High-value financial accounts on sale for £400 on the dark web

Sensitive financial account credentials, valued highly by cyber criminals, make up approximately a quarter of the 15 billion username and password combinations advertised online since 2018.

Highly lucrative and in-demand financial account username and password combinations are being traded for an average of £56 online, including over the dark web, compared with an average price of £12.18 for account credentials.

Bank and financial accounts belonging to supposedly high-quality individuals can trade for upwards of £395, according to research by Digital Shadows.

The number of stolen account credentials represents a 300% surge since 2018, with the 15 billion figure arising from 100,000 breaches. More than five billion of the account details are ‘unique’, meaning they have not been advertised on more than one criminal forum.

“The sheer number of credentials available is staggering and in just over the past 1.5 years, we’ve identified and alerted our customers to some 27 million credentials – which could directly affect them,” said Digital Shadows CISO and VP of strategy Rick Holland.

“Some of these exposed accounts can have (or have access to) incredibly sensitive information. Details exposed from one breach could be re-used to compromise accounts used elsewhere. The message is simple – consumers should use different passwords for every account and organizations should stay ahead of the criminals by tracking where the details of their employees and customers could be compromised.”

The majority of compromised accounts belong to consumers, including usernames and passwords from several services ranging from video and music streaming sites to bank accounts. The latter accounted for 25% of all account credentials advertised.

While financial accounts are the most expensive, some accounts, such as file-sharing or video game accounts, are being sold for less than £1.50. Streaming accounts were the second most popular, comprising 13% of those advertised, followed by VPN accounts at 12%.

US-based accounts were the most frequently advertised, followed by Canadian, Australian, UK and German accounts.

Financial or bank accounts are so expensive, of course, because once they are compromised, cyber criminals have access to the funds in them, plus any sensitive personal information tied to the account.

The price, however, is influenced by several factors, including how much personal information can also be gleaned, while many high-priced accounts also serve as “drop” accounts that can be used in money laundering schemes.

Account takeover has never been easier or cheaper for cyber criminals than it is now, according to Digital Shadows, with a myriad of brute force tools and account checkers available on criminal marketplaces. Alarmingly, these are available for an average of £3.16 and can be deployed without much technical expertise.

Although multi-factor authentication (MFA) can serve as a barrier to hackers, there is evidence that methods to bypass this additional security step are often discussed on forums.

Digital Shadows found evidence in December 2019, for example, that hackers were developing and selling a method to bypass MFA systems. One mechanism being developed was claimed to allow seven to nine out of ten accounts to be accessed without requiring SMS verification and was valued at approximately £4000.

Keumars Afifi-Sabet
Features Editor
