The value of stolen credentials

The rapid evolution of Web 2.0 services and the parallel world of cybercrime is driving a revolution in the price that criminals charge each other for user credentials.

The price of a file of user credentials – known as a `dump’ in hacking circles – depends greatly on the Internet service(s) where they can be used, says Amichai Shulman, CTO of Imperva.

“Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters,” he said.

“Today, however, there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the `popularity’ of the account in question,” he added.

This is clearly illustrated by the `going rate’ of $1.50 for a Hotmail account, and $80.00-plus for a Gmail account. As a service, Hotmail has fallen out of favour of serious Internet users, while Gmail’s all-round flexibility means it is central service for business users, he went on to say.

According to the Shulman, this means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and Adword accounts.

Google Docs, he explained, can contain valuable additional information on the legitimate owner, while an Adwords account can allow criminals to manipulate existing and trusted search engine results.

And it’s a similar story with Twitter accounts, but with the added dimension of the immediacy of a rapid-fire social networking connection, said Shulman.

This, he went on to say, is almost certainly the reason why some newswires were reporting earlier this week (http://tcrn.ch/cFN21T) that Twitter had blocked the accounts of some users whilst they changed their passwords.

“Twitter accounts are valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said.

“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” he added.

Don't miss