Thieves Can Now Nab Your Data in a Few Minutes for a Few Bucks

In the aftermath of big breaches like Marriott’s, investigators scour criminal marketplaces for clues. If a large number of credit-card numbers used at a particular hotel chain pop up, for example, that is a possible sign that criminals, and not nation-state hackers, were behind the hack.

With the Marriott breach and Equifax attack, which was disclosed last year and affected 148 million people, sellers haven’t yet appeared—which could indicate foreign governments are behind those two break-ins.

Alex Holden, chief information security officer of Hold Security LLC, said a recent investigation found hackers last month offering to produce fake passport and identification cards based on data in a cache of 4,600 purloined documents. By using image-editing software to marry photos with the stolen data, hackers were producing fake IDs that could be used to gain access to online accounts, he said.

Providers of online accounts sometimes will reset a password for someone if that person can produce a passport, he said.

Fake passports are only one of many products made from stolen consumer information. Criminals also assemble comprehensive victim files called “fullz”—internet slang for a full listing of someone’s data—that sell for about $100 each, Mr. Barysevich said. Fullz can include a victim’s date of birth, Social Security number, telephone number, driver’s license number, banking information and more.

This type of information is feeding a new form of fraud known as SIM hijacking, in which criminals use stolen data to persuade mobile-phone operators they are legitimate customers who have lost their phones and are in need of a new SIM card. When the new SIM card is activated, criminals gain control of the victim’s phone number and quickly use it to reset online passwords and empty bank accounts.

For accounts that require only a user name and password, hackers turn to free downloadable tools such as Sentry MBA or Hitman, known as credential stuffers. The software takes a bulk list of email addresses and passwords stolen from a site and tries, through a network of computers, to use them one by one to log into different websites. Stolen email addresses and passwords from LinkedIn, for example, could be tried against Amazon. Up to 2% of passwords found on any one site work elsewhere, according to the security company SpyCloud Inc. That can turn a single $100 record into a valuable skeleton key for a buyer.

There are criminal tutorials for sale for neophyte thieves. For $300, a would-be hacker can buy a “Bank Account Takeover Guide” for step-by-step instructions on how to use fullz information to obtain a bank loan. Lower-cost guides can go for $50, Mr. Barysevich said.

Corporate data commands a premium. Login information for specific company email addresses on a variety of forums, for example, sells for $400 to $500, said Corey Milligan, a researcher with the security-service provider Armor Defense Inc.

Access to an online bank account, which gives a hacker a way to siphon cash directly from a victim, is worth more. And the more money in the account, the more it is worth. For the keys to a banking account with $15,000 in cash, hackers can charge as much as $1,000, according to research firms that track such activity.