How Hackers Make Big Bucks Stealing, Selling Personal Information

Personal information was stolen 30 times a minute in 2016. While people are becoming more aware that failing to properly password-protect access to sensitive digital materials can have severe consequences, many are still in the dark. The damage of having one’s identity stolen or having financial or health records purloined can take months or years to repair. On average, hackers make $40.75 per hour. Working 40 hours each week, that’s nearly $85,000 tax-free per year. These data purchases by hackers happen in the dark web. In this eWEEK slide show, password manager and secure digital vault provider

 explains how hackers make their money and how much stolen data is worth.

Accessed only by using special software that hides the identity of visitors, the dark web is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often have ratings given by previous buyers, and you can even purchase software to set up your own hacking business.

Since 2010, it’s been estimated that hackers have stolen more than $107 billion, with $16 billion of that being in 2016 alone. The rise of ransomware has been a major factor in the level of funds that have been stolen. This is because 70 percent of ransomware victims pay to unlock their device, and this payment can average more than $1,000 (up 266 percent from 2015).

Email addresses provide hackers with a wide variety of opportunities. If criminals obtain access to this information, they can conduct a full email account takeover and push a targeted phishing campaign to the user’s contact list. Although emails are normally connected to other, more valuable accounts, these attacks can be easily discovered and can also be shut down quickly. As such, email addresses and passwords run between 70 cents to $2.30 per credential.

As when buying anything else online, when purchasing stolen credit cards on the dark web, hackers can specify the type of card (Amex, Visa, etc.); the CVVs, or three-digit code on the backs of cards; whether you want associated login and password information; names; expiration dates; credit scores; Social Security numbers; mother’s maiden name; credit limits; date of birth; specific geographies of usage; and so on. The cost varies with the information the buyer wants but averages between $8 to $22 per card. Criminals can click “buy now,” download the stolen goods, and off they go.         

Increasingly, hackers are targeting password-protected online payment service accounts. Unlike with credit cards where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts. Average PayPal credentials can cost hackers $1.50 per login, and, as you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upward of $1,000 for access to accounts with $15,000 or more.

Compared with bank and credit card details, medical records have more permanent information. These contain highly sensitive material about an individual’s health history. As such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims. Like other stolen digital data, the cost of health records is subject to the same supply-demand dynamics as any other traded goods. In fact, a stolen electronic medical record can fetch as little as $100 and up to $1,000 on the dark web.

A lost driver’s license may not appear to be dangerous. But what people might not understand is that a license number is unique and similar to a passport number. These documents come with access to birthdays, addresses and personal characteristics, and they can fetch $20 on the dark web.

While most consumers worry that Social Security numbers are the holy grail, this information is readily available to cyber-criminals and, as such, only cost $1 on the black market. This is because they can only be used in the United States, and while they offer access to the majority of a person’s information, they are not globally acceptable to hackers.

Social media profiles are normally free accounts and do not have any payment information associated. Streaming services, on the other hand, require a monthly fee. When stolen, this gives criminals potential access to credit card or banking information. Spotify and Hulu accounts run on average $2.75, while Netflix login details can reach up to $3.

Incentives for stealing this data and then selling it to the highest bidders will remain in place for the foreseeable future. Perhaps the single best defense for individuals seeking to protect these assets remains high-quality, virtually bullet-proof passwords, and the right security “hygiene” to stop the hackers cold.