The Hacking Economy

Selling stolen card info online? That's the least of it

blackred | Getty Images

High-profile cyberattacks, like the one JPMorgan Chase revealed that potentially compromised 76 million households, would logically lead one to think that bank and credit card data are a hacker's primary target.

Turns out that's the least of it. The easy availability of stolen data created a thriving underground marketplace for purloined information, and some cybercriminals are even going up the value chain and selling things like they're own hacking services.

Credit card data—so widely and often stolen that there's actually an abundance of it—can sell for as little as pennies. The going rate for a social security number isn't much higher: Only about $1.

Medical records—rarer and much more data-rich—can go for $50 or more. (All of this pricing data comes from security firm RSA.)

The marketplace for all this stolen data exists on the so-called "dark web"— which is buried within the "deep web." The "deep web," also known as the "hidden web," is the part of the World Wide Web that is not indexed by normal search engines like Google and is only accessible via special software.

The software commonly used to access the "deep web" is called Tor, which stands for The Onion Router. This Internet portal basically anonymizes the user's IP address making them almost impossible to trace.

"It is pure capitalism. It is driven by the purest laws of supply and demand. As long as there is a demand someone is going to step in on the supply side. It's the same economics you see in the markets," said Christopher Budd, Trend Micro's threat communications manager. Goods are often exchanged on these forums using virtual currency, and thus the transactions are harder to trace.

Credit card data is so cheap because there's so much of it, a result of the high number of breaches, said Daniel Cohen, the head of business development for RSA's Online Threats Managed Services Group.

Documents that provide more information about a person's identity usually cost more. Thus the reason medical records—which can contain your entire identity including your address, social security number, financial information, the names of family members and perhaps even your insurance policy numbers—have become so valuable, Cohen said.

Read MoreUS should get ready for Russian cyberattacks

"They are moving away from credit card theft and to more wholesale identity theft," Budd said. "As more of our lives become more digital it becomes more lucrative to steal someones entire identity."

But cybercriminals aren't just selling credit card data and medical records on the dark web these days. They're also increasingly outsourcing their skills as a service.

"Hackers understand they don't have to work too hard to attack a certain target," Cohen said. "We have seen this rise of what we call 'cybercrime as a service.' Everything from bulk credit card data to DDOS attacks are available to you as a service. It's a very, very mature market."

And buying an attack against a website can be pretty cheap, too. For example, buying a denial-of-service attack can cost as little as $7.00 per hour, according to RSA.

Read MoreMeet NSA's Hacker recruiter

Cyber-terrorism 'is coming': Kaspersky CEO
Cyber-terrorism 'is coming': Kaspersky CEO

Full-fledged exploits, however, can cost much more, ranging from $1,000 to $300,000 depending on the complexity and what is being targeted, Cohen said.

Another hot ticket item is mobile malware. While prices for desktop malware have been dropping since 2012, mobile malware carries a premium because it's more difficult to create, Budd said.

In 2013 alone there were one million new pieces of malware discovered on the Android platform in just one year, Budd said. To put that into context, it took Windows about 15 years to go from zero to one million new types of malware, he said.

Just as there is growth and innovation going on in mobile in real businesses, there is also growth and innovation happening in mobile for cybercrime business.

"Mobile has been and will be a big growth industry for malware," Budd said. "The malicious marketplace mirrors the real world marketplace. Windows isn't going away, but it's not terribly exciting anymore."

Read More Five ways to protect yourself from data breaches

Consumers and businesses ought to assume their information will be stolen, and prepare accordingly, Trend Micro's Budd said.

"When we are talking about credit card information and debit card information, people should assume that in the next 12 to 24 months at least one credit card will end up in a breach. What people should be doing as part of their personal protection hygiene is checking statements and keeping an eye out for unknown changes," Budd said.