Cyber Black Market: What You Wouldn’t Think a Hacker Wants

It is not difficult to understand the value of stolen bank accounts, credit cards, and social security numbers to cybercriminals. Each of those items is a piece of the average person’s financial life, and the fact that they can easily translate to profits in the hands of sellers on the cyber black market should come as little surprise. What many may find alarming is that these items are far from the only pieces of data that can be sold for money.

In our Black Market Report, the Armor Threat Resistance Unit (TRU) discovered that while U.S. credit card numbers could sell for as little as $7, other less obvious personal data can be just as profitable, if not more. One of the biggest examples of this is online accounts. As our world has grown more digitally connected, the size of our digital footprints has grown exponentially. Social media accounts, credentials for ecommerce sites such as Amazon, logins for various video game services like Xbox Live, and much more can be used by cybercriminals to commit fraud or be sold outright on underground markets.

Just another market

Like all markets, the cyber underground is governed by the forces of supply and demand. In many ways, the cyber underground is no different than any other marketplace you and I are used to. Sellers use marketing to get the word out about their products and how to get them.

Sales and support personnel interact with customers to get the product into the customer’s hands, help them use it, and make sure they are happy with the services – even going as far as asking satisfied customers to provide a testimonial. The sellers with the most accolades build reputations as vendors that can be trusted.

Perhaps the biggest difference is the illicit nature of the products being sold. The greater the demand for an item and the lower the supply, the higher the price, which explains why credit card information for users from certain countries is priced higher than for others. For example, credit card data from Australian victims was seen selling for $25 or more during the period covered by the Black Market Report, while the same data from victims in the U.S. was selling for under $10.

Why would a hacker want that?

Some of the most profitable and sought-after items in the black market are social media credentials, rewards points, and fake documents, such as IDs, passports, and utility bill templates. Whether it’s to forge a new identity, steal money or carry out a cyberattack, each of these has a purpose and price in the underground.

All of the aforementioned items have one thing in common: acquiring them can be the first step in larger attacks. Social media accounts, for example, are valuable to hackers because they provide insight into a person’s life and behavior, allowing the threat actor to impersonate an individual and carry out phishing or spam campaigns, or worse, commit identity fraud.

However, most of what our researchers see in the cyber underground regarding social media accounts is offers to brute-force accounts or to supply large numbers of fake accounts, as opposed to sales of real accounts that have already been hacked. When the sale of compromised accounts does occur, prices can vary depending on how many accounts are packaged together. Tools that enable the compromise of social media accounts are sold on the underground as well.

The amount of security associated with these accounts fluctuates based on what data or business they are associated with and the diligence of the companies and customers in securing them. The more data tied to the account that an attacker can use to assume a victim’s identity or gather bits of personally identifiable information (PII), such as a birthday, place of residence or even credit card details, the more valuable it is to the threat actor to either sell or use for other purposes.

Fake documents: $10-$2,000

Tidbits of data such as birth dates and addresses can be used to create false documents. Documents of all types – green cards, insurance, passports, driver’s licenses, social security cards, etc. – are a hot commodity on the black market. These types of items can be used to perpetrate identity theft and multiple types of fraud. Packets of document templates for creating everything from fake utility bills and bank statements to driver’s licenses and social security cards were being offered for $50. Just like with credit cards, the prices of forged documents tend to vary depending on the country of origin. Armed with a stolen identity, criminals can potentially open bank accounts, acquire credit cards, and even pose as that person to travel across borders unrecognized.

Hotel and airline rewards points: $34.99-$198.88

Hiding one’s travel plans can be made even easier with stolen rewards points. While these points are intended to be used by legitimate customers who have spent time and money to obtain discounts on flights and hotel stays, black market vendors are selling them for less than an average flight ticket or one-night hotel stay. A compromised airline rewards points account, for example, can be sold outright or used by underground travel agencies to book trips for unscrupulous passengers. With enough accounts of the right type, these underground travel agencies offer full travel services, including airfare and hotel rooms.

The allure of these points to vendors is simply that they’re in demand. Buyers are willing to pay for hotel and travel packages, so cybercriminals are willing to steal and sell the information requested. Pricing for these points varies based on the airline, country and number of redeemable points.

How they’re stealing accounts

Many accounts are compromised via credential-stealing malware or phishing attacks where victims are tricked into giving up their usernames and passwords. These attacks can take several forms, from drive-by downloads to more targeted malware attacks aimed at a particular company or victim. Once an account is compromised, attackers can analyze and monitor the account to identify the usefulness of the data and the usage patterns of the legitimate account owner.

When they find an account that is not used often and/or has particularly useful data, the account can become a prime target for an account takeover (ATO). At that point, the attackers will move quickly to change the communication details associated with the account to ensure that the legitimate owner does not receive notifications about their activity. From there, the attacker could use the account to launch other attacks such as spam and phishing campaigns or impersonate the victim as part of a more complex scheme.
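One way defenders can look for the takeover pattern described above, as an added example that is not from the Black Market Report or Armor's own tooling: the sketch flags contact-detail changes made shortly after a login that ends a long period of inactivity. The event names, thresholds and sample log are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds (not from the article); tune them to your own user base.
DORMANT_AFTER = timedelta(days=90)   # inactivity gap that marks a rarely used account
CHANGE_WINDOW = timedelta(hours=1)   # how soon after login a contact change is suspicious
# Hypothetical event names for changes that cut the owner off from notifications.
CONTACT_EVENTS = {"email_changed", "phone_changed", "notifications_disabled"}

# Constructed sample events: (ISO timestamp, account, event type).
SAMPLE_EVENTS = [
    ("2024-01-05T02:00:00", "alice", "login"),
    ("2024-05-20T03:12:00", "alice", "login"),          # first login after 136 days
    ("2024-05-20T03:15:00", "alice", "email_changed"),  # three minutes later
    ("2024-05-18T10:00:00", "bob", "login"),
    ("2024-05-20T10:00:00", "bob", "login"),
    ("2024-05-20T10:05:00", "bob", "email_changed"),    # active user, routine change
    ("2024-02-01T08:00:00", "carol", "login"),
    ("2024-05-21T08:00:00", "carol", "login"),          # dormant account wakes up
    ("2024-05-23T08:00:00", "carol", "phone_changed"),  # two days later, outside window
]


def find_ato_candidates(events, dormant_after=DORMANT_AFTER, change_window=CHANGE_WINDOW):
    """Flag contact-detail changes made soon after a login that ended a long idle period."""
    last_seen = {}   # account -> timestamp of its most recent event
    woke_up = {}     # account -> (login time, idle period that login ended)
    alerts = []
    parsed = sorted((datetime.fromisoformat(ts), acct, kind) for ts, acct, kind in events)
    for when, acct, kind in parsed:
        previous = last_seen.get(acct)
        if kind == "login" and previous is not None and when - previous >= dormant_after:
            woke_up[acct] = (when, when - previous)
        elif kind in CONTACT_EVENTS and acct in woke_up:
            login_time, idle = woke_up[acct]
            if when - login_time <= change_window:
                alerts.append({
                    "account": acct,
                    "event": kind,
                    "idle_days": idle.days,
                    "minutes_after_login": (when - login_time).total_seconds() / 60,
                })
        last_seen[acct] = when
    return alerts


if __name__ == "__main__":
    for alert in find_ato_candidates(SAMPLE_EVENTS):
        print(alert)
```

An alert from this check is a reason to hold the change and confirm it through the previously registered contact channel, not proof of compromise.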

A specific type of account takeover, known as a Business Email Compromise (BEC) scam, involves attackers using malware or phishing to compromise a business executive’s email account. At that point, the threat actor will attempt to use the account to fraudulently request invoice payments or wire transfers to bank accounts they control.

Knowing what to look for and remaining up to date on the types of threats facing individuals and enterprises will help thwart an attacker’s plan to steal your identity or con you into giving them money or additional information. In the end, any piece of personally identifiable information can have value to cybercriminals and should be safeguarded with a mix of security tools and vigilance.
