Bulk Stolen User Information, Sold At A Bargain in the Deep Web

Personal information for sale? A lot of those ‘merchandise’ are available in the Deep web today. The deep web is the part of the Internet that is not indexed by search engines, as they are behind a login credential, which can only be opened by the exclusive members of the ‘club.’ Deep web cannot be reached by normal browsers, it requires the user to use a TOR-aware browser in order to enter the deep web. That area of the web for decades is known for trading illegal products and services, ranging from illegal drugs, gun for hire and sales of weapons.

However, aggregate user data is a valuable commodity too and freely traded in various Deep web sites at a huge discount. The personally identifiable bulk data sold in deep web usually contains the following:

• Information contained in online dating accounts
• Information contained in social media accounts
• Leaked account information from gaming sites
• Banking information, usually produced from phishing
• User data from online services such as Netflix.

For those engaging with identity theft will have a good shopping experience for personal information of a real-life individual, as the price of a typical single account is a mere $1. In addition, the moment the credential becomes outdated and unusable, the buyer can go back to the same deep web site and demand for a replacement identity.

“It is clear that data hacking is a major threat to us all, and this applies at both an individual and societal level, because stolen data funds many social evils. This can cause huge problems for an individual victim, who may lose money and their reputation, find themselves being chased for a debt that somebody else has incurred in their name, or even suspected of a crime that somebody else has committed using their identity as a cover,” explained Kaspersky Lab Senior Security Researcher, David Jacoby.

Just one leaked online service account may not be a big deal for the true owner of the data, however, the reality is many people use the same username and password across multiple sites. This makes user credential sold earlier usable beyond its primary purpose, as the buyer can retry the user credential in other websites like social media and public forum login.

“With many people using the same password for several accounts, attackers might be able to use this information to access accounts on other platforms too. There are steps we can take to prevent it, including by using cybersecurity software, and being aware of how much data we are giving away for free – particularly on publicly available social media profiles, or to organizations,” concluded Jacoby.

It is not clear in Kaspersky’s report if they were able to determine the source of the bulk user data being sold. But, it is not very hard to realize that only in 2018 alone, how many people fell for phishing and how many services experienced a data breach. If a user has doubts about the privacy of his/her data, it is not a luxury to sign-up for credit monitoring services which will monitor for unauthorized banking transactions under their name. The usual goal of those who pay money to buy bulk user data has something to do with identity theft activities.