After crashing in 2019, Dark Web markets for stolen credentials rebounded during the first half of 2020, largely due to major shifts in consumer behavior caused by the global pandemic.
According to the latest analysis of Dark Web trade by Top10VPN.com, populations locked down during the pandemic were forced to change their behavior patterns. That has resulted in new kinds of accounts being hacked with the ability to command higher prices.
Hacked accounts for delivery services and physical fitness brands are some of the highest-priced items on the market, with credentials for a compromised Instacart account selling for an average of US$22, Peloton for $18, Postmates for $15, and Amazon for $14.50.
Prior to the pandemic, a combination of massive law enforcement actions and a data glut cratered the price of stolen credentials on the Dark Web.
“Overall, credential prices seem to be falling year over year, with several password databases being sold at the cost of tens of dollars,” observed Fausto Oliveira, a principal security architect at Acceptto, a cybersecurity company in Portland, Ore., focused on cognitive authentication.
“This is partially due to a glut of databases being available for resale in the Dark Web markets,” he told TechNewsWorld.
While there’s still a glut in some brands, a new crop of targets has invigorated the market.
“As the world has moved to a new normal, that new normal is largely digital and remote,” explained Mike Lopez, vice president and general manager for total fraud protection at AppGate, a developer and provider of cloud security and analytics products and services, located in Coral Gables, Fla.
“Activities and tasks that involved individuals leaving their house, such as grocery shopping, are replaced with apps and services,” he told TechNewsWorld.
As the majority of people have been forced to spend more time indoors due to increased social restrictions around the world, consumer behavior has changed significantly, observed Simon Migliano, head of research at Top10VPN.com, the VPN review website that published the index.
“Anyone looking for social interaction, entertainment, keeping fit or even maintaining their mental health has been forced to turn in greater numbers than ever before to online services and apps,” he told TechNewsWorld. “Many new users of these services may be less tech-savvy and fail to keep their new accounts secure.”
For online scammers, those newbies are low-hanging fruit.
“Higher prices for the kinds of accounts opened during lockdown reflect that they are more likely to contain active payment details and fresh personal data, ripe for identity theft,” Migliano said.
The pandemic has forced users to create more online accounts, which increases an individual’s digital attack surface, explained Kacey Clark, a threat researcher for Digital Shadows, a San Francisco-based provider of digital risk protection solutions.
“The criminal ecosystem is likely rich with newly compromised credentials,” she told TechNewsWorld. “The price of credentials is based on many factors, including the freshness of credentials, the perceived value of the account, and the value of a particular subscription.
On the other hand, Migliano pointed out that the glut of streaming accounts, such as Netflix and Hulu, has driven prices down as supply exceeds demand.
According to the Top10VPN report, which compares hacked credential prices from February 2019 with August, compromised Netflix credentials dropped to $6.35 from $10.73, while Hulu fell to $5.43 from $5.01.
Finding the Right Price
Top10VPN noted that of the 25 services making up its Dark Web index, 19 of them are new to the list, which means their credentials weren’t being sold on the Dark Web last year.
That can be contributing to the premium asking prices for hacked accounts for those services, maintained Jason Ortiz, a senior product engineer at Pondurance, a managed detection and response company in Indianapolis.
“Why not try premium prices for premium services?” he asked.
“If nobody buys,” he told TechNewsWorld, “then you can lower the price over time to find the right point. As a seller, you could leave a lot of money on the table if you start out pricing a new product too low.”
Because these brands haven’t been targeted for account theft in the past, they could be vulnerable to attack in the present.
“These are new accounts on the market and most likely have not been targeted for more substantial account theft,” explained James McQuiggan, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“The cybercriminals hope that the organizations, when creating the user account interface, did not implement any multi-factor authentication to strengthen and secure the accounts,” he told TechNewsWorld.
The report also found hacked credentials for a number of health and fitness brands selling at relatively high prices. Daily Yoga ($9.50), Ten Percent Happier ($8.50), Aaptiv ($8.50), and Headspace ($7) accounts were more valuable than those of many streaming services and online stores, it noted.
Migliano maintained that those premium prices are connected to the demographics of the targets.
“Peloton users are likely to have a high income, given that they must purchase a $2,000 bike to use the app,” he said. “This makes them a valuable target for fraud.”
“Similarly,” he continued, “Daily Yoga, Ten Percent Happier, and other wellness brands are also marketed towards those with disposable incomes whose identities could be worth a lot to buyers on the dark web. “
Identity fraud is the primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes, explained Melissa Gaddis, senior director of customer success, Global Fraud Solutions at TransUnion.
“It can have long-term impacts for consumers, such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction,” she told TechNewsWorld.
How to Protect Your Credentials
McQuiggan recommended a number of ways for consumers to protect their credentials so they don’t see them being sold on the Dark Web.
- Use a password manager. This tool will let you keep track of unique and strong passwords for each of your accounts. If an account has security questions, answer the questions incorrectly — correct answers are too easy to guess — and store the incorrect answers in the password manager.
- Use multi-factor or two-factor authentication if it’s available from the application or website. This methodology, while known to be vulnerable in some cases, increases security and reduces the chance of someone who buys the credentials from the Dark Web from being able to access your account easily.
- Avoid accessing your accounts from links inside emails. Cybercriminals can make the emails appear legitimate and provide a link that might look real. Always use the app or a bookmark, and never click the links in the email.
Top10VPN.com added a disclaimer that its report “does not suggest in any shape or form that the companies included or referenced have suffered security breaches.
“Furthermore, we have not purchased any of the credentials being sold on the Dark Web,” the company stated on its website.