By Robert Booth
November 24 2007
It took just 19 hours from first contact with the anonymous Russian
fraudster until he collected my $240 (116.50 U.K.P.) payment from a
I had sent a wire transfer to his frozen Siberian home town in exchange
for details that would, in theory, grant access to more than 10,000 from
the bank account of an unsuspecting British Halifax customer.
He offered a choice of British accounts held at Lloyds TSB or HSBC and
for more money, the balances could have been fatter - anything up to
35,000, the fraudster promised. For a fee of 1% of the balance he
promised the name, branch, account number, sort code and internet login.
The encounter with the anonymous Russian in an internet chatroom was one
of scores like it going on at the time. In a separate private message,
another vendor promised: "I will give you HSBC full info with 26k
Pounds...for $500...When can you wire money?"
The account I had chosen could be almost cleared out in one day without
hitting its transfer limit and alerting the account holder or bank, I
The exchanges are likely to increase concerns about the security of
Britain's banking and identity data. This weekend, the computerised bank
details of millions of people remain missing, after the Treasury blunder
in which two discs containing the data of 25 million individuals were
lost in transit between HM Revenue & Customs and the National Audit
The details of similar British bank accounts are already being offered
for sale by internet fraudsters in America, Russia, China and west
Africa. According to security experts they have been hacked from
computers, gathered in "phishing" expeditions where fraudsters
masquerade as trustworthy entities, and burgled from offices before
being circulated among the internet banking fraud community.
On one publicly accessible website selling everything from stolen credit
card details to fully operating pornographic websites, scores of vendors
are lined up selling UK, European, US and Canadian bank details. It is a
marketplace which illustrates the international nature of the illegal
trade. The website is registered to the Cocos Islands, an Australian
territory in the Indian Ocean consisting of two atolls, 27 coral islands
and fewer than 1,000 residents. The salespeople are contactable through
email addresses routed through servers in Russia and the USA. Most use
Yahoo accounts or communicate through ICQ, an untraceable instant
"If the Treasury data gets into the wrong hands these are exactly the
illegal markets where it will end up," said Daniel Harrison, an identity
theft expert. "Whoever has it will break the details down into small
chunks to sell on quickly and without detection. The data is crossing
borders incredibly quickly and there is very little that can be done to
track it down. It is like an underground eBay."
"The resale of bank account details is mainly managed by Russian
organised crime," said Marc Kirby, the former head of computer forensics
at the National Hi-Tech Crime Unit, which is now part of the Serious and
Organised Crime Agency. "This is a highly organised black market that
mirrors legitimate business dealings."
The attempts to defraud British bank customers witnessed by the Guardian
were of "great concern", said Brian Mairs, spokesman for the British
Banking Association. "Customers have every right to be concerned and
this is a double whammy for them after the bad news from HM Revenue &
Customs earlier in the week," he said. "But they have the assurance that
they will not lose out financially if they have not been responsible for
the data being compromised."
The investigation began with Google searches. After a few attempts, a
forum emerged for vendors offering skimmed credit card details. Among
them were some selling bank details. Each vendor offered an email and a
chatroom contact for private negotiations.
Once talking one on one, the sellers unpacked their wares. One seller
offered bank account details, complete with their internet logins, for
$75. "All live and fresh, contact me now," he urged. Another pushed
blocks of Visa card details for $80. "Stuff will be sent out to u in
1-24 hours after payment," he said. "Have system of good discounts for
A Russian-registered vendor offered UK and US bank logins with "good
price and service!"
The community has developed a high level of sophistication so that
trusted parties can trade efficiently. In one posting on a forum selling
card details a fraudster reports to the rest of the community on the
"review" he has conducted of a new entrant to the market.
He has tested his speed of response and accuracy of information supplied
and marks him out of 10 for communication, timing and product. "Total:
9/10 nice score," he concludes and awards the status of "trial vendor".
Many vendors offer discounts for bulk buyers and even display a
replacement policy. If the account details do not work most vendors will
replace the data with a different lead. SOCA, which has responsibility
for fighting organised internet fraud, has set up a series of
cross-border alliances to tackle the problem, but declined to comment on
As sobering as the trade in stolen identities has become, there was a
crumb of comfort last night for the Halifax account holder whose details
the Russian fraudster was peddling. Twelve hours after the payment had
been withdrawn from a Siberian wire office, the Guardian was still
waiting for the promised bank details.
Copyright Guardian News and Media Limited 2007
Visit InfoSec News