Cybercriminals sell users’ data on the dark web for dirt-cheap prices – often less than the price of a Big Mac in the US.

For instance, a batch of American mobile phone numbers costs $4.50, US payment card data can be bought for around $5.80, and the Twitter login for a single account costs just $2.00 on average.

New research by NordVPN looked into a $17.3-million dark web market to find out what criminals can buy there for the price of a Big Mac, which currently costs $5.15 in the US.

“The list goes on and on. A hacked HBO account is sold for $3.50; Grammarly or Scribd accounts for a similar price,” says Daniel Markuson, a cybersecurity expert at NordVPN. “Dark web markets work like common e-shops, and the market rules are similar here. The easier it is to get an item, the cheaper it costs.

“And people do a huge favour to hackers by not protecting their accounts and credentials properly.”

Once a criminal purchases a user’s data, they try to reuse it for their own benefit, Markuson adds.

“In the best-case scenario, a criminal will use the victim’s service account (like HBO or Grammarly) without a user noticing. However, the more likely scenario is that they will try to use the same login details to take over other accounts that a user owns.”

Social media accounts open the gates for social engineering. A criminal can try to reach out to a user’s friends or family to trick them into giving up their personal information or even transferring money to the criminal’s account.

When it comes to the financial information that criminals can buy on the dark web, hackers can use it directly to steal money or purchase something using the victim’s credit card.

It is important to remember that the items sold on the dark web are usually sold multiple times – so a user’s credentials can get into the hands of thousands of criminals.

“Between 2008 and 2021, the FBI recorded a 207% increase in cybercrime reports. Cybercrime is booming, and we need to educate ourselves if we want to stay safe,” says Markuson.

He lists the most common methods criminals use to steal users’ data, along with tips on how users can protect themselves:

* Brute forcing. Brute forcing is difficult to prevent because a criminal only needs to guess the payment card number, CVV, or mobile number by trying different combinations of numbers. The attack is done using special software and can be executed in as little as six seconds. After that, a criminal can try to steal money from the payment card or just sell the data to other criminals. Even though users cannot prevent someone from guessing their financial data or phone number, they can check their bank statements regularly and avoid answering calls from unknown numbers to prevent losses.

* Credential stuffing. Credential stuffing involves exploiting emails and passwords that were leaked in big data breaches. Once criminals get them, they try the same credentials on other accounts a person owns and then sell the newly acquired logins on dark web marketplaces. The best way to prevent that is to use different, sophisticated passwords for different online accounts. The expert also recommends using password managers to store those passwords securely.

* Social engineering. Social engineering is a method in which a scammer tries to entice or trick a victim into revealing their sensitive data themselves. Many social engineering scams rely on phishing emails with an invitation to fill in a form or to reply to the email with some personal information that can later be sold on the dark web. The main tip here is to question everything a user receives from an unknown sender, especially if the email domain looks suspicious or the user notices grammar mistakes in the email.