
How much is your stolen data worth on the dark web?

A new report reveals how much cyber criminals are willing to pay for stolen data on the dark web

Ever wondered how much your stolen data could be worth? A new report reveals the market value of all the most common types of stolen data available for sale to criminals on the dark web.

The “Hidden Data Economy” report by Intel Security Group’s McAfee Labs draws on years of close work with law enforcement, and ongoing monitoring of online platforms, communities and marketplaces where stolen data is hidden and sold – such as Alphabay and Crypto Market.

The report provides examples of how different types of stolen data are being packaged, and offers an illustration of average prices for different types of data. A few examples include:

  • Average estimated price for stolen credit and debit cards: $5 to $30 in the US; $20 to $35 in the UK; $20 to $40 in Canada; $21 to $40 in Australia; and $25 to $45 in the European Union
  • Bank login credentials for a $2,200 balance bank account: $190
  • Bank login credentials plus stealth funds transfers to US banks: from $500 for a $6,000 account balance, to $1,200 for a $20,000 account balance
  • Bank login credentials and stealth funds transfers to UK banks: from $700 for a $10,000 account balance, to $900 for a $16,000 account balance
  • Login credentials for online payment services such as PayPal: between $20 and $50 for account balances from $400 to $1,000; between $200 and $300 for balances from $5,000 to $8,000
  • Login credentials to hotel loyalty programs and online auction accounts: $20 to $1,400
  • Login credentials for online premium content services such as Netflix: as little as $0.55

Payment card data is perhaps the most well-known data type stolen and sold. A basic offering includes a software-generated, valid number that combines a primary account number, an expiration date, and a CVV2 number.

Valid credit card number generators can be purchased or found for free online. Prices rise based on additional information that allows criminals to accomplish more things with the core data.

This includes data such as the bank account ID number, the victim’s date of birth, and information categorised as “Fullzinfo”, including the victim’s billing address, PIN number, social security number, date of birth, the mother’s maiden name, and even the username and password used to access, manage, and alter the cardholder’s account online.

Online payment service accounts – like PayPal accounts for example – are also sold on the open market, with their prices determined by additional factors.

The report claims that illegal sellers list adverts in the same way as any legitimate seller would – offering guarantees on stolen credit cards – and forums name and shame “bad sellers” who have sold stolen cards that don’t offer up what was promised.

“Like any unregulated, efficient economy, the cybercrime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer for Intel Security in Europe, the Middle East and Africa.

“This ‘cybercrime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency, and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cybercrime pay.”


The news coincides with the publication of new figures from the Office for National Statistics, showing that cyber crime is now the UK’s most common offence, with 2.5m incidents in the last year.

Cyber crime was previously excluded from official statistics but its inclusion in this latest report has resulted in an overall surge in crime rates of 107 pc – over double.

The most common cyber crimes, offences committed under the Computer Misuse Act, were where the victim’s device was infected by a virus.


T-Mobile customer data stolen from Experian is already for sale on the dark web

The consequences of 15m customer records for sale could be far larger than just financial theft – watch out for your health data

It’s easy to dismiss the recent theft of 15m T-Mobile customers’ personal data from credit checking organisation Experian’s servers, and turn away. After all, large scale data theft is becoming almost commonplace now. Just recently, the US government’s personnel office was hacked, leaking the highly personal information of 22m government employees.

But records stolen from the servers of credit bureau Experian are already showing up for sale on the dark web, alleges Irish security startup Trustev.

“This morning they saw listings go up for “FULLZ” data that matches the same types of information that just came out of the Experian hack,” the security firm’s spokesperson wrote in an email to tech website VentureBeat.

“Fullz” is a slang term used by hackers and data brokers to refer to a full package of an individual’s personal identifying information. Such data sets typically include an individual’s name, social security number, birth date, account numbers, and other data.

This matches exactly the data stolen from Experian last week: for each of 15m people who applied for a T-Mobile contract between September 1, 2013 and September 16, 2015, data accessed by hackers included their name, address, Social Security number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile’s own credit assessment (the nature of this information remains undisclosed).

Experian said no payment card or banking information was obtained – but that’s not necessarily the most sensitive data that you own.

Experian is more than just a credit-checking agency; it is also one of the world’s largest data brokers – companies that track, collect and compile reams of personalised data about individuals around the world and package it as a saleable product for the highest bidder.

Customers for this sort of anonymised but ultra-accurate personal data package range from retailers to employers, hospitals, universities and insurance companies.

The danger here is not just identity theft (although that will be straightforward with the type and sensitivity of the data stolen from Experian) – there is also the possibility that this could be cross-referenced with more sensitive datasets like health records or genetic information, which usually don’t have names attached to them.

In the UK, for instance, the NHS has a “pseudonymised” set of records called the Hospital Episode Statistics (HES) database that it shares with commercial organisations, including Experian. This contains every instance of a patient in England using a hospital-based service since 2001, covering 47 million patients, identified by date of birth, gender and address – but not name.

If a hacker can gain access to these health records, or any anonymised health datasets made available to commercial and academic research organisations, they can easily cross-reference the date of birth or address records from, say, the T-Mobile dataset (which does contain names), and find a person’s entire health record within minutes.
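A data custodian can measure this exposure before sharing a pseudonymised extract by checking how many records share each combination of date of birth, gender and address. The sketch below is an added example, not part of the original article or of any NHS or Experian tooling; the records, the field names and the `k_min` threshold are constructed assumptions, with a made-up postcode standing in for the address.

```python
from collections import Counter

# Constructed sample of a pseudonymised extract: no names, only the
# quasi-identifiers the article lists (date of birth, gender, address).
RECORDS = [
    {"dob": "1980-03-14", "gender": "F", "postcode": "ZZ1 1AA"},
    {"dob": "1980-03-14", "gender": "F", "postcode": "ZZ1 2BB"},
    {"dob": "1980-11-02", "gender": "F", "postcode": "ZZ1 3CC"},
    {"dob": "1975-06-30", "gender": "M", "postcode": "ZZ2 4DD"},
    {"dob": "1975-01-09", "gender": "M", "postcode": "ZZ2 5EE"},
    {"dob": "1975-12-25", "gender": "M", "postcode": "ZZ2 6FF"},
]

def exact_key(record):
    """Quasi-identifiers exactly as stored in the extract."""
    return (record["dob"], record["gender"], record["postcode"])

def generalised_key(record):
    """Coarsened form: year of birth and outward postcode only."""
    return (record["dob"][:4], record["gender"], record["postcode"].split()[0])

def k_anonymity(records, key):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means at least one person is unique and can be linked to a
    named dataset that carries the same fields."""
    groups = Counter(key(r) for r in records)
    return min(groups.values())

def unique_fraction(records, key):
    """Share of records that are alone in their quasi-identifier group."""
    groups = Counter(key(r) for r in records)
    alone = sum(1 for r in records if groups[key(r)] == 1)
    return alone / len(records)

def release_ok(records, key, k_min=3):
    """Hypothetical release gate: refuse extracts below the k threshold."""
    return k_anonymity(records, key) >= k_min

if __name__ == "__main__":
    for name, key in (("exact", exact_key), ("generalised", generalised_key)):
        print(name, "k =", k_anonymity(RECORDS, key),
              "unique =", unique_fraction(RECORDS, key),
              "release_ok =", release_ok(RECORDS, key))
```

With exact values every constructed record is unique (k = 1), while coarsening to birth year and outward postcode puts each record in a group of three.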

Having your health or genetic data stolen has far more wide-ranging consequences than the theft of your financial identity, starting with simple blackmail. It is also irreversible and permanent, unlike the loss of your financial data.

The theft of T-Mobile’s customer details is not the first time hackers have hit a data broker – after all they are centralized founts of personal information, gathered from diverse sources ranging from credit card purchases to public voter registration records. Experian itself was hacked by a Vietnamese identity theft service, which stole more than 200 million customers’ data just last year. And the year before, hackers hit credit agency Equifax and tried to sell the credit history data of celebrities, politicians, and even first lady Michelle Obama.
