How much are you worth on the dark web? Davey reveals the surprising answer, before explaining how to tackle some less than tasty cookies.
Ever wondered how much your stolen data is actually worth? Not to you, but in cold hard cash to the criminals who are buying it? The answer, according to the latest research of dark web marketplace pricing, would appear to be not a lot – and would be in cryptocurrency, not cash. This appears especially true if you’re from the US or the UK.
The dark web, the part of the internet that’s invisible to your average user and mainstream search engines, is home to many criminal marketplaces. Accessible through a Tor (The Onion Router) browser, these occasionally make the news when they get taken down by law enforcement. In January 2021, for example, the world’s largest such marketplace, DarkMarket, was taken offline following an operation that included the FBI, IRS, Europol and the UK National Crime Agency.
But behind the headline-hitting big names there are numerous smaller marketplaces trading in stolen data and, often, drugs and firearms as well. When the biggest gets busted, users will migrate to the one with the next highest trading volume and the broken one is quickly replaced like shark teeth. One recent report in Nature (pcpro.link/319dark1) found that individual marketplaces can appear fragile, but “coordinated user migration guarantees overall systemic resilience”. Resilient indeed, with Bitcoin transactions on the dark market being worth $872 million in 2018, according to some reports I’ve seen. Even with the ongoing success of global law enforcement operations, I’d be very surprised if that number hasn’t jumped the billion-dollar barrier by now – and then some.
Guns and drugs aren’t my thing, unless you’re talking painkillers, but let’s return to my initial question: if you focus on the stolen data, just how much are you worth to these cybercriminal markets? According to research from Comparitech (pcpro.link/319dark2) – which saw researchers analyse the cost of stolen identities, credit cards, bank accounts, PayPal logins and the like from more than 40 marketplaces – the answer is not very much. At least not, as I mentioned above, if you happen to be American or British. Country of origin is just one factor in pricing stolen data, along with the balance of a hacked account, credit limits on payment cards and exactly how much information is wrapped up in any particular “fullz” bundle.
Fullz are full credential bundles and usually contain a minimum of national ID and/or social security numbers (in the US), full name, date of birth, address, phone number, banking details and so on. These are the basis for identity fraud covering everything from account takeovers to loan applications. The cheapest fullz belonged to Americans at an average cost of just $8 per file. Europe, Japan and the UAE were the most expensive at $25 a pop. The UK, incidentally, was among those sitting in second-cheapest territory on $14.
When it came to credit cards, these were far less valuable than hacked PayPal accounts, the researchers found. That said, the price ranges for both are truly gargantuan: stolen credit card data varied between 11 cents and $986, while PayPal accounts ranged from $5 to $1,767. As far as credit cards are concerned, country of origin once again impacts that pricing. And, once more, the US is at the cheap end of the scale with an average of $1.50 and the UK isn’t a lot better at $2.50, while those originating in the EU command an average of $8. The researchers weren’t able to make similar comparisons with PayPal accounts as countries of origin weren’t typically listed.
As Comparitech’s Paul Bischoff points out, the price range of credit cards is down to the detail. “How could a credit card number only be worth 11 cents?” Bischoff asked. Because “it’s only a number”. The more details that come with the number, the more valuable the data is as a whole. To be used in cardholder not present (CNP) transactions, the go-to for credit card fraud, a criminal needs the cardholder’s name, expiry date, card verification value (CVV) number and postcode.
You’d think that credit limits would also make a difference. The median limit for a stolen card comes out as 24 times the cost of that card, while the median for a hacked PayPal account is 32 times the price. Yet the researchers found that while there was a “slight” correlation between credit limit and pricing, there was none at all for credit cards. “It seems paying a higher price for a credit card with a higher limit is not worth it to cybercriminals,” Bischoff said.
What does make a difference is vendor trust, and those offering guarantees (backed up by customer feedback loops) of credit limits with 48-hour replacements for chargebacks can charge a premium price. If you don’t want to become just another product on the dark web, all the usual and oft-repeated cybersecurity basics come into play: strong and unique passwords coupled with two-factor authentication (2FA), be that of the software app or hardware key variety, and avoid SMS-based codes wherever possible.
“Price ranges are gargantuan: stolen credit card data varied between 11 cents and $986”
Pass the cookie ’pon the left-hand side
It came as something of a shock when I had reason to do a quick search on reggae band Musical Youth (don’t ask) and discovered that the fresh-faced 15-year-old singer of Pass the Dutchie is now 53. I wasn’t as shocked when reading a US Cybersecurity and Infrastructure Security Agency (CISA) analysis report on cloud services security to see that 2FA – or multifactor authentication (MFA), if you prefer – isn’t as foolproof as many folk believe. Which isn’t to say it’s a pointless addition to your security armoury, but being aware of potential weaknesses in any cybersecurity resource only serves to strengthen your overall posture.
