Jun
8
We humans have never been very good at focusing on more than one thing at a time. (Most people who think they can multitask are kidding themselves.) So it’s not surprising that, with the COVID 19 pandemic dominating headlines and exerting uncommon influence over our daily routines, other bits of news may slip right by.
I refer in particular to disturbing news about data for sale on the Dark Web. Take, for instance, a cyber attacked on Italian email service provider Email.it reported by TechRadarPro a few weeks ago. It seems that Email.it …
… suffered a cyber attack that saw the data of over 600,000 users put up for sale on the dark web … data included information such as passwords in plain text, security questions, email content and attachments for users who signed up or used the free email service between 2007 to 2020.
Or, how about this, reported about two weeks ago by WeLifeSecurity:
More than 500,000 Zoom accounts are now up for grabs on hacker forums hosted on the dark web. Some are going for less than a US cent apiece while others are given away for free.
In a statement provided to BleepingComputer, cyber-intelligence company Cybel said that it noticed free Zoom accounts being offered on hacker forums around April 1st as a way for hackers to increase their notoriety. The accounts were posted on text sharing sites where ne’er-do-wells offer lists of email address and password combinations.
Or this, reported about a month ago by Yahoo Finance:
Cybersecurity firm Sixgill … highlighted two devices for sale on the Dark Web, an EMV chip card skimmer and a skimming device to steal credit card information from a gas pump. The “all kind” fuel pump skimmer connects to the pump’s power and can “operate indefinitely,” the post brags. Besides devices that skim people’s data, there’s a lot of data already hacked and ready for use. There’s a trove of data of “bank employees” from a Russian hacker, and a database for sale containing emails from “various staff” at one university.
The marketplace has only grown in volume and breadth since a 2005 McAfee report entitled “The Hidden Data Economy.” “This underground marketplace has evolved to include almost every conceivable cybercrime product for sale or rent,” it said.
Just six months ago, Forbes reported that it was possible to purchase a “$20,000 bank loan for $30.” It gets worse:
Access to a compromised bank account, known as a “bank log” in cybercrime parlance, with a balance of $10,000 (£7,900), could be yours for $25 (£19.75), for example. While personal information packages that enable a criminal to steal the victim’s identity, or “fullz” as they are known, and achieve a promised $20,000 (£15,800) bank loan cash-out were on offer for just $5 (£4) more. If that sounds cheap, fullz packages start at around $4 (£3) as they are seen as a commodity item within these circles.
How much does it cost to purchase illicit, personal financial information on the Dark Web? Not much, it turns out.
VPNoverview.com did some digging and found that you purchase someone’s bank details for $50-200, social media info for $12.99 (Dark Web shoppers, it seems, as are prone as any other to view $12.99 as closer to $12 than to $13), and personal data for $40-200. The site warns,
With basic knowledge of your accounts, it can be much easier for hackers and scammers to steal your identity, but just how much would it cost for them to scam their way into your life? There are programs openly available that will force entry to multiple social media accounts for as cheap as $12.99. Using the information they gain from your social media, they can … sell the account on or transfer available funds … verify themselves as you … purchase items using linked cards … [and] steal personal information from private messages / hidden information.
Moreover, it reports, you can pick up a $2,000 Amazon gift card for $700, a PayPal account with a $12,000 balance for $1,200, and a $7,500 money transfer for a mere $1,125.
Writing for Digital Trends about VPNOverview’s report, technology reporter Anita George commented,
… hackers can also sell access to the breached databases of various companies. And the report actually lists a few companies with breached databases, the costs for access to these databases, and the number of records a person would have access to once they purchased that access …
In an emailed statement sent to Digital Trends, comments from VPNOverview’s cybersecurity analyst, David Jansen, shed a little light on why VPNOverview researched all this in the first place … “Our findings show that thieves and hackers could easily gain access to your most important accounts and spill your information on the dark web, where it is sold for next to nothing and used for all sorts of malicious purposes. The large-scale availability of stolen and counterfeit passports, driver’s licenses, and online accounts leaves us all vulnerable to identity fraud and cybercrime.”
We no longer have the (small) assurance that only the sophisticated cyber criminal can abscond with personal financial information. The above-referenced McAfee report cautions that “current tools, products, and services can allow anyone to become a cybercriminal, regardless of technical ability.” The authors warn against assuming that …
… there exists a hidden doorway into an underground marketplace for nefarious products that is not accessible to us muggles. In reality, this marketplace is not nearly as well hidden as we imagine, and it certainly does not require prior knowledge of a secret public house and its hidden courtyard.
In the economic depression that is all but certain to follow the current pandemic, let’s hope integrity wins out with the vast majority of the desperate masses.
(I would be remiss if I failed to add that TransArmor Personal Data Protection, from my employer Fiserv, lets businesses tokenize data in motion, in use, and at rest, creating a higher level of security for their customers than ever. Click here to read the Fiserv press release.)