Over the last couple of years, we’ve all had our attention fixed on one of two things: the global pandemic and the previous year’s presidential elections.
Both issues are essential, and the pandemic has changed the practical lives of almost every human being on the planet, so it’s only natural for the world’s news services to focus on those two issues.
But while the world is “burning,” the world’s hackers are having a picnic, and hardly anybody is paying any attention. 2020 is a case in point. It was one of the worst years (if not the worst) for cyber attacks.
The victim list includes world-class institutions and corporations such as Lockheed Martin, T-Mobile, Microsoft, McDonald’s, NASA. Even FireEye and SolarWinds got hit, and those last two are digital security companies.
Almost none of the known attacks ended up stealing money but information. The natural question is, what use is that information to the hackers? How can they profit from it? Where does it all end up? The answer, of course, is the Dark Web.
PrivacyAffairs previously released a Dark Web Price Index for last year. It’s a menu of sorts. By reading it, you begin to understand why hackers are so active and how they can make a buck.
Let’s see some examples for this year’s index. The information for a cloned Mastercard (pin included) is worth 25 USD. An American Express, though, is 35 USD. A person’s credit card details and account balance are sold for 150 USD if the account balance is under 1000 USD, but 240 if it is under 5000 USD.
The list is quite extensive, and it goes on. It includes stolen online banking logins (price varies depending on the account’s worth), Walmart credit cards, global credit cards with CVV from the USA, the UK, Australia, Israel, Spain, or Japan. Stolen Paypal account details, Neteller, PerfectMoney, TransferGo, and other payment services are also on the list.
Cryptocurrencies are represented in hacked accounts to trading sites. A Kraken verified account’s info is worth 810 USD, for instance, but a Binance one is half as expensive.
Stolen social media accounts are also for sale: Facebook, Instagram, Twitter, Gmail, Instagram, Spotify, Twitch, LinkedIn, Pinterest, Soundcloud are all listed with prices that vary from 5USD to 80USD, the specific platform, the number of followers, and other variables.
What about services? You can buy an Uber account or bet for “free” at Bet365. Lykke, FedEx, Netflix, Kaspersky, NBA League Pass, Orange TV, Hulu, and HBO are available. The most expensive product in this category is a stolen eBay account with a good reputation (that means positive feedback from more than a thousand users) at 1000 USD.
But not all the stolen information on offer is strictly digital in origin. You can buy a Minnesota driver’s license for 20USD. The New York one is four times more expensive. Passports and IDs from different American states and European countries are on offer as well.
And there are even more specialized products such as DDoS attacks, email databases, and malware.
The illegal market in the Dark Web has grown significantly from last year. Trading volumes are higher, and product variety is wider, too –uber accounts and crypto accounts are a new thing. Fake IDs and stolen credit cards are selling by thousands.
And there are hundreds of vendors who feel confident enough to give their customers commercial offers like “buy a couple of cloned credit cards and get the third one for free!”
The Dark Web users, of course, are very aware of digital security and that law enforcement agencies around the world want to bring them down. So they have high-security practices in all ends. Many vendors do not take Bitcoin as payment. Monero is the cryptocurrency of choice, instead, and all communications must be PGP encrypted.
The Cloned Credit Card and Cardholder Data Market
Do you know about the law of supply and demand? It’s supposed to be the cornerstone mechanics of free markets. Well, it doesn’t apply here. The supply in this market has increased markedly. But so have the prices. The chances are that the higher prices are linked to the increased risk of obtaining them.
Also, the stolen information is of higher quality, so it is more valuable to the buyer. It could also be just inflation, of course, but calculating economic indicators in black markets such as this one is exceedingly difficult.
Vendors even have guarantee policies. They assure their clients that eight out of every ten cards will work fine and have the advertised balance.
PayPal accounts are the most frequent item in this market, and they can be pretty expensive. The highest price is for an actual transfer from a hacked account. That’s a trend: accounts have gone down in price, but transfers are more expensive.
So a PayPal account, for instance, cost 200 USD last year, and it’s currently priced at 30USD. On the other hand, a PayPal transfer was worth 320 USD, and it’s now at 340 USD.
If you buy one of these products, you will also get instructions on proceeding without informing the authorities. The guides add a cost of cents to the purchase, and it’s anybody’s guess if they work at all.
