A new market for non-financial credentials is emerging in the cybercrime underground, thanks to mass data breaches and phishing attacks exposing billions of usernames, email addresses and passwords in the last two years. But don’t be fooled into believing this data is only being exchanged and sold in the farthest reaches of the Internet. It is available to anyone on open websites and traded in plain sight on social media.
Relying on the fact that many people use the same username+password combination across multiple accounts, cybercriminals are making money by selling stolen credentials. Naturally, verified account credentials command a premium, as they can be more readily used to take over other accounts (for example, to make fraudulent e-commerce purchases), so the business of credential testing services is expanding as well. Other factors also contribute to the price of stolen credentials, including the brand, whether there is a credit card on file in the account, and how easy it is to resell the goods or services. Today, account credentials may sell for as little as $0.20 and as much as $15 USD.
An abundance of stolen account credentials, coupled with the ease with which cybercriminals can obtain them at low cost, is helping to fuel a rise in account takeover attacks. In fact, according to the latest 2018 Identity Fraud Study by Javelin Strategy & Research, account takeover losses more than tripled in the last year to $5.1 billion.
Automated tools, such as ...
*** This is a Security Bloggers Network syndicated blog from RSA Blog authored by Heidi Bleau. Read the original post at: http://www.rsa.com/en-us/blog/2018-02/current-state-cybercrime-2018-account-takeover.html