Spammers, for example, might get a fresh list of email addresses to which they can send Viagra and Cialis offers. They make money (say $1 per click) off response rates or website/pop-up ad impressions. Meanwhile, identity thieves could use the email addresses to create a phishing scheme designed to trick people into giving up their bank account or credit card numbers.
Rod Rasmussen, president and CTO of Internet Identity, a Tacoma, Wash.-based Internet security company, says cybercriminals trade this information among themselves to create a more complete picture of an individual. "The idea is, you put together more information on people so you can do more damage. You get their name, credit card number, PIN number, email address, phone number from different sources to get their full information."
What's the actual monetary value of this information?
A name or email address is worth anywhere from fractions of a cent to $1 per record, depending on the quality and freshness of the data, information security experts say.
"There's so much data flowing around, you have to have lots of it in order to get money for it in the underground," says Rasmussen. "Even credit card numbers are going for under $1."
That may not sound like a windfall, but when you multiply it by millions of records, it quickly adds up. Take the Zappos breach as an example: If hackers in fact obtained data on 24 million customers, even if they sell only 5 million email addresses at five cents a pop--cha-ching--they've just made $250,000 off of one hack.
Botnet operators make even more money. Say you own a botnet that consists of 100,000 computers. You may rent it out to spammers for $1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowBe4, a provider of Internet security awareness training based in Clearwater, Fla. If you rent or buy the 24 million records from Zappos so that you can then send malware to those email addresses, even if only 20% of recipients get infected with your malware that takes control of their computer, you've still grown your botnet by about 5 million computers with very little work, he adds.
"Now you can charge $5,000 an hour instead of $1,000 per hour for 5 million bots that start sending spam," says Sjouwerman. "These guys make money hand over fist." Of course, their illegal activity also means criminal charges, jail time and financial restitution.
What's the minimum amount of information cybercriminals need to perpetrate their misdeeds?
Sjouwerman says all cybercriminals require to start doing damage is an individual's email address. With that, they can inundate victims' inboxes with spam.