Pump-and-dump vs. ID theft

Sep 18, 2007 08:30 GMT

Perhaps you remember yesterday's news about the hackers who browsed a huge part of a database and didn't retrieve one piece of info from it. In short, malicious users bypassed TD Ameritrade's security systems and breached its database. You would expect them to acquire all the sensitive info there, but they only cared about e-mail addresses, names and home addresses. After seeing that, I said that this would lead to a huge spam campaign, and it seems that some security experts agreed with me. In any case, why would they do just that?

Well, today I read a blog post on SANS in which the author, John Bambenek, was wondering if pump-and-dump is more effective than ID theft. That got me thinking. If I were a hacker, which method would I choose? After pondering what each scheme implies, which is more complicated than the other and which would get me more money, I decided I'd go with the pump-and-dump. And now I see why the hackers didn't bother with the whole database.

So, let me explain: after you steal an ID, you can either sell it on the web or make counterfeit credit cards and get money out of them. The dough you could make is somewhere in the thousands of dollars, there is a lot of stress, and you have to work with a lot of cards and generally put a lot of work into it. But let's take a look at pump-and-dump: you buy some really cheap shares in some small firm, then you get several bots to spam all day long, sending users messages to persuade them to buy stock in the same company as you did. Of course, that would make the stock price rise, so the $1,000 you invested will turn into $1 million if all goes right. All you have to do is sit at home and cash in at the right moment.

Pump-and-dump seems more lucrative to me, so I can say that I finally understand why they had no interest in the whole database.