The alert in question, Analysis Report AR21-013A if you want to look it up, concentrates on strengthening security configurations to better defend against threat actors targeting cloud services. The paragraph that caught my attention was the one headed “Authentication”. It reveals that in one attack, CISA has verified that the hackers involved signed into an account using the correct multifactor authentication code. “In this case,” the analysis said, “CISA believes the threat actors may have used browser cookies to defeat MFA with a pass-the-cookie attack.”
So what’s that exactly? PC Pro readers don’t need an introductory spiel about what browser cookies are, given their positioning within privacy arguments across the past couple of decades. Cookies are a useful thing for the average person browsing the web, not least the ones that keep you signed in while you navigate around a site, keeping track of where you’ve been and, importantly, not asking you to log in every time you move from one page to another. These authentication cookies can, however, also be useful to those who would do you cyber harm.
A pass-the-cookie attack uses the fact that, in order to maintain that seamless movement from page to page without constant re-authentication, the browser cookie is created only after both the login and the 2FA code have been entered correctly. This authentication cookie is, quite literally, the key to the kingdom for that browsing session and rather attractive to a would-be attacker. Get hold of that cookie and they could then ultimately log in to that site as that user on a different browser and system, at their leisure and without having to worry about 2FA or MFA along the way. This kind of session cookie hijacking isn’t new and is part of many, likely most, spyware threats.
These session cookies are stored locally in the target web browser cache. The attacker would need access to that browser, either physically or via a successful malware infection, for the attack to play out. Time is the main factor for success here. Most such cookies will expire within hours, if not minutes, and there are far easier ways (bog-standard phishing/social engineering) to gain access to accounts.
This doesn’t mean that you can safely ignore the pass-the-cookie threat, especially when mitigation is so straightforward. From the user perspective, ensure your browser settings are configured to clear cookies when you close the thing. Oh, and make sure you do close it rather than leave the browser open for weeks on end. I have one acquaintance who only closes his browser when the computer crashes, often, I suspect, because he never closes his browser.
How often you close the browser depends upon your appetite for risk, and your aversion to logging in to accounts. In an ideal and cyber-secure world, it would be after every session: log off of whatever web app is in use and restart the browser. That provides the biggest threat surface reduction, but because security and usability have a very fragile relationship, most people won’t do this. At the very least, close your browser at the end of each day; this won’t give you as much protection but is better than not shutting it down at all.
Of course, as already mentioned, ensuring you follow the basics of good security hygiene further reduces your risk of being caught up in a pass-the-cookie attack. If you limit your potential exposure to malware and keep others locked out of physical access to your device, then session hijacking becomes all but impossible. While re-authorisation is, I admit, a total pain in the arse, you’ll end up far more “butthurt” if you get hacked.
With increasingly large numbers of people working from home, this issue isn’t going away and it requires some serious thinking from organisations about the best way to move forward. The automatic termination of inactive sessions is one method; behaviour-based threat detection solutions are another. More than anything else, though, awareness from both the user and corporate side is essential. Back in 2015, I co-authored an academic paper with the now CISO at Cyjax Threat Intelligence Ian Thornton-Trump entitled Mitigating Cybercrime Through Meaningful Measurement Methodologies.
You can download the paper at pcpro.link/319davey, but the thrust of the thing is that we should focus more on prevention and risk-analysis than attribution. That still stands today and a lack of “any meaningful and consistent measurement methodology” still seems to evade us. Measuring anything to do with cybercrime isn’t an exact science and certainly such quantifications shouldn’t be something that drives security policy at work or otherwise.
This doesn’t mean that attempts to put numbers onto cybercrimes aren’t interesting or informative, otherwise my opening piece about dark web values would have been a waste of typing time. Knowing the low value put on your data should serve to reinforce the fact that there’s so much of it out there, ipso facto data is easily stolen and we all need to be on top of our defensive game.
When it comes to knowing where in the UK is most hit by cybercrime, as another recent analysis (clario.co/blog/cybercrime-hotspots) detailed, it’s harder to accept this is anything other than an interesting diversion. If there’s more cybercrime in Somerset per 1,000 people than Kent, it makes no difference to the measures you should be taking to protect your assets. I fail to see anything concrete, from a cyber intelligence or security posture perspective, to take away from knowing that Northumberland, with a relatively small population of 319,000, has the second worst cybercrime rate on 13.4 victims per 1,000 people, while Kent has a much bigger population, 1.5 million, but far less cybercrime at just 5.8 per 1,000. All it suggests to me is that cider drinkers appear to be less successful in keeping social engineers and hackers away from their data.
And finally…
Being known as someone who writes about cybersecurity and data privacy, I get a lot of email from people asking for help. Quite honestly, I simply don’t have the time to help everyone and maintain my work-life balance. I’ve found one solution to a common question that could save some of that time for you as well: how do you delete your account at x, y or z?
Some places make it easy, others less so, but all take a bit of navigating. Which is where JustDeleteMe (justdeleteme.xyz) comes in. It’s not foolproof, but the website search tool or installed browser extension lets you see how easy (or in some cases impossible) it is to delete an account most anywhere, and includes a direct link to the account-deletion page.