Stolen credentials, including bank details, are currently priced at $70 to $500 in deep web markets, depending on the “quality and timeliness” of the information.
More than 15 billion usernames and passwords for online services, including banking, video streaming and social media accounts, are being offered to cybercriminals, according to a new study by Digital Shadows.
The threat intelligence firm found that the number of stolen and disclosed credentials has quadrupled (up 300%) in the past two years as a result of more than 100,000 separate data breaches.
A study by Digital Shadows found that the number of compromised credentials in circulation in cybercriminal markets, many of which are on the dark web, is the equivalent of more than two for every person on the planet.
Of these, more than five billion were considered “unique”, which means they have not been advertised more than once on the deep web forums.
Account hijacking as a service
Account hijacking has never been easier (or cheaper) for cybercriminals. Accounts are sold on deep web markets. Traditional DIY approaches, based on credential-stealing malware and phishing campaigns, have been supplemented by new services and products.
First, many brute-force and account-verification tools are available in the criminal markets for an average price of just $4, and they can be used without much technical knowledge.
Instead of buying compromised credentials, criminals can “rent” an identity for a specified period, thanks to the rise of so-called account-hijacking-as-a-service offers in various underground markets.
These services offer fingerprint data (such as cookies or IP addresses) from the target person, information that makes it easier for transactions to go unnoticed or for the compromised login information to be abused in other ways.
Many account details are offered free of charge, but of those on sale, bank and financial accounts were the most expensive, with an average price of £56 ($70.91).
According to Digital Shadows, depending on the quality and timeliness of the information, this price could be much higher, reaching £395 ($500).
These costly bank and financial accounts accounted for a quarter of all advertisements analyzed by the UK-based threat analysis firm.
Accounts for streaming and take-out services are just as popular, but on lower-tier sites. VPN and adult website subscriptions are other popular categories for selling compromised credentials.
US accounts were most often advertised on crime forums and marketplaces, followed by Canada, Australia, the United Kingdom and Germany.