A recent study cataloging prices across English- and Russian-language fraudster forums examined 320 purchases for stolen payment, identity and log-in information earning hackers between $1 million and $2 million, while the fraudsters using this information from less than half of these transactions were able to steal between $1.7 million and $3.4 million.
These estimates came from a study conducted by a criminal justice professor at Michigan State University, analyzing posts from the dark web on ten Russian and three English-language fraudster forums. The report detailed the marketplace nature of these sites, where fraudsters posted dumps for sale and buyers rated sellers on product quality. The price estimated for the 320 black market transactions was given as a range because the volume discounts and price negotiations between buyers and sellers were unknown, and only 141 of these transactions provided enough information to estimate the buying parties’ yield, which was estimated to be as high as $3.4 million.
Other sources scouting the cost of stolen credentials, payment and identity information show that it is much more than payment card credentials fraudsters are after. According to black market sales data curated by Avast Software, PayPal login credentials sell for $1.50 per account, 50 percent more than the cost of a Social Security number. Email address and password combinations sell between $0.70 and $2.30 each, while Driver’s license scans, which can be used for new account fraud, average around $20 apiece.
Fraudsters are also willing to pay to target account takeovers against specific online organizations. According to research from Trend Micro, streaming media accounts sell for more than a Social Security number. Spotify and Hulu accounts sell for $2.75 per compromised account, while Netflix accounts range from one to three dollars. Account credentials to access money transfer service Western Union go for more than twice as much, at $6.80 per account.
Some of the highest value accounts Trend Micro identified are government organization (.gov) email addresses. Postal Service and Center of Disease Control emails sell for $660 and $340 per account, respectively. According to the company fraudsters try to uses these credentials to steal data or compromise servers as a means of launching secondary attacks. These email accounts could also be used for spear phishing campaigns to infect or compromise many government employee devices.
While there tends to be a focus on card dumps that hackers post for sale on the dark web, the variety of account credentials and their going rate underscore the fact that account takeover is a profitable endeavor for many hackers and fraudsters, and it is still a growing threat.
For more information: