Symantec's "Black Market Tour" takes visitors into a criminal nether world

Symantec's Travis Wilkins, a Black Market tour guide

The black market in which criminal hackers steal credit card and bank account information from hundreds or thousands of innocent victims, and sell that data to thieves throughout the world, has undergone a dramatic transformation in recent years.

"It's not about becoming famous, or destroying your information, like in the old days," explained Travis Wilkins, a product marketing manager with Symantec Corp., who served as a guide at the "Black Market Tour" assembled by Symantec and transported to cities across the U.S., including Washington, DC, where this reporter saw it. "It's now all about making money."

The Black Market Tour attempts to recreate a hacker's "lair," where the evil-doer might use phishing software to fool victims into allowing key-logging software to track their computer's keystrokes. The hacker might then grab their victims' account numbers, passwords, security codes and the answers to a slew of security questions, all in an effort to assemble marketable "personal identities" which can be sold in bundles to nefarious buyers via the Internet.

Another portion of the tour presents on flat-screen monitors precisely the type of online chat-room dialogue that criminal sellers of personal data and criminal buyers of this data might engage in when they first meet each other, before adjourning to more-private conversations elsewhere on the Internet to consummate their illegal transactions.

Identity theft attacks, such as these, tend to originate primarily in the United States, Russia, China, Eastern Europe and Brazil, explained Wilkins. The home bases for the hackers are somewhat concentrated, but the victims can be located anywhere in the world. Hackers don't care who you are, or where you are located, said Wilkins. They are only interested in assembling and selling large bundles of complete personal identities. The only characteristic that might be noteworthy would be the credit limit on the credit card itself, because a very high credit limit might fetch a premium price for that specific card in the black market.

Typically, a buyer of personal identities will not pay cash for the ill-gotten identities, said Kevin Haley, another Symantec guide. Instead, the purchaser might compensate the seller via PayPal, Western Union, using the Web site at e-gold.com, or trading products or services. "They might trade 10 banking credential for 100 credit cards," said Haley.

Symantec has received a terrific reception for its educational exhibit when the Black Market Tour turned up in Toronto, New York City, Washington, Tokyo, London and Mountain View, CA, where Symantec and its Norton unit are headquartered.

Asked if the "good guys" are making much headway in finding, arresting and convicting the "bad guys" around the world, Haley sounded realistic. "We'll probably never shut this problem down," he lamented. "But we're working hard to keep a lid on it."