Billions of stolen login credentials are being circulated and sold on dark web forums, according to a new study.
Research conducted by cybersecurity firm Digital Shadows revealed that a staggering 15 billion usernames and passwords are available on the dark web.
Traditionally, the majority of compromised user details are given away for free by cybercriminals. However, researchers said the study underlines both the scale of the problem and the significant prices which certain credentials can be sold for.
On average, stolen consumer credentials are sold for $15.43. Banking credentials and other financial details are considered to be the most valuable consumer information, selling for an average of $70.91 each, while account access for antivirus software garners the second-highest prices at roughly $21.
Accounts for media streaming sites, social media profiles and adult content credentials all trade for “significantly under” $10 on average.
Unsurprisingly, the study revealed that financial and banking credentials account for one-quarter of all the dark web advertisements researchers analysed.
Going after the purse strings
Researchers said that cybercriminals are increasingly targeting revenue streams at a range of organisations. More than two million accounting email addresses were exposed on dark web forums.
“Email addresses with ‘invoice’ or ‘invoices’ were, by far, the most commonly advertised,” the report said.
Access to key systems at big businesses is also being sold for significant sums, with dozens of advertisements offering domain administrator access through auctions.
The average price of domain access was $3,139, the study found, while some were advertised for fees of up to $140,000.
“Privileged accounts, like administrator accounts, are considered extremely valuable in the criminal underworld,” the report stated.
“Not only do they give access to a network, but they feature the highest levels of control and trust, and their permissions are nigh unlimited,” it added.
Ads for domain administrator access were found to include descriptions such as “petrochemical company”, “cybersecurity company” and “big university”.
Vendors also included details on the number of machines featured on a specific network, the number of employees at individual organisations and even the site’s Alexa ranking.
United States-based accounts were among the most frequently advertised on criminal forums and marketplaces, the report found. Accounts in Canada, Australia, the United Kingdom and Germany were also among the most sought after.
Researchers suggested that cybercriminals “very likely perceive North American accounts as being the most profitable” and, as such, proactively seek out or target these credentials.
Staying safe online
The Digital Shadows report noted that multi-factor authentication (MFA) is the “best of a range of imperfect steps” to mitigate risks for both organisations and individuals.
Researchers found that attackers are increasingly bypassing two-factor authentication (2FA), and “not just those that are SMS message based”.
Bill Buchanan OBE, Professor of Cryptography at Edinburgh Napier University, echoed the report’s advice and insisted that passwords as a single form of authentication should be “deprecated from the internet”.
He said: “It is a legacy thing from the days of mainframe computers. Users need to be careful in using services which only have a login and a password as the main authentication method.
“For most of the services I use now, there is normally a second factor that I use to authenticate, and normally through my smart phone. Increasingly it is the mobile phone which is securing the internet.”
Buchanan added: “We thus need to move to a world which uses MFA. It seems obvious that it massively improves security, and recently Microsoft found that 99.9% of the user accounts that were compromised did not use MFA.”