What your hacked account is worth on the Dark Web

Next time you sign up for a new website and it asks for a password, or your favourite social media site nags you for a phone number, or a site you use every day pesters you to set up two-factor authentication, take a pause.

What’s going through your mind?

Are you getting ready to jump at the chance to tighten up your security? Itching to drum up another impenetrable 14 character password? Reaching for your password manager? Pulling out your phone ready to read the soon-to-arrive verification code?

Hey, you’re a Naked Security reader so perhaps you are.

But what about the next person? Many of them won’t be doing any of those things. They’ll pass up 2FA and stick with their go-to password of 123456 or qwerty, even though they know what a strong password looks like.

They’ll do it and stay safe, in their own mind at least, because Elliot Alderson and his ilk aren’t interested in their Netflix account.

Hackers in popular culture are ideological, FBI-dodging cyber-swordsmen who penetrate the armour of sophisticated adversaries using precise rapier thrusts.

The problem (of course) is that real life is messy, dull and rarely telegenic. In the real world we have to worry about real criminals who aren’t carrying rapiers and aren’t interested in kudos or ideology.

The adversaries we have to worry about when we’re choosing our Twitter or eBay passwords are in it for the money and their approach isn’t so much cyber-fencing as carpet bombing – it’s untargeted and it doesn’t matter who gets hit because it’s “how many?” that matters.

Our accounts aren’t compromised one by one, they’re cracked en masse or exfiltrated in the millions and then bought and sold online.

According to account monitoring company LogDog, who recently took a fresh look at this burgeoning part of the underground economy, it’s such a lucrative trade that there are Dark Web sites selling nothing but logins, not even credit cards.

There are now stores completely dedicated to selling only online accounts, without even offering credit cards for sale. Fraudsters, it appears, have discovered the financial potential in targeting various online services instead of just banks and credit card issuers.

As you’d expect in any marketplace, prices fluctuate based on supply and demand, and the value that criminals can extract from the accounts they buy. But everything has a price:

While PayPal has, and still dominates … it is now possible to find Amazon, Uber, eBay, Netflix, Twitter, Dell and many more … Any account that can generate fraudsters money, or even help them receive a service for free, has a demand in the cyber underground.

…Uber, for example, are sought after by fraudsters simply because they provide “free taxi rides”. Demand for adult entertainment accounts is high due to interest for self-consumption.

…eBay and Amazon are sought after … to steal money or credits from these accounts … Compromised dating site accounts are also often exploited for romance scams.

And here, according to LogDog’s research, is what your account is currently worth on the Dark Web:

Service Min. Price Max. Price
Brazzers $1
Yahoo 70c $1.20
Gmail 70c $1.20
Dell 80c $2
Uber $1 $2
Netflix $1 $2
Walmart $2.50
Twitter 10c $3
Mate1 Premium $4
Amazon 70c $6
eBay $2 $10
eHarmony $10
PayPal $1 $80

How to get through college with your data unscathed

College is a challenging, but rewarding time of our lives. But it’s also a time when youngsters can be reckless more frequently.

To make sure that your digital life doesn’t take a hit, here’s a useful checklist of what you should have in place:

  • Data backups (yes, that’s more than one)
  • Strong passwords (never reused)
  • Avoiding online piracy (not an impossible feat)
  • Strong cyber security awareness (phishers be phishing)
  • Never sharing your credentials
  • Installing software updates as soon as they’re available (or automating them)
  • Using robust security software to protect your data from ransomware and other threats.

Avoid international travel document scams

July 27, 2017
Bridget Small
Consumer Education Specialist, FTC

If you are planning a trip outside the US, you have probably been collecting tips on everything from great restaurants to comfortable walking shoes. Here is our contribution: when you search for information online, you may find official-looking websites that offer travel documents, information and services. But some official-looking sites are copycats — imposters — that can put your money and personal information at risk.

The FTC’s international partners say copycat visa websites are very common. One country’s ambassador said an imposter built a look-alike site with pictures, application forms and frequently asked questions copied from the government’s official site. The imposter site offered visa applications, but charged high fees, including fees for services that were free on the official site.

To avoid a copycat site, get your information about international travel, visas and passports from the U.S. Department of State. Type in a country’s name and you will get:

  • links to consulates and embassies
  • a summary of the travel documents you need
  • important local information

You also can search for travel information on websites from a country’s ministry of foreign affairs or embassy. If you find what you think is an imposter site, please report it to the FTC.

Information Sharing

Information sharing is essential to the protection of critical infrastructure and to furthering cybersecurity for the nation. As the lead federal department for the protection of critical infrastructure and the furthering of cybersecurity, the Department of Homeland Security (DHS) has developed and implemented numerous information sharing programs. Through these programs, DHS develops partnerships and shares substantive information with the private sector, which owns and operates the majority of the nation’s critical infrastructure. DHS also shares information with state, local, tribal, and territorial governments and with international partners, as cybersecurity threat actors are not constrained by geographic boundaries.



Combating Cyber Crime

Today’s world is more interconnected than ever before. Yet, for all its advantages, increased connectivity brings increased risk of theft, fraud, and abuse. As Americans become more reliant on modern technology, we also become more vulnerable to cyberattacks such as corporate security breaches, spear phishing, and social media fraud. Complementary cybersecurity and law enforcement capabilities are critical to safeguarding and securing cyberspace. Law enforcement performs an essential role in achieving our nation’s cybersecurity objectives by investigating a wide range of cyber crimes, from theft and fraud to child exploitation, and apprehending and prosecuting those responsible. The Department of Homeland Security (DHS) works with other federal agencies to conduct high-impact criminal investigations to disrupt and defeat cyber criminals, prioritize the recruitment and training of technical experts, develop standardized methods, and broadly share cyber response best practices and tools. Criminal investigators and network security experts with deep understanding of the technologies malicious actors are using and the specific vulnerabilities they are targeting work to effectively respond to and investigate cyber incidents.

