Published on the 21/07/2020 | Written by Heather Wright
Or perhaps you’d like to ‘rent’ a stolen identity…
There’s a treasure trove of account details to be found on the dark web’s criminal marketplaces – some 15 billion credentials for accounts including banking, video streaming and social media, to be specific – and that’s before we even get to the option of ‘renting’ stolen identities.
That’s according to a new report from Digital Shadows, which also shows Australian account details were among the most advertised, behind the US and Canada.
While much of the data is available free, and the average price is just US$15.53, the From Exposure to Takeover study provides an insight into the value of black market data.
The report found the number of stolen and exposed credentials has risen 300 percent since 2018 with more than 100,000 data breaches in two years aiding that growth. Of the 15 billion credentials in circulation, five billion were assessed to be ‘unique’ and were advertised only once on criminal forums.
Rick Holland, Digital Shadows CISO and VP of strategy, says the sheer number of credentials available is ‘staggering’.
“Some of these exposed accounts can have – or have access to – incredibly sensitive information. Details exposed from one breach could be reused to compromise accounts used elsewhere,” he says.
Digital Shadows says it’s also seeing criminal advertisements for domain administrator accesses, including login details, credentials or sensitive files from an organisation’s or individual’s machine, used to access systems/infrastructure, data, bank accounts and other accounts.
“This takes the conversation from ‘simple’ account compromise to complete network compromise, and we’ve seen these accesses sold or auctioned for an average of $3,139 and up to $140,000.
“The data may not always be valid, but just the concept of a large corporation or government network administrator’s access being sold on criminal marketplaces is, to say the least, unnerving.”
Digital Shadows also found two million accounting email addresses exposed, with addresses containing ‘invoice’ or ‘invoices’ by far the most commonly advertised.
Credentials for banking and financial accounts – many including US social security numbers, physical addresses, birthdates and answers to security questions – were the most common, accounting for 25 percent of all the advertisements Digital Shadows saw. Unsurprisingly, they also garnered the highest value when it comes to personal credentials, selling for an average of US$70.91 and with some going for upwards of $500.
“The price can be influenced by many factors: If it’s confirmed to have certain amounts of funds, if it has personally identifiable information attached, its age (older accounts tend to be cheaper).”
Many of the higher priced ads also advertise ‘drop’ accounts, meaning they can be used to facilitate money laundering or cash-out schemes.
Streaming and VPN accounts made up 13 percent and 12 percent, respectively, of all the listings, but along with social media (which makes up five percent of listings), file sharing (seven percent) and adult content sites (seven percent), trade for ‘significantly’ under $10.
“Many of the categories are for services that can be quite pricey if purchased legitimately,” the report notes. “Would you rather pay $10 a month for yet another streaming service, or pay $5 for lifetime access?” (Or at least until the genuine owner notices.)
And, of course, in the case of adult websites, there are other ‘added benefits’ to the information, given that buyers may not want their real names or financial information associated with the services, Digital Shadows notes.
Account accesses for antivirus programs garnered the second highest prices at $21.67, but made up just five percent of listings.
The report also notes a growth market in ‘account takeover-as-a-service’ – ‘a happy medium between harvesting your own credentials and purchasing stolen credentials’. Rather than buying a credential, account takeover-as-a-service enables criminals to ‘rent’ an identity for a given period, often for less than $10.
The ‘service’ also collects digital fingerprint data such as cookies, IP addresses and time zones from an individual – or target – making it considerably easier to perform account takeovers and transactions that go unnoticed.
Apparently forum users are ‘desperate’ to acquire invite codes to access the leading account takeover-as-a-service provider, Genesis Market.
Digital Shadows’ findings are mirrored in those of PrivacyAffairs, which also sent researchers into the dark web on a data-gathering mission, returning with a comprehensive ‘price index’ for available data.
It found a cloned Mastercard with PIN was worth US$15. Make it a cloned Visa with PIN and the figure jumps to $25, but it’s American Express, at $35, which tops the market.
PrivacyAffairs notes that ‘vendors’ even offer a guarantee – generally of 80 percent of cards being valid and having the advertised balance – though it was at pains to point out that it didn’t order and so couldn’t verify whether that was true.
“But the prevalence of these claims alongside the well documented increase in identity fraud suggests that there is a high turnover of such data,” PrivacyAffairs’ Miguel Gomez, a cybersecurity consultant and analyst, says.
PayPal account details were ‘easily’ the most common items listed and extremely cheap. More expensive were actual transfers from a hacked account: a PayPal transfer of $3,000+ from a stolen account will set a criminal back $155.94.
As for social media accounts, Gomez says offers to hack accounts or sell them were relatively scarce. “Hackers trying to get the social media credentials from victims mostly have to resort to using social engineering techniques, which have a very high effort input for relatively low success ratio.”
Details for a hacked Gmail account come out on top, value-wise, at $155.73, well ahead of hacked Facebook accounts which came in at an average of $74.50.
Buying LinkedIn followers, for both personal and company accounts, costs just $10 for 1,000, with 1,000 Twitter retweets costing $25 and 1,000 Instagram likes just $6, leading Gomez to note that the low cost should seriously make us question an account’s validity before blindly trusting its wealth of social currency.