Stolen Twitter accounts now fetch more than credit cards on the cybercrime black market, according to a new report released by the RAND Corporation. The report is the first in a series commissioned by Juniper Networks.
The black market for stolen credit card data isn't what it used to be.
According to RAND, that's hackonomics at work: The plunge in the sale value of credit card data among criminal data dealers is due, in large part, to huge data breaches such as the recent Target hack.
The report, published Monday, used Twitter accounts as an example of how the yield of a black market product influences its price.
Immediately after a large breach, freshly acquired credit cards command a higher price -- as there is greater possibility for the credit cards to still be active.
But after time, prices fall because the market becomes flooded -- e.g., the Target case (Kirk, 2014) -- leveling off as the data becomes stale, or if there has been significant time since the last breach.
Within days, the customer data -- including home addresses and login information -- appeared for sale on black-market sites. What began as a reported range of $20–$135 per account plummeted to $0.75/record.
Juniper Networks employee Michael Callahan explained that social media accounts are now becoming more valuable than the cash cow of yore, credit cards.
He elaborated on the RAND report's findings, saying, "Although prices range widely, RAND found hacked accounts can be worth anywhere from $16 to $325+ depending on the account type."
Twitter accounts have become high-yield on the black market for both the access the account provides to a user's other accounts, and the increased value of a "real" account to spammers.
Given the number of people that tend to use the same username and passwords, hacking one account can often yield other valuable information such as online banking or e-commerce accounts.
By stealing Joe Smith’s account information on one site, the criminal might gain access to his information on 10 sites.
(…) An individual’s stolen account information can be used to spear-phish the accounts of friends, family and co-workers for additional financial gain.
Callahan explained the usual cautions against social media account loss and exploitation, including password variety across different sites, not clicking on strange or unexpected links, and monitoring accounts closely for fraud.
However, I'd also add a review of accounts attached to your social media accounts (like Twitter and Facebook) to your checklist. This is something you can do right away -- cautious employers, tell your employees to do this as well.
Many of us have allowed any number of apps to connect to our social media accounts. Quickly check the apps in each social media account, and remove any that are not in use.
These apps have a lot of permissions to access our account's information and functions; some they need, and many they don't. These apps are often built quickly, and usually have terrible security. In addition, apps get sold, and get hacked -- so you may not know what's going on with all those apps.
RAND's report is not without its criticisms. While RAND had access to experts within law enforcement (as well as other handpicked experts), the report did not appear to give equal representation to the other side of that equation -- criminal hackers, their fences, and most importantly, the buyers.