Stolen credit and debit card data, along with bank and online payment account details, remain the most popular items for sale on the dark web markets. The lure of high account balances to cash out and access to new lines of credit understandably allows these items to always command the highest prices.
An emerging trend at the very highest end of the pricing spectrum is where vendors are selling hacked debit card data for high-balance accounts bundled with SIM cards and cryptocurrency accounts. These all-in-one fraud packages permit scammers to SIM-jack the account and drain the funds into the intermediary crypto account, where the stolen cash is easily laundered.
These bundles change hands for up to $4,600 compared to just $17 for standard debit card details. This has really ratcheted up the average price ($1,307) as the vast majority of debit card details are now part of expensive bundles, unlike in previous years.
The value of hacked PayPal accounts ($11) continues to drop due to the scarcity of high balances compared to previous years amid the overall glut in listings for this venerable brand.
Instead, hacked account details for newer instant cash transfer services such as Cash App ($47) and to a lesser extent, Venmo ($14) have become more appealing as they become increasingly popular with small businesses and consumers.
Regardless of the individual service, hacked web wallets remain a mainstay of the dark web markets as they are central to so many scams. Fraudsters can cash them out directly, or use them for middleman accounts in any number of more complex schemes.
Cell phone accounts are perenially appealing to fraudsters as they are useful for a whole range of scams. With a successful account takeover, a hacker gains access, for example, to a utility bill that can be used to support a fraudulent credit application. The compromised account can also be used to circumvent two-factor authentication.
Hacked Verizon accounts ($102.50) are almost ten times more expensive than last year as they are currently being bundled with associated personal data, such as Social Security Number (SSN), Zip Code, and date of birth, and therefore tailor made for identity theft and account takeovers.
Prior to the pandemic, Skype accounts ($7) were worth little more than a dollar. However, with the newfound reliance around the world on video calls, Skype log-ins are suddenly much more appealing to cybercriminals.
The longstanding scam where phishing links are sent via hacked Skype accounts to the account holder’s entire contact list, has more potential to be lucrative given the increased use of the platform.
Criminals typically buy hacked online shopping accounts to commit credit card fraud, either by buying high-end goods using payment details stored on the account or by harvesting account information that can be used for identity theft.
With the world population in varying states of lockdown since March 2020, online shopping activity has soared, with two-and-a-half times more orders than before the pandemic.
This increased activity is a boon to would-be fraudsters, with consumers more likely to create accounts with individual retailers and store payment details for more frequent orders. With more overall activity, fraudulent orders are less easy to spot, especially if account holders are less experienced online shoppers forced into new behavior by the pandemic.
Online retail accounts are currently selling for between $4 and $15, with the most expensive being Wowcher ($15), eBay and Amazon (both $14.50).
The 53% drop in price of hacked Amazon accounts compared to last year may well be due to Amazon tightening its controls following the discovery of a massive fraud last year. Despite this, Amazon accounts remain valuable to would-be fraudsters due to the high likelihood of stored payment details and sheer scope for scams.
Note the average price for Amazon accounts in general is slightly higher than for Amazon Prime Video ($13), as a number of cheaper listings for the streaming-only version of the service (ie lacking the full Prime membership benefits) brought down its average.
eBay remains highly popular with fraudsters as the company tends to side with the buyer during any dispute. One scheme involves a scammer impersonating a trusted buyer who buys goods only to request a refund. The scammer then ships an empty package with an altered Ebay returns label, to a random address in the seller’s Zip Code area. The seller is then left without the item, and without their money.
The collapse of the international travel industry due to the global pandemic may have killed off the trade in hacked airline accounts, however the rise in staycations in its place means that compromised Airbnb ($13.50) accounts have actually increased in value to scammers.
Hacked Airbnb guest accounts have previously been used to create bookings for houses which criminals then burgle, while host accounts can be used for phishing and other scams, such as fake listings.
There have also been reports of scammers using hacked Uber accounts for their everyday travel, in places as far afield as Russia and Arizona.
