Stolen credit card details are being sold by cyber criminals on the Dark Web (part of the internet which requires specialist software or authentication to access, and used by cyber criminals) for as little as $5 (£3.20), while login details for online bank accounts are available from $190, a new report by McAfee Labs has claimed.
Information on sale as “crime-as-a-service” also includes online payment service login credentials, premium content service login credentials and enterprise network login credentials.
Europol has previously warned about the growing threat of “cyber-crime-as-a-service” as cyber criminals are increasingly selling their skills to traditional criminal gangs which otherwise lack the technical knowledge to engage in hacking and cyber theft.
Released by Intel Security, The Hidden Data Economy report provides examples of how cyber criminals and hackers are making money from stolen data, with prices for stolen information ranging from $5 to more than $1,000, depending on the bank balance of the victim.
The average estimated price for stolen credit and debit cards is between $5 and $30 in the US and $20 to $35 in the UK.
The value of this information rises when it includes further details which allow cyber criminals to achieve more, such as a bank account number, the victim’s date of birth, their PIN or other personal details which enable nefarious individuals to conduct more advanced criminal activity.
However, bank login credentials are where the real money is on the Dark Web, with hackers able to sell information about victims for thousands if a large amount is stored in the account.
McAfee Labs found login credentials for a $2,200 balance account selling for $190, but the prices in this trade rise quickly. There were cases of $500 being paid for a bank balance which contained $6,000, while accounts with a balance of more than $20,000 could be sold for over $1000.
“Like any unregulated, efficient economy, the cyber crime ecosystem has quickly evolved to deliver many tools and services to anyone aspiring to criminal behaviour,” said Raj Samani, chief technology officer at Intel Security EMEA.
“This ‘cyber-crime-as-a-service’ marketplace has been a primary driver for the explosion in the size, frequency and severity of cyber attacks. The same can be said for the proliferation of business models established to sell stolen data and make cyber crime pay.”
Samani explained that with this stolen information, a cyber criminal can do as they please until the victim realises that they have been a target of cyber crime.
A criminal in possession of the digital equivalent of the physical card can make purchases or withdrawals until the victim contacts the card issuer and challenges the charges,” he said.
“Provide that criminal with extensive personal information which can be used to ‘verify’ the identity of a card holder, or worse yet allow the thief to access the account and change the information, and the potential for extensive financial harm goes up dramatically for the individual,” Samani added.
With data breaches – such as those which affected Hilton Hotels and Anthem – such a regular occurrence, McAfee suggests that there is some apathy towards the incidents. However, the report argues that cyber crime must be reacted to in the same way traditional theft is reported and investigated.
“Cyber crime is merely an evolution of traditional crime. We must conquer our apathy and pay attention to advice for fighting malware and other threats. Otherwise information from our digital lives may appear for resale to anyone with an internet connection,” the report concludes.
Computing’s Enterprise Security and Risk Management Summit takes place later this year and is free to attend for qualified end users. Register here.