Your entire online identity could be worth little more than £800, according to brand new research into the illicit sale of stolen personal info on the dark web (or just $1,200 if you are in the United States, according to the US edition of the index). While it may be no surprise to learn that credit card details are the most traded, did you know that fraudsters are hacking Uber, Airbnb, Spotify and Netflix accounts and selling them for little more than £5 each?
Everything has a price on the dark web it seems. Paypal accounts with a healthy balance attract the highest prices (£280 on average). At the other end of the scale though, hacked Deliveroo or Tesco accounts sell for less than £5. Cybercriminals can easily spend more on their lunchtime sandwich than buying up stolen credentials for online shopping accounts like Argos (£3) and ASOS (£1.50).
The average person has dozens of accounts that form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings on three of the most popular dark web markets, Dream, Point and Wall Street Market. These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell stolen personal info, along with all sorts of other contraband, such as illicit drugs and weapons.
We focused on listings featuring stolen ID, hacked accounts and personal info relevant to the UK to create the Dark Web Market Price Index. We calculated average sale prices for each item and were shocked to see that £820 is all it would cost to buy up someone’s entire identity if they were to have all the listed items.
To help the UK public understand just how much their personal data is worth we created the following price index.
Sale Prices Explained
Hacked financial details are by far the most commonly listed items, credit cards in particular, and the most valuable. Selling prices tend to be 10% of the available credit balance; however, we found credible examples of PayPal listings asking double that, suggesting high current demand for these accounts.
A popular type of listing here is what are known as “Fullz”. These bundles of “full” identifying information are sometimes packaged with financial details and sometimes sold separately. We found listings featuring individuals’ name, billing address, mother’s maiden name, NI number, date of birth and other personal data.
Proof of Identity
A preferred tactic of cybercriminals is to set up lines of credit in someone else’s name. That’s why we see all sorts of digital proof of identity being traded, such as passport scans, selfies and utility bills. The high prices reflect the ease with which such items can be used to commit fraud.
There may be a big step down in price but hacked online shopping accounts offer plenty of opportunity for fraud. Most change hands for less than £5, some for much less than that. Storing payment details in Amazon or Tesco accounts may be very convenient but it leaves account holders open to a range of scams, such as fraudsters ordering expensive items and stealing them.
Prices are highest for accounts that are more likely to provide access to the most stored personal info, and they also reflect the value of goods that can be fraudulently acquired. Hacked eBay accounts are also particularly attractive, as they allow criminals not only to dupe buyers into sending them money for fake listings but also to buy expensive goods with the account owner’s funds to intercept and sell on.
Despite an average sale price of less than £6, hacked Airbnb accounts open up a world of scams to the buyer. There have been reports of hackers changing hosts’ payment details in order to steal their earnings. Fraudsters also hijack accounts of highly-rated guests to book stays in premium properties and even burgle the hosts. Airbnb has introduced new security measures but horror stories continue to be posted in its community forums.
There have also been reports of Russians using hacked Uber accounts, selling here for little more than £5, to run up big bills for Uber journeys the true owner has never taken, sometimes on the other side of the world.
Gaining access to other travel accounts, such as Booking.com, gives criminals the opportunity to send bogus emails tricking people into making high value payments related to their travel arrangements, as well as stealing their credit card details.
As with most of the hacked accounts we found for sale on the dark web, these log-ins offer a route into potential identity theft. An added bonus is that the opportunistic criminals can also stream content for free, at least until the true owner notices their Netflix or Spotify account has been compromised. The low cost of these items reflects the limited capacity for re-use.
Hacked Skype accounts have been used to send spam even when two-factor authentication has been in place. The spam messages sometimes contain phishing links to popular sites like LinkedIn and Baidu. Mobile phone accounts are a treasure trove of fraud opportunities, especially given the use of SMS messages for bank account verification, for example. T-Mobile, featured here with an average price of £7.57, was recently hacked.
Fraudsters have been caught setting up complex scams involving stolen PayPal and eBay accounts that they use to buy expensive electronics. A hacked DHL account for £7.49 could be the missing piece of the puzzle that allows them to get their hands on the goods, which they would usually resell.
Facebook logins at £3.74 sell for more than double other social media accounts due to the greater potential for offering up enough personal data to help gain access to more directly lucrative accounts or commit identity theft.
The selfies and food porn of Instagram may not seem to have any value whatsoever to fraudsters but hacked accounts on the platform remain on sale, albeit for less than £1. For such a low investment, it can be appealing for cybercriminals to log in and see what they might find that could be useful for identity theft.
Supply and demand plays the same role on the dark web markets as it does in the regular economy. The dark web is awash with literally millions of hacked email accounts and the prices are accordingly low. Although gaining access to a victim’s email is often a critical aspect of an online scam, it’s not as useful on its own as other accounts. Credit card details are not typically stored there, while trawling through thousands of emails looking for personal info is not as efficient as other methods.
Strong security on Gmail, such as two-factor authentication and suspicious login warnings, pushes the price down to just 75p compared to other providers, as access can be swiftly revoked, rendering the hacked details useless.
It seems scammers get hungry too, hacking food delivery services like Deliveroo to fraudulently order expensive food and alcohol. There are reports of more than £500 being charged to hacked accounts, which sell for just £3.74 on the dark web.
These types of listings came out with the lowest average price in our index, which reflects their limited use to criminals. While hacked dating accounts could certainly be used for “catfishing”, a classic con where the scammer adopts a fictional identity to lure their victim into a relationship in order to take advantage of them financially, it’s cheaper and easier to just create fake accounts.
Of course as with most items in our index, there is the potential to mine the account for personal info to enable identity theft. The bottom line though is that hackers will try to sell whatever they have got in the hope of realising some value from their criminal activity.
Check If Your Data Has Been Stolen
Firstly, see if your login credentials have been hacked in a breach. Use the Have I Been Pwned tool to check if your email addresses and passwords have been stolen. If they come up, change your passwords straight away.
Get a Secure VPN
When you’re online, we recommend being as secure and private as possible. A virtual private network (VPN) helps with that: it masks your IP address and secures your data communications. The most secure VPNs are built to keep you safe on insecure networks, such as free public WiFi. Keep your VPN running and hackers will find it very hard to hijack sensitive data transfers.
Use a Password Manager
Stop typing in passwords to log into web services, and start using a password manager. This software generates secure passwords, and saves your login credentials, which it will autofill into login forms. This way you no longer need to type in your username and password, which is how keylogging malware steals this valuable information.
Delete Inactive Accounts
Delete old and unused online accounts. Close them and request their deletion from the companies. The information contained in these accounts (e.g. social media profiles) could be used for identity theft, or to log into accounts that you still use.
Enable Two-factor Authentication
You need to enable two-factor authentication (2FA) as much as possible. 2FA requests confirmation of a login attempt, typically using an Authenticator app. This feature adds strong protection against unauthorized login attempts into your online accounts.
Our team reviewed all fraud-related listings on three of the largest dark web markets, Dream, Point and Wall Street Market, over 5-11 February, 2018. Relevant listings were collated and categorised in order to calculate average sale prices. Prices were collected in USD and converted to GBP at the exchange rate current at the time of listing ($1.39 rate).
Dark Web Market Price Index – Feb 2018 – Raw Data