new paper says it is plausible that, rather than simply dump a trove of usernames and passwords obtained in a website breach, some enterprising attackers could figure out which of those credentials belong to iPhone or iPad users, and sell them in a specially priced bundle on their own. Dr. Thomas J. Holt, an associate professor an in the School of Criminal Justice at Michigan State University who specializes in the study of cybercrime, worked with Olga Smirnova from Eastern Carolina University to analyze 13 online forums where the sale of hacked user data is commonly advertised. Mr. Holt "The guys who have the ability to actually sieve [analyze] data ... are the types of guys who are going to say 'Wow, there are ways to monetize this information above and beyond simply selling it,' " he said.
"Market actors commonly sell credit card and debit card accounts, PIN numbers, and supporting customer information from around the world in bulk lot," the paper reads, while "a limited number of sellers also offer spam lists and malicious software tools that can be used to engage in fraud."
Advertisements for "dumps" – bank account and/or credit card numbers – made up almost half all of information advertised for sale in the pair's study. Credit Verification Values – the numbers typically printed on the back of a credit card to verify online transactions – accounted for nearly 35 per cent. Because financial information remains the most lucrative types of information they make up the largest share of items sold.
But the price of dumps and CCVs has been trending significantly downward over time – largely because there's too many troves of stolen cards and accounts on the market now, cannibalizing sales. Mr. Holt and Ms. Smirnova found the average price of a stolen bank or credit card could be as low as four cents, for example, but as high as $8,000 for a higher limit executive-type card, with the average selling price just over $100.
The myriad ways in which financial information can be stolen – and the value associated with how a card or account was obtained – makes pricing trends hard to track according to Lillian Ablon, who published a similar report earlier this year for the policy research and analysis firm RAND Corporation.
"How fresh is it? From which data breach did it come from?" said Ms. Ablon. "Did it come from a big one that everyone knows about and everyone's aware and they're going to be checking their credit cards because a lot of breaches have happened and their mind is on it? Or is it a one off that isn't on the news and I might not notice if there's an extra $200 [charge] on my account?"
As the price of more traditional financial information has gone down, more novel types of information have accrued value instead. PayPal and eBay accounts have grown in popularity, now costing on average just $27. E-mail lists for spams and scams average just under $100.
Dr. Holt says you can buy "virtually anything that has currency attached to it" online, from Skype accounts to high-value Twitter user names. Earlier this year, for example, the Twitter user @N was actually stolen due to its status as one of the service's earliest names. Though the owner eventually regained control, he claims to have been offered as much as $50,000 for the handle in the past.
Whether this type of targeted information buying – a leaked or stolen database of known Australian iPhone and iPad owners, says – is what enabled last week's attack is hard to say. But it's certainly not unheard of.
It's sometimes useful to remember that our personal information is often less personal than we might like to think – much of it distributed, packaged and sold in black markets online, a cornucopia of credit cards, bank accounts, even high value Twitter handles and more.
But more importantly, things that we might think have no value – e-mail addresses, in this case, and passwords acquired from who knows where – have more value to attackers looking for novel modes of attack that most of us would never conceive.