Health & Wellness
Unable to visit gyms and stuck at home for months on end, locked down populations around the world have increasingly turned to a range of apps and services to maintain their physical and mental health.
High-end subscriptions, such as increasingly popular Peloton ($18) that also requires a $2,000 exercise bike, mark out the owner as a potentially lucrative target for fraud and are priced accordingly on the dark web markets.
Wellness apps like Headspace ($7) are proving popular with scammers, partly because they are “fresh blood” but also due to the demographic of their users, who have the disposable income to pay for such services even during these economically uncertain times, making them appealing targets for identity theft.
Fitbit ($4) accounts are a potential treasure trove of intimate personal information and health data uploaded from users’ wearable devices. Compromised account owners even become vulnerable to burglary or home invasion once criminals gain access to live and historical GPS location data.
These services have an added appeal for hackers: as well as opportunities for identity theft and swiping stored credit card details, they can also enjoy expensive blowouts, often with top shelf alcohol jacking up the bill, on someone else’s dime.
Food delivery is another category of stolen log-ins now commanding higher prices on the dark web as usage of these services soars due to the coronavirus pandemic keeping people indoors.
Instacart ($22) accounts are the most expensive, which could be due to shoppers being more likely to store payment details for convenience’ sake when they are making multiple orders per week, as well as the range of stores from which it delivers.
Services like Drizly ($13.50) give scammers free alcohol as well as users’ personal data.
Facebook ($8) accounts with their wealth of personal information offer perfect source material for social engineering attacks on more lucrative accounts.
Social engineering is the technique of manipulating individuals, such as customer service agents, into providing access to accounts. One recent example was the hack of the high-profile Twitter users, including Jeff Bezos and Barack Obama.
Despite a major breach earlier this year, the price of hacked individual Facebook accounts is relatively stable at $8 on the dark web marketplaces.
Hacked streaming and gaming accounts continue to proliferate on the dark web with prices correcting to around the $7 mark after the temporary squeeze on supply forced up prices last year.
While identity theft is one motivator for buying up hacked Netflix ($6), Disney+ ($7) and YouTube Premium ($7.50) accounts, they are also being used to actually watch content too. The explosion in services also makes it easier for rogue streamers to go undetected for longer as users with multiple subscriptions are less likely to closely monitor their accounts.
Hacked Spotify ($3.50) accounts can also be used in click fraud. A Bulgarian scammer notoriously gamed the Spotify royalties system in 2017 to pocket $1M, however there is evidence that similar schemes continue to operate using compromised Spotify accounts.
Interesting outliers in the category include the subscription-based content platform OnlyFans ($16), most known for people charging their followers a monthly fee for adult content. It’s been flooded with new content creators hoping to make a living since the pandemic caused mass layoffs.
Hacked email accounts tend to be sold either in massive dumps from large scale data breaches or as individual verified emails. As with previous editions of the Price Index, we disregarded dumps as unit prices work out at tiny fractions of a cent each while the accounts constituting these dumps are not guaranteed to be accessible or even valid.
Verified emails on the other hand trade for anything up to ten dollars each. Gmail ($6) in particular can be used in dot account scams or as part of more complex fraud and identity theft, thanks to the use of email as security for so many third-party accounts.
We are also seeing student emails ($6) specifically due to the authority of the “.edu” address.
Subscription-based security software that we found is typically for personal use rather than for further fraud. Hackers use stolen VPN accounts that can’t be tracked back to them to disguise their IP addresses whilst they are carrying out illegal activities.
Hacked anti-virus software appeals to cheapskates who don’t want to pay for their own license and those who want to avoid signing up with their own details.
With millions of people around the world stuck at home, with many on furlough, online learning and self-improvement platforms have enjoyed a surge in popularity as people look for new ways to relieve the tedium.
At one end of the spectrum is MasterClass ($6), whose glossy, star-studded platform and expensive annual subscription has been attracting increasing numbers from a highly appealing demographic for hackers looking for potentially lucrative identity theft.
At the other is the more prosaic Udemy ($3), whose technical courses cost as little as $10 and thus attract a more diverse user base.