For bank victims of identity theft or account incursion, the cost of compromised data and accounts can be quite significant in terms of time and money. However, for the cybercriminals that are accessing or selling this information, the price may be as cheap as the cost of a large latte and a pastry.
Recent research from Trustwave SpiderLabs found that, “for the price of a Starbuck’s Caramel Frappuccino Grande and a cheese Danish, about $8, a cybercriminal can obtain all the information needed to max out a person’s stolen credit card and possibly steal their identity.”
The research came as a result of a larger study into what cybercriminals charge for stolen financial records.
The team found repositories of financial and identity records along with virtual private network (VPN) and remote desktop access credentials in various darknet markets and uncovered a complicated pricing structure that sees threat actors pricing their information in the same manner as any seller on a legitimate retail site. Prices vary depending upon the country from which the information was stolen and the quality and depth of the content associated with the credentials. However, in many cases, even legitimate financial records can sell for less than $10 apiece, given the glut on the dark market.
“Criminals opt to sell credit card and driver’s license information wholesale instead to quickly cash out and to avoid the time and trouble required to use the assets,” according to the Trustwave SpiderLabs research. “Generally, threat actors’ activity is divided into business fields, someone is digging, attacking, and others are selling data or extracting user information and using it to obtain money. If the hacker or group does not know how to use the stolen information — they sell it.”
Trustwave SpiderLabs found that, in most cases, what is being sold on a forum was previously sold or used by a hacker. So, a buyer may not get first-hand hacked data; and these threat actors do cash out. For example, the FBI’s 2021 Internet Crime Report stated credit card fraud in the U.S. resulted in $172,998,385 in losses, and this only takes into account reported incidents.