According to Symantec
U.S.-based credit cards with a card verification number were available for between US$1 to $6, while an identityâ€ including a U.S. bank account, credit card, date of birth and government-issued identification numberâ€ was available for between $14 to $18,
To gain access to the information needed for the sale of identities hackers use a combination of social engineering, maliciously crafted word documents, and any of the zero-day exploits being announced all the time. They then send the word document with it’s dubious payload to unexpecting users. Since it is a word document commonly assumed to be safe and since most email servers don’t block these type of attachments, the user happily clicks on it and all is lost.