Your entire online identity could be worth less than $1,200, according to brand new research into the illicit sale of stolen personal info on the dark web. While it may be no surprise to learn credit card details are among the most traded, did you know that fraudsters are hacking Uber, Airbnb and Netflix accounts and selling them for not even $10 each?
We also created a UK edition of the dark web market price index that found the value of a British online identity to be just £800.
Everything has a price on the dark web it seems. Paypal accounts with a healthy balance attract the highest prices ($247 on average). At the other end of the scale though, hacked Grubhub or Walmart accounts sell for less than $10. Would-be scammers can easily spend more on their lunchtime sandwich than buying up stolen customer logins for online stores like Costco ($5) and ASOS ($2).
The average person has dozens of accounts that form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings on three of the most popular dark web markets, Dream, Point and Wall Street Market. These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell stolen personal info, along with all sorts of other contraband, such as illicit drugs and weapons.
We focused on listings featuring stolen ID, hacked accounts and personal info relevant to the US to create the Dark Web Market Price Index. We calculated average sale prices for each items and were shocked to see that $1,170 is all it would cost to buy up someone’s entire identity if they were to have all the listed items.
To help the US public understand just how much their personal data is worth we created the following price index.
Sale Prices Explained
Hacked financial details are by far the most commonly listed items, credit cards in particular, and the most valuable. Selling prices tend to be 10% of the available credit balance, however we found credible examples of Paypal listings asking double that, suggesting high current demand for these accounts.
A popular type of listing here is what are known as “Fullz”. These bundles of “full” identifying information, sometimes are either packaged with financial details or sold separately. We found listings featuring individuals’ name, billing address, mother’s maiden name, social security number, date of birth and other personal data.
Proof of Identity
A preferred tactic of cybercriminals is to set up lines of credit in someone else’s name. That’s why we see all sorts of digital proof of identity being traded, such as passports scans, selfies and utility bills. The high prices reflect the ease with which such items can be used to commit fraud.
There may be a big step down in price but hacked online shopping accounts offer plenty of opportunity for fraud. Most change hands for less than $10, some for much less than that. Storing payment details in Amazon or Bestbuy accounts may be very convenient but it leaves account holders open to a range of scams, such fraudsters ordering expensive items in order to sell them on and pocket the cash.
The highest prices are commanded by accounts that are more likely to provide access to the most stored personal info, as well as by the value of goods that can be fraudulently acquired. Hacked eBay accounts are also particularly attractive as not only do they allow criminals to dupe buyers into sending them money for fake listings but also to buy expensive goods with the account owner’s funds to intercept and sell on.
Despite an average sale price of less than $8, hacked Airbnb accounts open up a world of scams to the buyer. There have been reports of hackers changing hosts payment details in order to steal their earnings. Fraudsters also hijack accounts of highly-rated guests to book stays in premium properties and even burglarize the hosts. Airbnb has introduced new security measures but horror stories continue to be posted in its community forums.
There have also been reports of Russians using hacked Uber accounts, selling here for just $7, to run up big bills for Uber journeys the true owner has never taken, sometimes on the other side of the world.
Gaining access to other travel accounts, such as Booking.com, gives criminals the opportunity to send bogus emails tricking people into making high value payments related to their travel arrangements, as well stealing their credit card details.
As with most of the hacked accounts we found for sale on the dark web, these log-ins offer a route into potential identity theft. An added bonus is that the opportunistic criminals can also stream content for free, at least until the true owner notices their Netflix or Spotify account has been compromised. The low cost of these items reflects the limited capacity for re-use.
Hacked Skype accounts have been used to send spam even when two-factor authentication has been in place. The spam messages sometimes contain phishing links to popular sites like LinkedIn and Baidu. Mobile phone accounts are a treasure trove of fraud opportunities, especially given the use of SMS messages for bank account verification for example. T-Mobile, featured here with an average price of $10.51, was recently hacked.
Fraudsters have been caught setting up complex scams involving stolen Paypal and eBay accounts that they use to buy expensive electronics. A hacked DHL account for $10.40 could be the missing piece of the puzzle that allows them to get their hands on the goods, which they would usually resell.
Facebook logins at $5.20 sell for more than double other social media accounts due to the greater potential for offering up enough personal data to help gain access to more directly lucrative accounts or commit identity theft.
The selfies and food porn of Instagram may not seem have any value whatsoever to fraudsters but hacked accounts on the platform remain on sale, albeit for a dollar and change. For such a low investment, it can be appealing for cybercriminals to log in and see what they might find that could be useful for identity theft.
Supply and demand plays the same role on the dark web markets as it does in the regular economy. The dark web is awash with literally millions of hacked email accounts and the prices are accordingly low. Although gaining access to a victim’s email is often a critical aspect of an online scam, it’s not as useful on its own as other accounts. Credit card details are not typically stored there, while trawling through thousands of emails looking for personal info is not as efficient as other methods.
Strong security on Gmail, such as two-factor authentication and suspicious login warnings, push the price down to just $1 compared to other providers, as access can be swiftly revoked, rendering the hacked details useless.
It seems scammers get hungry too, hacking food delivery services like Grubhub to fraudulently order expensive food and alcohol. There are reports of orders of almost $180 being racked up on hacked accounts, which sell for just over $9 on the dark web.
These types of listings came out with the lowest average price in our index, which reflects their limited use to criminals. While hacked dating accounts could certainly be used for “catfishing”, a classic con where the scammer adopts a fictional identity to lure their victim into a relationship in order to take advantage of them financially, it’s cheaper and easier to just create fake accounts.
Of course as with most items in our index, there is the potential to mine the account for personal info to help with identity theft. The bottom line though is that hackers will try to sell whatever they have got in the hope of realising some value from their criminal activity.
Protecting Your Data
Check If You’ve Been Hacked
The first thing to do is check if your personal data has been stolen. Head over to Have I Been Pwned and see which of your email accounts and old passwords have been compromised. If you find your current passwords there, you must update them immediately.
Use a VPN Service
Using a VPN service helps with your online privacy and security. It conceals your IP address and encrypts web data transfers. Trustworthy VPNs make using free public WiFi a lot more secure, by preventing hackers from intercepting sensitive online data.
Use a Password Manager
If you’re still typing in passwords to log into websites and apps, you’re at risk. A good password manager generates secure passwords that are hard to crack, which you can save within the software. Whenever you need to use your login credentials, the password manager will autofill your username and password for you. This protects you against keyloggers capturing data you type into login forms.
Delete Unused Accounts
If you still have old online accounts that you never use, close them and ask for your data to be deleted from the company’s servers. These accounts don’t hold any use to you, but they contain information that could be used to steal valuable sensitive data from other websites.
Enable two-factor authentication (2FA) on as many websites and mobile apps as possible. This feature forces you to confirm a login attempt on a second device you own e.g. your smartphone. This extra layer of security goes a long way to protect unauthorized access to your online accounts.
Our team reviewed all fraud-related listings on three of the largest dark web markets, Dream, Point and Wall Street Market over 5-11 February, 2018. Relevant listings were collated and categorized in order to calculate average sale prices.