Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Over $24 billion Dollars at Risk of Theft from Spyware in US Alone - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Over $24 billion Dollars at Risk of Theft from Spyware in US Alone
After cleaning up an infected system and doing due diligence on the people involved, I was able to track the exploit down to a group of Mexican porn site operators who apparently also take the credit cards people give them to buy porn and sell them to others.  Porn site operators aren't the most ethical bunch, but it serves as a helpful reminder.  You need to trust the merchant of whatever product you buy to not, in turn, sell your credit card or other information.  This is true regardless of it being an online merchant or some guy in a shop on the corner.  But the point is that it got me thinking about how many accounts out there that have been stolen by spyware and how much money is impacted.  I did a quick study which came up with $24 billion of US consumer money that could be levereged by someone who is not the consumer.

This is my own estimate and you can look at the methodology here.  Essentially I took the infection rate of "system monitor" spyware infections (those that have keyloggers which grab banking account and credit card information), the percentage of people who bank and shop online, and the average balance on bank accounts and credit cards and came up with over $24 billion in assets and credit that can be levereged by "hostile entities" today.  I believe this number is an underestimate.  This does not include accounts stolen via phishing, online merchants who just take the information you give them, or other social engineering attacks.

This is a draft analysis (complete with typos, bad grammar, and probably broken HTML) and comments are welcome to bambenek -at-

248 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!