Data theft is a fact of life. Cybercriminals will exploit vulnerabilities and system weaknesses to steal data. But what is that data really worth to them?
Top10VPN has set out to answer that question and says it is just £820.
According to Simon Migliano, Head of Research at Top10VPN.com: “It might come as some surprise that on the dark web your entire personal identity can be bought for significantly less than the price of a new iPhone X.”
Over the past decade, the value of certain types of data has varied substantially. Credit cards, once a serious earner, are now worth very little. In fact, hackers will sell blocks of cards and offer a refund if any fail to work. In the 1980s the Reader’s Digest mailing list was said to be worth over £250,000. Today, such a list would be worth substantially less.
To discover what personal data is worth, Top10VPN sent its researchers into the Dark Web. They visited three different Dark Web portals – Dream, Point and Wall Street Market – between 5 and 11 February. They then collated the data they found.
A quick caveat. We asked if the data was UK specific. The response was: “..; the data is global but filtered for a UK audience, i.e. only accounts and items that a UK resident would typically have with prices converted to GBP. There’s no way of knowing who the data belongs to without buying it.” This caveat is important. Buying data that is country specific can come at a higher price. This is because it is easier to use in campaigns and more likely to get results.
What did Top10VPN find?
The Dark Web Market Price Index (UK Edition) shows how widely hackers and fraudsters are casting their nets. It is not just traditional personal data such as bank accounts, passports and insurance details that they sell. Everything from Deliveroo accounts to Ticketmaster is now part of the data on sale.
There is a reason for this widespread gathering of data. The more pieces of data that can be gathered, the more complete the user profile. The more complete the profile, the more value it has. However, as the saying goes, the devil is in the detail. User credentials for Apple are worth £11.98 but user credentials for PlayStation are worth just £0.37. AOL email account details are worth £3.00 while Yahoo are just £1.20. Given the number of breaches and records lost by both of these companies, it’s a surprise that there is any value left at all.
The Index also goes on to give more details on why different types of data are useful to hackers. Most of this should be self-explanatory but there are some interesting pieces in there. The big thing that comes across from almost all the categories is that the more data you have, the easier it is to commit identity theft. Ultimately, that is exactly what the hackers are after.
Migliano said: “There’s a real concern that with such valuable information changing hands so cheaply, there’s nothing to prevent would-be fraudsters from buying up as much as they can in the hope of striking it lucky and draining victims’ bank accounts and credit lines.
“What’s interesting though is that everything seems to have a price on the dark web. This is because it’s not just hacked Paypal accounts and credit cards that represent opportunities for fraud. Many other online accounts contain enough personal info to enable identity theft. It’s also increasingly normal to store payment details in online shopping accounts.”
What does this mean?
The more we use online services the more data we create for hackers. There is already evidence that, like cybersecurity teams, advanced criminal gangs are using analytics and AI. These allow them to search through huge data breaches for information. They can quickly create links between sets of data that enable them to build user profiles.
The data isn’t just being used for identity theft. There are many ways to make money from personal information. According to Migliano: “Some of the accounts we found for sale open the door to even more ingenious scams. A hacked Airbnb account, for example, could allow a scammer to pocket hundreds in booking fees or even stay at high-end properties as a guest and burgle the hosts. At less than £6 initial outlay, that’s very appealing to a cybercriminal.”
While a lot of the data for sale comes from breaches, users need to rethink exactly what data they are putting online. There is also a need for better security hygiene: changing passwords regularly and not reusing them, taking advantage of multi-factor authentication to make it harder to hack accounts, and deleting old online accounts when they are no longer required.
Basic cybersecurity skills are also important, such as being able to spot phishing attacks and not clicking on that link asking you to verify your account credentials.
While writing this story I received an email apparently from PayPal. Checking the sender’s address, it came from PalPalkoss and the English was poor. Hovering over the button that asked for my credentials showed it would take me to a site registered to a domain in Belize. It would have been easy to lose access to my PayPal account and find a hacker charging the cost of goods to me. Just the basic details, according to Top10VPN, would have been worth £26.20.