Experts have found compelling evidence to show how personal identities are traded on dark web marketplaces – sensitive data belonging to U.S. citizens, ranging from Social Security numbers, banking information, and hacked payment platform credentials are being sold for about $8.
A team of researchers from Comparitech scanned through the dark web in search of prices that define the sale of personal data and information. The investigators discovered adverts for “fullz”, which refers to “full credentials” that may be used by buyers to access accounts and platforms.
The sets personal information could be traced to about 50 various darknet marketplaces, with countries such as Japan, United Arab Emirates, and a host of EU nations accounting for the most costly identities being traded at an average price of $25 on the dark web.
Researchers also noted critical price ranges in the context of stolen credit card numbers, which pointed to steep differences from about 11cents to $1,000. The same observation was made in cases involving stolen PayPal account data, which attracted figures of between $5 and and $1,767.
Various Uses at Different Values
According to findings of the 2021 Comparitech report, the prices of stolen accounts operating in the U.S. and the UK fetched the lowest prices considering that they represented majority of the accounts that were available to threat actors.
Essentially, the average price of a US-based PayPal account would be disposed for about $1.50, while the UK account would be sold for $2.50. The seemingly low prices would still lead sellers into making profit considering the volume of U.S. and UK accounts that would be involved.
The report’s authors noted that the stolen personal information would serve as sufficient fodder for notorious phishing campaigns. After a classic data breach, the dark web would serve a pivotal role in linking cybercriminal gangs to stolen databases of hacked credit and PayPal accounts.
In the context of Social Security numbers, and other forms of national identification, Comparitech researchers noted their sale on the dark web but acknowledged their lack of usefulness to cybercriminals when used on their own.
Typically, Social Security numbers are sold alongside other forms of personal information such as individual names, date of birth, address, cellphone number, and banking information that would go into identity fraud schemes. Cybercriminals employ these sets of information to create new lines of credit, hijack accounts, and make cash withdrawals from banking platforms.
Further, according to the report, cybercriminals also sold more extensive packages of stolen data that would include utility bills, bank statements, and driver’s license number. The same observation was made by researchers who noted the inclusion of victim photos that would form part of “bulk packages” that are sourced from data breaches.
The Influence of Data Privacy
As a general observation, cybersecurity experts inferred the differences in stolen data prices to the extent at which countries go to legislate data privacy. It turned out that the three countries with the highest cost in stolen credentials were, in one way or another, seeming to be strict on matters organizational data privacy and protection.
The fact that the U.S. seemed to supply the cheapest fullz pointed to a dire reality that EU and Japan have placed critical emphasis on clear privacy laws that go a long way to limit, or even punish companies that feature in data breaches that would in turn leak user credentials.
To conclude, the price differences provide a stark reminder that attacks against major institutions would not be resolved any time soon. While individual employees must work hard to protect their personal information, organizations are expected to intentionally invest in mechanisms that would protect the data they collect from users.