Stolen Twitter accounts now fetch more than credit cards on the cybercrime black market, according to a new report released by the RAND Corporation. The report is the first in a series commissioned by Juniper Networks.
"Markets for Cybercrime Tools and Stolen Data: Hacker's Bazaar" explains that a Twitter account now costs more to purchase than a stolen credit card, because Twitter account credentials potentially have a greater yield.
See also: Hackonomics: 'Cyber Black Market' more profitable than illegal drug trade
The black market for stolen credit card data isn't what it used to be.
According to RAND, that's hackonomics at work: the drop in the resale value of credit card data to criminal data dealers is due, in large part, to huge data breaches such as the recent Target hack.
The report, published Monday, used Twitter accounts as an example of how the yield of a black market product influences its price.
Immediately after a large breach, freshly acquired credit cards command a higher price -- as there is greater possibility for the credit cards to still be active.
But after time, prices fall because the market becomes flooded -- e.g., the Target case (Kirk, 2014) -- leveling off as the data becomes stale, or if there has been significant time since the last breach.
The December 2013 breach of retail giant Target saw data from an estimated 40 million credit cards and 70 million user accounts hijacked.
Within days, the customer data -- including home addresses and login information -- appeared for sale on black-market sites. What began as a reported range of $20–$135 per account plummeted to $0.75/record.
Juniper Networks employee Michael Callahan explained that social media accounts are now becoming more valuable than the cash cow of yore, credit cards.
He elaborated on the RAND report's findings saying, "Although prices range widely, RAND found hacked accounts can be worth anywhere from $16 to $325+ depending on the account type."
Twitter accounts have become high-yield on the black market both for the access an account provides to a user's other accounts, and for the increased value of a "real" account to spammers.
Even spam Twitter accounts are worth five times the value of a spam Yahoo account, according to the RAND report's citation "The Role of the Underground Market in Twitter Spam and Abuse" (PDF).
RAND's report says the overall change in social media account value is part of a larger trend in the evolution of the black market for hacks, cracks and data.
Black-market evolution mirrors the normal evolution of a free market, with both innovation and growth.
In the early to mid-2000s, they focused on goods and services surrounding credit card data. Then, they expanded to broker credentials for eCommerce accounts, social media, and beyond.
(…) Prices for credit cards, for example, are falling because the market is flooded with records, and botnets and DDoS capabilities are cheaper because so many more options are available.
The focus of these new options for cash has increasingly become social media accounts because they serve as gateways to so many more valuable things a criminal can harvest.
Callahan elaborated in his post, Why Your Twitter Account May Be More Valuable Than Your Credit Card:
Given the number of people that tend to use the same username and passwords, hacking one account can often yield other valuable information such as online banking or e-commerce accounts.
By stealing Joe Smith’s account information on one site, the criminal might gain access to his information on 10 sites.
(…) An individual’s stolen account information can be used to spear-phish the accounts of friends, family and co-workers for additional financial gain.
Callahan explained the usual cautions against social media account loss and exploitation, including password variety across different sites, not clicking on strange or unexpected links, and monitoring accounts closely for fraud.
However, I'd also add a review of accounts attached to your social media accounts (like Twitter and Facebook) to your checklist. This is something you can do right away -- cautious employers, tell your employees to do this as well.
Many of us have allowed any number of apps to connect to our social media accounts. Quickly check the apps in each social media account, and remove any that are not in use.
These apps have a lot of permissions to access our account's information and functions, some they need, and many they don't. These apps are often built quickly, and usually have terrible security. In addition, apps get sold, and get hacked -- so you may not know what's going on with all those apps.
RAND's report is not without its criticisms. While RAND had access to experts within law enforcement (as well as other handpicked experts), the report doesn't appear to have given equal weight to the other side of that equation -- criminal hackers, their fences, and most importantly, the buyers.
At any rate, it's a good reminder to go turn on Twitter's two-factor authentication. Now!