Once a scammer tricks their victim out of web credentials, credit card details, or online access to a bank account, the details collected are worth plenty by simply selling them on the dark web.
The cybercriminal industry is much like regular businesses; each one specializes in a particular product or service and has no interest in doing “everything”. For example, when a phishing attack successfully yields online credentials to Office 365, in many cases, the credentials are sold by the initial attacker, rather than utilized by them to further launch attacks.
Why? Because it’s a lot easier to make a quick buck and repeat the process using automated tools than to develop a complex multi-step attack campaign.
According to the 2020 Dark Market Report: The New Economy report from security vendor Armor, those stolen details are worth quite a bit on the dark web:
- A credit card in the US can fetch as much as $12. One in the EU is worth as much as $35.
- The value of cloned ATM cards are based on the bank account balance. For example, the ATM card associated with an account worth $10K in it would be worth between $600-800.
- Paypal account credential values follow the account’s balance, with credentials to a $1000 account valued at $100.
- Even social media accounts have value, with Twitter leading the pack at $16 per account
In every case above, the details purchased are used to then be used by the next bad guy. It’s an ecosystem where many cybercriminals have found a way to plug themselves in by simply doing the work of fooling victims into giving up information and then selling it off to the highest bidder.
Phishing attacks remain one of the most prevalent ways attackers steal these details. Teaching user to be vigilant while at work and home (which, for many, is the same place today) is a necessary step using new school Security Awareness Training. Those that undergo training are mindful of the potential harm an email or website can cause and are constantly watching for anything that appears to be abnormal, suspicious, or downright malicious in nature – avoiding the attack and keeping their details secure.