Cyber-Criminals Selling Fraudulent Identity 'Kitz' on Web Black Market

By Robert Lemos | Posted 2013-07-17 Email Print

Researchers at Dell Secureworks find criminals combining drivers' licenses, health insurance and credit-card accounts into counterfeit documents, or "kitz," which are then sold online.

Brokers of stolen information are increasingly combining disparate data on consumers, verifying the information and then selling the "kitz" to others as a turnkey identity fraud service, according to researchers from managed security firm Dell Secureworks.

While run-of-the-mill U.S. credit cards sell for less than $2, health insurance credentials for less than $20 and access to compromised computers for less than $100, packaging up a complete profile of a consumer—known as "fullz"—and creating a set of physical identity documents can fetch more than $1,200, Dell Secureworks stated in research sent to media on July 15.

A full dossier on a consumer—including verified health insurance information, Social Security numbers, financial account information, bank log-in credentials and driver's license data—sells for about $500 each, without the actual physical documents, the company said.

With all the information leaked in data breaches in the past decade, information brokers have a lot of raw material with which to work, Don Jackson, senior security researcher with Dell Secureworks, told eWEEK.

"They put a lot of work into these databases," Jackson said. "These guys have accumulated some huge databases. It's going to be hard to find people whose information is not out there."

Identity theft has become an increasing concern among consumers. In its annual measure of security concerns of Americans, technology firm Unisys found that citizens' overall concern with security had lessened in 2013, but that identity theft and credit-card theft had topped the lists of worries.

And with health care becoming less affordable for the average American, the industry has suffered some of the greatest increases in fraud, according to a recent report published by the Ponemon Institute.

Dell Secureworks has also seen an increase in online criminals targeting health insurers and health care organizations. Along with financial institutions, health care is one of the most targeted industries, the company stated.

Yet, those are not the only types of credentials or digital data that online thieves have targeted. Game accounts also fetch premium prices, according to Secureworks' research. In fact, the online gaming accounts of the owners of premium in-game items are some of the most valuable, selling for up to $1,000, the same price as a well-funded bank account and twice as much as a high credit-limit—or "prestige"—credit card.

"The [researchers] found the biggest jump in value among stolen credentials was in game accounts," the research summary stated. "There is more realized value in virtual items and currency."

Dell Secureworks believes the market for stolen information is expanding, highlighted by the increase in price for many types of data. Many more sellers and middlemen have appeared in the market, Jackson said.

While the criminal rings behind the sale of stolen information appear to be spread out over the globe, Jackson found evidence that one of the sellers was based in the United States.

Wednesday, July 17, 2013