Online, a bazaar bursting with stolen credit card information

September 21, 2014, 3:37 PM UTC
Credit Crunch Threatens Economy
LONDON - DECEMBER 06: In this photo illustration a man holds up some credit and debit cards on December 6, 2007 in Glasgow,Scotland.The British economy is beginning to feel the effects of the credit crisis which began this year. House prices have begun to fall and the retail sector is predicting a difficult Christmas period. (Photo by Jeff J Mitchell/Getty Images)
Photograph by Jeff J. Mitchell—Getty Images

The latest Target for retail cyber robbers? Home Depot. (At least, that we know of.) The home improvement retailer recently acknowledged a five-month data breach at its payment terminals that may have compromised 56 million payment cards.

Some have characterized the Home Depot (HD) data breach the largest to date. (This year’s Target breach: 26 million cards over three weeks.) If you’ve shopped at the big-box retailer, though, you’re probably wondering: What happens to all that personal information once it gets into the hands of cyber thieves?

They take it to market, of course. is one of several underground markets where black-hat hackers (that is, the bad ones) go to move product—”product” in this case being your personal information. According to Brian Krebs, a journalist-turned cyber security analyst, Rescator received two gigantic dumps of stolen card numbers on Sept. 2—including a significant score from Home Depot. (“USA and World Dumps update!” the update cheerily proclaimed.) In the next few days, more illicit shipments followed.

If the site’s name sounds vaguely familiar, it’s because Rescator is the same place where the Target (TGT) breach’s spoils first emerged last December. Both hacks exploited the same vulnerabilities using similar malware. Coincidence?

In the latest case, the hackers’ reputation preceded them. “They were throwing out all different kinds of alerts on criminal forums that there’s a big, huge batch coming,” says Krebs, who first broke news of the Target and Home Depot breaches. “These guys have a brand. They got famous with Target.”

Anyone can sign up at underground markets like Rescator. Transactions are often conducted through a digital currency platform like Bitcoin to preserve anonymity. What follows: a rainbow-colored pilfer party. Shop ’till you drop!

“Credit cards are typically graded and packaged into large tranches by type, freshness, or other factors,”says Dan Guido, co-founder and CEO of the New York-based cyber security firm Trail of Bits. Cards with a later expiration date and higher credit limit may be worth more. A purchaser can also sort by country, state or city of origin, zip code, and issuing bank. “Criminals sometimes offer a few cards as a sample to a prospective buyer to charge and verify they work. It’s coordinated via forums on the regular Internet.”

Once the buyer secures a cardholder’s information from the seller, they can make purchases with funds from the victim’s account. With a little ingenuity—the kind on display during the recent leak of private celebrity photos hosted on Apple’s iCloud—the buyer can reset a cardholder’s PIN and withdraw money from their account. Sayonara, identity.

About 60% of the stolen Home Depot card information will be sold in dumps like this, says Tom Kellermann, chief cybersecurity officer at Trend Micro. That’s a conservative estimate. “You can buy 100 platinum cards for less than $1,000.” Do the math: A buyer can commit at least one act of fraud per card, he says. “Good deal, huh?”

Black markets are subject to the same economic forces that legal markets are, though. A glut of stolen credit card information has led to depressed prices for stolen personal information. According to a recent Trend Micro report, the average price for a stolen U.S. credit card was $1 in 2013, down from $3 in 2011.

Still, substantial profit can be made at scale. Hackers behind the Home Depot and Target breaches aren’t interested in stealing card information for their personal use; they’re far more interested in selling it to others. “You can safely call sites like Rescator like the big box credit card theft stores,” Krebs says. “They’re like the Best Buys of the underground.”

Like consumer electronics, stolen personal information is a rapidly depreciating asset. Once the looters put data up for sale, the clock starts ticking. It’s only a matter of time before law enforcement, banks, and journalists swoop in and spoil the fun. Sure, sellers can buy a little time by hosting the information on servers in countries unfriendly to the U.S. But as any retailer knows—Home Depot above all—it’s all about turning inventory into sales. Quickly.

Correction, September 22, 2014: An earlier version of this article misstated Tom Kellermann’s title. He is chief cybersecurity officer at Trend Micro.