With the pandemic pushing so many people to have economic activities on the internet, payment processors are now more relevant than ever before. More retailers accept several forms of online payments.
Cryptocurrency trading accounts
Hacked accounts for crypto are highly-priced now. This has to do with the BTC price skyrocketing after the whole Elon Musk affair. Other cryptocurrencies have increased in value as well. Hacked accounts’ wallets may hold lots of digital assets as well as fiat currency. And in many sites, the security is not that great once you pass the initial verification process.
If you pair high-value crypto accounts with BTC ATMs, you give the hackers an easy way to cash out on the information quickly. The cheapest account is from crypto.com, and the most expensive one is Kraken. But Coinbaise, Coinfield, Cex.io, Blockchain.com, and Binance are in the mix as well.
Hacked social media accounts’ prices are decreasing across all platforms. That is terrible news for the hackers because as social media corporations increase their security measures, hackers must steal the accounts through social engineering, which is labor-intensive, can’t be done from a computer in an isolated basement, and has a low success rate.
You can buy a thousand Instagram followers for 7 USD, a Facebook account for 75 USD, and a Gmail account for 156 USD, to name the best-known ones.
The menu is broad in this category. Lykke is the most expensive hacked service at 260 USD. Orange TV and some porn sites are the cheapest at about 5 USD, depending on the site. But you can get a FedEx account, Netflix, Kaspersky, Uber (driver or client), Canva Pro, HBO, Netflix 4K, Ancestry .com, Adobe Creative Cloud and, the king of all services, an eBay account with an excellent reputation that will set you back by 1000 USD.
It’s probably the most well-known black market in history, if only because of spy novels, movies, and TV shows. But it’s now a digital thing too. You can buy your fake document as a digital scan or, if you want, as a physical document too.
Specialized vendors offer highly customizable services to their buyers, so the document can be made with any details the buyer wants. Thus, a diligent criminal can create an entire file of forged documents that seem legit, starting with only a handful of personal information without breaking the bank.
But this old market is not devoid of innovative elements. Document scans with selfies are a valuable purchase as they can be used for SIM swap attacks and personal data access in Europe and California.
Last but not least is the counterfeit money market. You can buy US Dollars, Euros, British Pounds, Canadian and Australian dollars. Some are even guaranteed to pass the UV pen test. Purchasing high-quality fake money will usually set you back by about a third of a note’s face value.
This product is prevalent and cheap because it’s available in the mainstream and has meager accuracy rates. Most email dumps come from aggregating previous email breaches. Only hackers are interested in this kind of product, of course.
The malware installs itself in a system without its owners’ knowledge (or willingness) and then grants hackers almost full power over it. It can be ransomware (you need to pay a ransom to regain control over your computer) or something less intrusive that steals your information.
Hackers can steal tens of thousands of dollars for every 1000 malware installs.
A distributed denial of service attack brings a website down by overloading its traffic with false traffic. Nobody earns money through this kind of action, but bringing down a particular website can distract the public and cover other hacking activities.
How does this matter at all?
Dark web market data awareness is not just for your general edification. It gives you the perspective you need to understand that your personal data is not a nuisance but that it has value for you, concerns your security, and hackers, as they can use it for doing business. Also, it shows that exploiting you is not that hard, and it’s cheap.
You’ve undoubtedly heard the horror stories about people unsuspectingly losing their life savings or finding that hackers are selling their cam footage. Maybe you’ve thought that it could never happen to you? Think again. The personal information supply in the dark web sites is snowballing, and those who provide it are always working hard to get more. The chances of being hacked are higher every day.
It’s not personal. Not for hackers. The chances are that you will never be targeted individually. Why should they? There is so much data going around that everything is cheaper by the dozen, so they play the numbers. They know what they are doing, and so should you.
You need to adopt a secure digital lifestyle to ensure that it won’t be your credit card or your passport on offer on the Dark web next year. Again, it’s a numbers game, so a few precautions will go a long way in improving your security. After all, hackers don’t want (or need) to work that hard to collect their data with so many unsuspecting victims worldwide.
Preventing Identity Theft
Keeping yourself safe is not rocket science. Following just a few recommendations will almost nullify the probability of your personal data being stolen.
The habits explained above can be burdensome in the beginning, but they become one’s second nature quickly. You will merely be doing your part in protecting yourself, your identity online, and your very own future.
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, dark web)