It's not really news that the motivation behind most cybercrime is financial, but many people are surprised by exactly how our data is valued. No single account is worth all that much to a cybercriminal, so stolen accounts are typically sold in bulk. This excellent article by Dancho Danchev from a couple of years ago gives a thorough account of the prices credit card information fetches on the various "carding" sites. Most cards go for less than $15, and some go for less than $2. And yet, undeniably, there is no small amount of interest in stolen credit card data. In short: add up enough accounts and it quickly becomes a big payday.
In light of this, how much interest do you think there would be in a Gmail account that's worth almost $30? Brian Krebs' latest article talks about a tool called Cloudsweeper that will tell users how much their Gmail accounts are worth to criminals. He examined one of his less commonly used email addresses and found that, with the various other online accounts that are linked to it, the account was cumulatively worth $28.90 to a hacker. How do they figure it's worth so much more than a credit card that could have a limit of many thousands of dollars?
In a previous article, Krebs discusses the value of email accounts more generally, measured by which other online accounts they allow access to. Each attached account's credentials were worth at least as much as most credit cards, and it adds up remarkably quickly:
One prominent credential seller in the underground peddles iTunes accounts for $8, and Fedex.com, Continental.com and United.com accounts for USD $6. Groupon.com accounts fetch $5, while $4 buys hacked credentials at registrar and hosting provider Godaddy.com, as well as wireless providers Att.com, Sprint.com, Verizonwireless.com, and Tmobile.com. Active accounts at Facebook and Twitter retail for just $2.50 apiece.
As I’ve noted in previous stories, some crime shops go even lower with their prices for hacked accounts, charging between $1 and $3 for active accounts at dell.com, overstock.com, walmart.com, tesco.com, bestbuy.com and target.com, to name just a few.
Knowing this, consider how zealously you guard your online department store password compared with your credit card data. And conversely, what protections are in place against fraud on that online store compared with your credit card?
Credit card companies have vast anti-fraud departments and are actively on the lookout for unusual purchases made on your account. That same protection doesn't exist for most stores' sites. If your credit card information is saved on your Walmart account and someone uses it, you will most likely have to go to your credit card company to dispute the fraudulent charges, because the store itself is unlikely to have flagged them.
Social networking accounts are valuable simply because they give cybercriminals access to so many other people, which extends their reach. How many people are on your friend list and in your email contacts? Each additional person they can hit is another chance for a few more bucks and a few more contacts, which could lead to a few more bucks and a few more contacts. Lather, rinse, repeat!
This is why it's important to have strong, unique passwords on all your various accounts, and to guard them all zealously. It is also why changes like Yahoo's redistribution of "unused" accounts are so anxiety-inducing: whoever receives a recycled address can request password resets for every service still linked to it. Email accounts are the hub that connects much of your online life, and criminals know this.