Got $50? That's Enough to Buy Someone's Online Identity

Personal Information is Worth $50

Having your online identity compromised can bring you a lot of grief, and in some cases, financial damages. Few people think about this when they're signing up for various online services using weak passwords or when they're sharing way too much information. Even fewer people think about why their data might be so valuable to some criminals. The answer is simple: cybercrooks make a living out of it.

While there are still hackers that wreak havoc on the internet to support a political cause or just for the fun of it, most crooks are motivated by cold, hard cash. How much do they earn exactly?

Considering the stories we've heard of crooks making millions of dollars from a single ransomware strain, we can safely conclude that the paycheck isn't bad. What is more surprising is how little money they need to invest in order to buy some information that can facilitate a profitable attack.

Personal data is traded on the cheap on the underground forums

David Jacoby, a self-confessed IT security evangelist working for Kaspersky, was wondering just how much money our details are worth after they get stolen. To find out, he broke out the Tor browser and went to the DarkWeb's online marketplaces. His findings were rather shocking.

Different types of information come at different costs, but it's fair to say that our whole digital life can be bought and sold quite cheaply. Accounts for gaming platforms like Steam or PlayStation Network, as well as streaming services like Netflix, and Spotify go for between $1 and $5, but Jacoby noted that if you buy in bulk, you can get them cheaper. Our Facebook profiles are also worth about $1 a pop, despite the tons of personal information they contain.

For slightly more, about $10 per account, you can get access to other people's profiles on various e-commerce websites, some of which host, among other things, credit card details. The price of email accounts and dumps of login credentials stolen during data breaches varies wildly and is dependent on a number of factors such as the volume of stolen credentials and their age.

More or less the same goes for compromised login data for internet-facing desktop machines and servers. Remote Desktop Protocol (RDP) credentials, an infection vector that's quite popular with ransomware operators, can go for anything from $5 to $50 per set. SSH and Telnet login data which helps hackers compromise entire servers are in a similar price bracket.

What do criminals do with the data?

When it comes to things like RDP or SSH credentials, the goal is to launch either targeted or indiscriminate attacks on individuals and organizations. Usually, the aim is spreading malware, often not just on a single computer, but on an entire network.

When personal information is traded, the motives are various, and in his post, David Jacoby described some of them. People that want to stream content from Netflix or Spotify but want to save a few dollars per month, for example, can go on the underground forums and buy compromised accounts for a lot less money. Some of the sellers even offer guarantees, saying that if the hacked account stops working, they'll replace it with another one.

There are also cases when the personal information is abused for elaborate scams. As an example, Jacoby told us about the links between stolen data and Tinder bots. The crooks use compromised Facebook and Instagram accounts to create fake Tinder profiles which try to engage male users. Using direct messages, they lure people into clicking links, promising the victim a collection of nude photos. In reality, the link puts the user through a series of redirects which collect information about his geolocation. Based on the IP address, the redirects eventually present a fishy-looking dating website or a landing page which asks for more personal or credit card information. So far, David Jacoby has seen no malware being distributed with this sort of mechanisms, but in the world of cybercrime, things tend to be rather unpredictable, so we wouldn't bet against it happening in the future.

Why is our data so cheap?

It's an interesting paradox. Having our data compromised can cost us plenty of emotional and physical pain as well as thousands of dollars in financial damages. Yet, it's bought and sold on the dark web for as little as the price of a couple of cans of Coke. There are a few good reasons for this.

First of all, thanks to a variety of different factors, hackers don't have such a hard time compromising people's account. Sometimes, the fault lies with the user, sometimes, it's with the vendor, and occasionally, the blame is shared. Regardless of who is at fault, data isn't always secured as well as it should be.

The second factor that drags the price of sensitive information down is the sheer volume of data that is flying around. As Troy Hunt recently demonstrated, getting your hands on millions upon millions of usernames and passwords could be as easy as clicking a link and waiting for the download to finish. With so much data available for free, the people who try to charge for it don't really have much choice but to lower the price.

The situation is less than ideal. Criminals steal, sell and buy data all the time. Our online lives are dependent on a few dollars' worth of cryptocurrency, and often, the whole thing is outside our control. There are some things that we can improve, however, and we have no excuses for not doing it.

January 17, 2019

Leave a Reply