Woburn, MA – December 1, 2020 – Kaspersky researchers dug into the dark web to find out the sale price for users’ private information online, finding that a driver’s license can cost as little as $5 and credit card details start around $6. Such information can be used for financial gain or for doxing, which is the public de-anonymization of a person online.
Even though people’s awareness of privacy issues is rising, most of us still only have a general understanding of why it matters, with 37% of millennials thinking that they are too boring to be the victim of cybercrime. Doxing shows why this is not the case, with the potential to affect any user who is vocal online or does not conform to subjective standards of other users.
Doxing occurs when a person shares private information about another person, without their consent, in order to embarrass, hurt or otherwise put the target in danger. Users typically do not expect personal information to leak out into the public domain, and even if it does, do not anticipate the kind of harm it might do. But doxing can even involve the hacking of the target’s accounts.
To get a better understading of how users’ personal information can be used in the wrong hands, Kaspersky researchers analyzed active offers on 10 international darknet forums and marketplaces. The research found that access to personal data can start as low as 50 cents for an ID, depending on the depth and breadth of the data offered. Some personal information remains as in-demand as it was almost a decade ago. Credit card data, banking and e-payment service access have seen their respective prices unchanged in recent years.
The price range in USD for different types of data identified as a result of analysis of offers on the dark market forums
However, new types of data have also emerged. This now includes personal medical records and selfies with personal identification documents, which cost up to $40. The growth in the number of photos with documents in hand and schemes using them also reflects a trend in the cybergoods game. Abuse of this data potentially results in significant consequences, such as identity theft.
Consequences of abuse of other types of personal data are also significant. Data sold on the dark market can be used for extortion, execution of scams and phishing schemes, and direct theft of money. Certain types of data, such as access to personal accounts or password databases, can be also be abused for reputational harm and other types of social damage, including doxing.
“In the past few years many areas of our lives have become digitized – and some of them, such us our health, for instance, are especially private,” Dmitry Galov, security researcher at Kaspersky’s GReAT. “As we see by the increasing number of leaks, this leads to more risks for users. However, there are positive developments too – many organizations are taking extra steps to secure their users’ data. Social media platforms have made especially significant progress in this regard as it is much harder now to steal an account of a specific user. That said, I believe our research highlights how important it is to be aware that your data is in fact in demand and can be used for malicious purposes even if you do not especially have lots of money, do not voice controversial opinions and are generally not very active online.”
“The internet has given us an opportunity to express our individualities and share our stories and that is fantastic,” said Vladislav Tushkanov, privacy expert at Kaspersky. “Yet, one has to understand that being and expressing yourself online is not exactly a private endeavor – it is more like shouting on a crowded street and you never know who might come your way, disagree with you and how they might react. With this, comes risks. This does not mean that we should all delete and close our social media accounts, of course. It is all about understanding potential consequences and risks and being prepared for them. The best course of action when it comes to your data is this: know what they know, remove what you can and take control of what information about you goes online. It is that simple, but does require effort.”
Read the full Dox, steal, reveal. Where does your personal data end up? report to learn more about doxing practices and data abuse on Securelist.
To minimize the risks of having your personal information stolen, Kaspersky recommends:
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 270,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com.
Sawyer Van Horn