While some folks may consider a trip to the local Woolworths for a week’s groceries a good shopping trip, criminals on the dark web have a rather darker take on what makes a good trip to the shops.
Cyber security firm NordVPN and threat exposure company NordStellar conducted a sweep of more than 75,000 dark web market listings and found a raft of Australian personal data for sale, including payment cards and media streaming accounts, all going for bargain prices.
An Aussie credit card could cost just US$10, while a Netflix account can often be found for less than US$5.
And if you, as an enterprising scammer, want to purchase a “complete identity package”, all it will set you back is US$200 – that’s just shy of $280 in Australian dollars.
“Every online account you own has a price tag on the dark web,” Marijus Briedis, chief technology officer (CTO) at NordVPN, said in a 21 April statement.
“Your streaming subscriptions, your email, your bank login, your social media profiles. Most people would be shocked at how little it costs a criminal to buy their entire digital identity.”
The market decides
Personal data ranges in cost depending on the source of the data being sold. Cards and other identity-based documents from Singapore or Japan, where data theft is less common, cost more. But data from countries such as Australia and the US, where data is commonly compromised by data breaches and ransomware attacks, is cheaper.
The average Australian payment card costs US$10, much the same as US cards, while passport scans cost around US$32 and driver’s licenses just US$39.
But it’s what hackers call “fullz” that usually garner the highest prices. Sold either singly or in massive, curated collections, these feature enough identity documents belonging to one individual that it is entirely possible to steal their identity.
Just one such set, for an Australian individual, costs about US$200. This set would include Tax File Number, date of birth, and address at least, and quite often much more personally identifiable information (PII) as well.
By comparison, a set of US fullz data costs six times less, suggesting complete sets of Australian data are harder to find on the dark web, and thus much more valuable.
Social media accounts are also valuable. Compromised Facebook accounts make up 40 per cent of all social media accounts sold on the dark web, with an average cost of around US$38. Just one Facebook account can lead to the compromise of business pages, advertising tools, and Instagram accounts.
TikTok accounts go for US$60, and Snapchat accounts for US$34.50.
Crypto exchange accounts, however, are considered a jackpot. These often cost in excess of US$100, with Binance accounts costing up to US$160. While a credit card often needs to be laundered first, a compromised crypto account may provide direct access to actual crypto funds, there for the taking.
Bad for business
While personal data, such as email accounts, can be cheap as chips on dark web marketplaces, it’s work emails and data that cost a premium.
A single stolen Australian Office 365 account could cost US$26.50. During the dark web audit, NordVPN found 227 Australian corporate email listings.
Each one could lead to the compromise of an entire business. Initial access brokers’ entire business is to take such data and create a foothold inside an organisation, which is then sold to hackers, such as ransomware actors.
“Most people think of identity theft as something that either won’t happen to them or something they’ll notice when it does,” Briedis said.
“The reality is that your data could already be for sale, and you’d have no way of knowing unless you actively check.”
David Hollingworth