Cyber-criminals Selling Complete ID Theft ‘Kitz’ for Over $1,000 Per Dossier

Stolen healthcare data such as health insurance credentials, Social Security numbers, bank account information, and other personally identifiable information about patients are readily available in underground markets, researchers at Dell SecureWorks found.

Criminals can purchase “fullz,” an electronic dossier on a specific individual, for about $500 each, according to a Dell SecureWorks blog post. They can then use the fullz information to counterfeit identities and documents for individuals, or just buy “kitz,” a complete identity theft kit containing ready-made counterfeit documents, for between $1,200 and $1,300 each.

Kitz contain documents such as credit cards, Social Security cards, driver’s licenses, and insurance cards. These underground markets also sell health insurance credentials for $20 each. The credentials include the names of those covered by the plan, dates of birth, contract number, group number, type of plan (individual, group, HMO, PPO, etc.), deductible, co-pay, and insurer contact information. Additional services, such as dental, vision, and chiropractor plans, are available as add-ons for $20 each, the researchers found.

A number of these marketplaces are serving as a one-stop shop for identity theft and fraud, found Don Jackson, senior security researcher with SecureWorks’ Counter Threat Unit research team.

Fullz usually contain personally identifiable information for the victim, including full names, addresses, phone numbers, email addresses with corresponding passwords, dates of birth, Social Security numbers, and Employer ID Numbers. They also contain financial data: bank account information such as routing numbers, account numbers, and online banking credentials (which may be incomplete), and credit card information such as magnetic stripe data and PINs.

Jackson did not specify who was behind the sales, but said he believed at least one major operation was based in the United States. He based his suspicions on computer network information and specific clues in how criminals communicated.

While the Health Insurance Portability and Accountability Act (HIPAA) requires hospitals, clinics, and other healthcare organizations to implement security measures to protect personally identifiable information and patient records, data breaches still happen. Rogue employees and careless mistakes are frequently the cause of data leakage within the industry. Healthcare-focused malware can steal the information necessary to conduct fraud.

Earlier this year, Dell SecureWorks’ Incident Response Team investigated a possible cyber-intrusion at a large healthcare company and discovered more than 25 unique versions of the Gatak Trojan across the network. Gatak is a credential-stealing Trojan that harvests names, addresses, credit card numbers, and bank account numbers. While this organization luckily hadn’t lost any data to the attackers, other organizations may not be so lucky.

Dell SecureWorks recommends companies take a layered approach to security. On the network level, administrators should install network and Web application firewalls and intrusion prevention and detection systems (IPS/IDS) that inspect outbound and inbound traffic. All endpoints should run advanced malware protection and vulnerability scanners. Employees should be trained to detect and avoid primary infection vectors when using email and to encrypt their email communications.

CTU “frequently” discovers caches of stolen data, Jackson said. With the cost of medical care and insurance policies going up, stolen health insurance credentials will likely rise in value on these underground markets, he said.

“It is not surprising that we are seeing health insurance credentials being sold in the underground hacker markets, along with other financial and PPI data,” said Jackson.

Unlike credit cards and other financial data, stolen health care information can last a long time. If the scammer is careful, much of the activity can fly under the radar so that the victim doesn’t realize what is going on.

Jackson and other CTU researchers found other credentials for sale, such as US-based credit cards (with the three-digit CVV code) for $1 to $2 apiece, PayPal accounts with a verified balance for $20 to $200, and even premium Skype accounts for between $1 and $10. Credentials for online bank accounts with balances of less than $10,000 vary wildly in price, from $250 to $1,000.

Features such as the ability to wire transfer or ACH bill-pay make the accounts more valuable, while two-factor authentication hurts the value of a stolen account, Jackson said. Credentials for bank accounts with password information for the associated email address were more valuable to criminals than just regular bank account information.

This way, the scammer can stop the victim from receiving email alerts sent by the bank, or change account information and confirm to the bank that the changes are correct, Jackson said.

Game accounts, such as those for Steam, Minecraft, World of Warcraft, PlayStation Network, and Xbox Live, ranged from $5 to $1,000, CTU found. Steam, PSN, and Xbox Live accounts linked to other accounts, or containing multiple game titles and characters, or having payment information saved, were valuable on the market. “There is more realized value in virtual items and currency,” the researchers wrote in the post.

Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.