A recent dark web investigation has revealed the black-market value of stolen personal data – and the results should give CISOs and IT leaders pause for thought.
PrivacyAffairs, a collective of cybersecurity professionals that conducts privacy and cybersecurity research, decided to delve deeper by examining how easy it is to obtain someone else’s personal information, documents and account details, with a focus on the prevalence of stolen personal data and the prices hackers are charging.
Researchers from the cybersecurity hub looked at credit card data, payment processing services, forged documents, social media, malware and DDOS attacks to give a general overview of personal data theft and how much each piece of information is worth. Average prices, listed in USD, ranged from as little as $1 for 1,000 fabricated Soundcloud plays to $6,000 for 1,000 installs of “premium” malware.
Stolen Financial & Social Media Data Most Prominent Find in Dark Web Investigation
However, some of the most prevalent personal data available on the dark web by far included financial information, with stolen credit card details and online banking logins featuring heavily. Stolen PayPal account details were also common.
But it is the low price of this personal data that is most revealing. For stolen credit card details with an account balance up to $5,000, hackers are only asking for around $20 for the information. Meanwhile, online banking logins with a minimum of $2,000 in the account fetch around $65. A PayPal transfer from a stolen account of between $1,000 and $3,000 costs up to $320, but a PayPal transfer from a stolen account of over $3,000 only costs around $155.
Less common were offers to hack social media accounts, mainly because the social engineering techniques required to obtain social media credentials “have a very high effort input for relatively low success ratio.” But a hacked Gmail account was still priced at a surprisingly low $155, while a hacked Facebook account was valued at $74.50. To fabricate followers and social engagement was much cheaper, with retweets, views and follower manipulation costing between $1 and $25.
The value of personal data on the dark web is much lower than the actual sums hackers could obtain by exploiting the data themselves.
Hackers Passing the Buck on Personal Data
PrivacyAffairs revealed that, across the board, the value of personal data on the dark web is much lower than the actual sums hackers could obtain by exploiting the data themselves. What this suggests is that hackers are fraudulently and illegally obtaining personal data to sell on the dark web for quick and easy cash.
The reason for this is simple: while they have committed one crime by obtaining the personal data, hackers are absolving themselves of responsibility for even more serious crimes by selling the data on to other malicious agents. It is much more likely that victims and organisations alike will be alerted to a data breach only once the data is exploited and attempts at fund extraction have taken place. At that point, it would be relatively easy for the authorities to track the individual responsible – but not necessarily the hacker who originally obtained the personal data.
Malware and DDOS attacks complicate matters somewhat on who is responsible, with hackers more culpable in these situations. But the Dark Web Price Index showed that it is still relatively cheap for malicious agents to coordinate debilitating cyber attacks through the dark web.
Malware is sold per 1,000 installs and range in price and quality, with the lowest and weakest malware costing $70 per 1,000 installs and “premium” malware costing $6,000 per 1,000 installs. DDOS attacks, meanwhile, cost anything up to $200 per 24 hours for a DDOS attack on a “premium protected website [with] 20-50K requests [sent] per second [via] multiple elite proxies”. Cheaper alternatives for a DDOS attack cost around $10 for an hour-long attack on an “unprotected website [with] 10-50K requests per second”.
All in all, there is little financial obstacle to malicious agents who are willing to use personal data to inflict damage on businesses and individuals. Similarly, there is little stopping them from employing a hacker to carry out a DDOS or malware attack.
What Does This Mean for Cybersecurity?
Cybersecurity leaders may take some solace in the fact that the dark web is full of scammers, with many dark web marketplaces hosting fake and worthless personal data.
Nevertheless, the PrivacyAffairs dark web investigation has shown that to a hacker, personal data is worth only one thing: quick cash. The damage that a malicious agent could inflict upon a person or business by obtaining this information could be worth tens of thousands – but the hacker who facilitated this damage could walk away with as little as $100.
Protecting the organisation and the customer costs far less than the damage a hacker could inflict, or even the lower sums a hacker could amass by selling personal data on. The onus is on CISOs and IT leaders to convince their colleagues on the board of the risks posed by data breaches, and to put protections in place. Now that we rely on digital channels more than ever before, time is of the essence.