Your entire online identity could be worth little more than £800, according to brand new research into the illicit sale of stolen personal info on the dark web (or just $1,200 if you are in the United States, according to the US edition of the index). While it may be no surprise to learn that credit card details are the most traded, did you know that fraudsters are hacking Uber, Airbnb, Spotify and Netflix accounts and selling them for little more than £5 each?
Everything has a price on the dark web it seems. Paypal accounts with a healthy balance attract the highest prices (£280 on average). At the other end of the scale though, hacked Deliveroo or Tesco accounts sell for less than £5. Cybercriminals can easily spend more on their lunchtime sandwich than buying up stolen credentials for online shopping accounts like Argos (£3) and ASOS (£1.50).
The average person has dozens of accounts that form their online identity, all of which can be hacked and sold. Our team of security experts reviewed tens of thousands of listings on three of the most popular dark web markets, Dream, Point and Wall Street Market. These encrypted websites, which can only be reached using the Tor browser, allow criminals to anonymously sell stolen personal info, along with all sorts of other contraband, such as illicit drugs and weapons.
We focused on listings featuring stolen ID, hacked accounts and personal info relevant to the UK to create the Dark Web Market Price Index. We calculated average sale prices for each items and were shocked to see that £820 is all it would cost to buy up someone’s entire identity if they were to have all the listed items.
To help the UK public understand just how much their personal data is worth we created the following price index.
Sale Prices Explained
Hacked financial details are by far the most commonly listed items, credit cards in particular, and the most valuable. Selling prices tend to be 10% of the available credit balance, however we found credible examples of Paypal listings asking double that, suggesting high current demand for these accounts.
A popular type of listing here is what are known as “Fullz”. These bundles of “full” identifying information, sometimes are either packaged with financial details or sold separately. We found listings featuring individuals’ name, billing address, mother’s maiden name, NI number, date of birth and other personal data.
Proof of Identity
A preferred tactic of cybercriminals is to set up lines of credit in someone else’s name. That’s why we see all sorts of digital proof of identity being traded, such as passports scans, selfies and utility bills. The high prices reflect the ease with which such items can be used to commit fraud.
There may be a big step down in price but hacked online shopping accounts offer plenty of opportunity for fraud. Most change hands for less than £5, some for much less than that. Storing payment details in Amazon or Tesco accounts may be very convenient but it leaves account holders open to a range of scams, such fraudsters ordering expensive items and stealing them.
The highest prices are commanded by accounts that are more likely to provide access to the most stored personal info, as well as by the value of goods that can be fraudulently acquired. Hacked eBay accounts are also particularly attractive as not only do they allow criminals to dupe buyers into sending them money for fake listings but also to buy expensive goods with the account owner’s funds to intercept and sell on.
Despite an average sale price of less than £6, hacked Airbnb accounts open up a world of scams to the buyer. There have been reports of hackers changing hosts payment details in order to steal their earnings. Fraudsters also hijack accounts of highly-rated guests to book stays in premium properties and even burgle the hosts. Airbnb has introduced new security measures but horror stories continue to be posted in its community forums.
There have also been reports of Russians using hacked Uber accounts, selling here for little more than £5, to run up big bills for Uber journeys the true owner has never taken, sometimes on the other side of the world.
Gaining access to other travel accounts, such as Booking.com, gives criminals the opportunity to send bogus emails tricking people into making high value payments related to their travel arrangements, as well stealing their credit card details.
As with most of the hacked accounts we found for sale on the dark web, these log-ins offer a route into potential identity theft. An added bonus is that the opportunistic criminals can also stream content for free, at least until the true owner notices their Netflix or Spotify account has been compromised. The low cost of these items reflects the limited capacity for re-use.
Hacked Skype accounts have been used to send spam even when two-factor authentication has been in place. The spam messages sometimes contain phishing links to popular sites like LinkedIn and Baidu. Mobile phone accounts are a treasure trove of fraud opportunities, especially given the use of SMS messages for bank account verification for example. T-Mobile, featured here with an average price of £7.57, was recently hacked.
Fraudsters have been caught setting up complex scams involving stolen Paypal and eBay accounts that they use to buy expensive electronics. A hacked DHL account for £7.49 could be the missing piece of the puzzle that allows them to get their hands on the goods, which they would usually resell.
Facebook logins at £3.74 sell for more than double other social media accounts due to the greater potential for offering up enough personal data to help gain access to more directly lucrative accounts or commit identity theft.
The selfies and food porn of Instagram may not seem have any value whatsoever to fraudsters but hacked accounts on the platform remain on sale, albeit for less than £1. For such a low investment, it can be appealing for cybercriminals to log in and see what they might find that could be useful for identity theft.
Supply and demand plays the same role on the dark web markets as it does in the regular economy. The dark web is awash with literally millions of hacked email accounts and the prices are accordingly low. Although gaining access to a victim’s email is often a critical aspect of an online scam, it’s not as useful on its own as other accounts. Credit card details are not typically stored there, while trawling through thousands of emails looking for personal info is not as efficient as other methods.
Strong security on Gmail, such as two-factor authentication and suspicious login warnings, push the price down to just 75p compared to other providers, as access can be swiftly revoked, rendering the hacked details useless.
It seems scammers get hungry too, hacking food delivery services like Deliveroo to fraudulently order expensive food and alcohol. There are reports of more than £500 being charged to hacked accounts, which sell for just £3.74 on the dark web.
These types of listings came out with the lowest average price in our index, which reflects their limited use to criminals. While hacked dating accounts could certainly be used for “catfishing”, a classic con where the scammer adopts a fictional identity to lure their victim into a relationship in order to take advantage of them financially, it’s cheaper and easier to just create fake accounts.
Of course as with most items in our index, there is the potential to mine the account for personal info to enable identity theft. The bottom line though is that hackers will try to sell whatever they have got in the hope of realising some value from their criminal activity.
Our team reviewed all fraud-related listings on three of the largest dark web markets, Dream, Point and Wall Street Market over 5-11 February, 2018. Relevant listings were collated and categorised in order to calculate average sale prices. Prices were collected in USD and converted to GBP at the current exchange rate at the time of listing ($1.39 rate). Dark Web Market Price Index – Feb 2018 – Raw Data
Top10VPN.com is the world’s largest VPN review website. We recommend the best VPN services to help protect consumers’ privacy online. We also aim to educate the general public about digital privacy and cybersecurity risks through our free online resources and research.
For more information on issues related to online security and privacy, check out our original Risk Index for Free Android VPNs, 2019 Free VPN Ownership Investigation, Hacking Tools Market Price Index (UK edition) or our updated edition of the Dark Web Market Price Index (UK).