Identity thieves are offering a person's credit-card number, date of birth and other sensitive information for as little as US$14 over the Internet, said a new report on online threats released Monday.\nThe data is sold on so-called "underground economy servers," used by criminal organizations to hawk information they've captured through hacking, Symantec said in its Internet Security Threat Report, which tracked online trends from June to December 2006. The information can then be used for identity scams such as opening a bank account in a false name.\n"U.S.-based credit cards with a card verification number were available for between US$1 to $6, while an identity\u2014including a U.S. bank account, credit card, date of birth and government-issued identification number\u2014was available for between $14 to $18," the report said.\nSome 51 percent of the servers hosting the information were in the United States, in part because the growth in broadband Internet access in the country has created new opportunities for criminals, Symantec said. About 86 percent of the credit and debit card numbers available on those servers were issued by U.S. banks, it said.\nOne way that criminals have gained access to computers is by exploiting zero-day vulnerabilities, or software flaws that are being exploited as soon as they are revealed and before a patch has been released.\nSymantec documented 12 zero-day vulnerabilities in the period from June to December 2006. Only one was found in its two prior six-month reporting periods, the company said.\nHackers have exploited some of those vulnerabilities by creating malicious documents in Microsoft Office and other software, said Ollie Whitehouse, a security architect at Symantec. \nA malicious Word or Excel document, when attached to a spam e-mail, has a greater chance of being opened by someone since it may appear legitimate and be targeted at an employee of a specific company.\nWhile security software programs will often block executable programs attached to e-mail, common Office documents are allowed to go through, Whitehouse said.\n"A business isn't going to say, 'We will no longer accept Office documents received via e-mail,' " Whitehouse said. "I think productivity would go through the floor at that point. Unfortunately, this is where the security requirement and the business requirement do really clash."\nA video posted on Symantec's blog shows a sophisticated attack where a malicious document is opened that puts a harmful executable onto the system and then opens a regular Word document. The attack is almost invisible to the user, apart from a flicker on the screen before the Word document opens.\n"Office documents\u2014PowerPoint presentations, Excel spreadsheets\u2014and graphics like JPEGs aren't necessarily considered malicious file formats, so the user is more inclined to open them," Whitehouse said.