A year ago, carders could expect to reap $5 by selling fewer than a dozen stolen credit card numbers, regardless of the limit or other information the thief had about the rightful owners, said John Watters, chief executive officer of iDefense, a Reston, Va.-based online security company.
"[Phishing] has really helped this market to mature, because we're now seeing these offerings being parsed into differently priced segments according to what sorts of other information the seller has," Watters said.
The preferred method of payment also has shifted in a way that suggests a more organized, businesslike clientele is co-opting the once-informal marketplaces, said Marcus Sachs, a former White House cyber-security adviser who directs the Internet Storm Center, which monitors hacker trends.
For years, hackers were content to barter credit card numbers for stolen passwords, custom-made computer code or e-mail address lists. Now, Sachs said, "they just want to get paid."
Another trick that harkens back to the dawn of the World Wide Web is starting to see new life: fake online storefronts that harvest credit card information.
In these scams, thieves build Web sites hawking everything from sporting goods to contact lenses at bargain-basement prices, advertising the wares with large doses of spam. The Web sites look authentic thanks to pictures and descriptions of goods lifted from real online stores.
"We've seen a lot of really good ones that include fake testimonials and links to their privacy and security policies," said Dan Hubbard, director of security and technology research for Websense, a San Diego-based company that offers online content blocking services for businesses.
Fake e-commerce sites work so well that they recently outnumbered phishing sites, according to Websense. In a study released in September, the company found that there are between 800 and 1,100 fraudulent and phishing Web sites online at any time, and slightly more than half of those are pure fraud sites.
The average phishing site usually has a lifespan of a few hours to three days before banks and Internet service providers locate and scuttle it. Bogus e-commerce sites, however, generally stay in business for six to eight days before their operators close up shop and disappear, Websense found.
William Jackson's case placed him in the company of thousands of online shoppers who responded to e-mails that they thought were from eBay or PayPal. From January to October this year, almost 30 percent of all phishing attacks targeted those customers, according to the Anti-Phishing Working Group, a coalition of banks and technology companies dedicated to fighting phishing fraud.