What To Do with That Found USB Stick

I found a USB stick in the street the other day. This is not the first thumb drive I have found, and apparently this is not an unusual event, as some reports indicate that dry cleaners find thousands of them (along with some more unsavory items) each year.

The ability to write malware code onto USB sticks is not a new phenomenon, and the “USB drop” technique is used by some security assessment companies to test staff awareness. There is even a smartly priced commercially available version of a USB onto which one can load customized code.

Curiosity killed the cat, the famous saying goes.
Curiosity may also get your computer infected with malware if you can’t resist it.

It turns out that most people would plug a USB stick they found on the street into their computers and look at what’s on it.

Needless to say, this is WRONG.


Fake Publishers Clearing House scams

by Lisa Lake

Most of us have seen those ads with Publishers Clearing House knocking on someone’s door with balloons and a big check for millions. It’s a life-changing moment marked by joyous tears. Dreams are about to come true.

But the FTC wants to be sure your tears are not sad ones and the dream doesn’t wind up being a nightmare, because scammers are pretending to be Publishers Clearing House and tricking people into sending them money.

Publishers Clearing House and the FTC have both gotten many reports about scammers using the Publishers Clearing House name to deceive people. Scammers call, claiming you’ve won the sweepstakes – but, to collect your prize, you need to send money to pay for so-called fees and taxes.

Paying to collect a prize is a scam. Every time. And scammers like to ask you to send money by Western Union or MoneyGram, or by getting a prepaid card or gift card. Why? Because it’s nearly impossible to trace that money – and you’ll almost never get your money back.

If you think you’ve won a prize, here are a few things to know:

  • Publishers Clearing House will never ask you to pay a fee to collect a prize. In fact, no legit prize promoter will ever charge you to win.
  • If anyone calls asking you to pay for a prize, hang up and report it to the FTC.
  • Never send money to collect a prize. It’s a scam.

And here’s another insider tip: Publishers Clearing House doesn’t call ahead to say you’ve won.

Did you send money to a prize scammer, or know someone who has? Report the loss immediately to the company you paid through (Western Union, MoneyGram, the prepaid or gift card company). And then tell the FTC.

The difference between malware, viruses and ransomware explained

It’s easy to get caught up in cyber security lingo, so we wanted to explain 3 key terms you often hear, so you’ll always know what they mean. Here goes:

Virus = a type of malicious software capable of self-replication. A virus needs human intervention to be run, and it can copy itself into other computer programs, data files, or certain sections of your computer, such as the boot sector of the hard drive. Once this happens, these elements will become infected. Computer viruses are designed to harm computers and information systems and can spread through the Internet, through malicious downloads, infected email attachments, malicious programs, files or documents. Viruses can steal data, destroy information, log keystrokes and more.

Malware = (short for “malicious software”) is an umbrella term that refers to software that is defined by malicious intent. This type of ill-intentioned software can disrupt normal computer operations, harvest confidential information, obtain unauthorized access to computer systems, display unwanted advertising and more.

Ransomware = a type of malware which encrypts all the data on a PC or mobile device, blocking the data owner’s access to it. After the infection happens, the victim receives a message that tells him/her that a certain amount of money must be paid (usually in Bitcoins) in order to get the decryption key. Usually, there is also a time limit for the ransom to be paid. There is no guarantee that, if the victim pays the ransom, he/she will get the decryption key. The most reliable solution is to back up your data in at least 3 different places (for redundancy) and keep those backups up to date, so you don’t lose important progress.

Learn about “SIM swap fraud”, so you can avoid it

This new fraud technique can cause terrible damage to victims. Here’s how it happens:

“SIM Swap is the process of replacing your mobile’s existing SIM card with a new one. SIM swapping is often useful, letting you keep your existing mobile number when you change to a handset requiring a different SIM card type. However, financially-motivated criminals have found a loophole in this process.

Armed with a mobile phone and a blank SIM card, attackers pretend to be the victim when they contact the victim’s telecommunication provider saying the mobile has been stolen. The plan is to get the operator to cancel the existing SIM card, on the victim’s phone, and activate the new SIM on the criminal’s phone.

The window of opportunity starts to close as soon as the SIM Swap victim notices that his/her mobile is no longer working and raises the alarm.

Once texts and calls are rerouted to the fraudster’s handset, the criminals work quickly to reset passwords, locking the victim out of his/her accounts, before authorising bank transactions or securing loans in the victim’s name.”

Hit by ransomware?

Ransomware is a thorny issue for today’s Internet users and it’s spreading like wildfire.

I have friends, acquaintances and relatives who have had their data encrypted. Now they take my advice to do data backups regularly, but they wish they had listened before ransomware hit.

Although the only way to save your data after such an attack is to restore it from a backup, there are a few decryptors that you can use to get your files back and avoid paying the ransom.

However, do keep in mind that some of these decryption tools may become obsolete quite quickly, as cyber criminals keep improving their ransomware and fix the vulnerabilities that allowed data decryption.

Only some ransomware types can be decrypted, but it’s worth a try. Here is the list of existing decryptors: