Every day, you log in to your email and your social media accounts to interact with your friends, family, and coworkers online. Perhaps less frequently, you log in to your favorite e-commerce platform, or your bank account to check the ebbs and flows of your funds. And every once in a while, you input your social security number, credit card information, and your mother’s maiden name into those sites.
And all of this information, in the hands of the right hacker, can be bundled up and sold in packages on the online black market. While you might not be surprised at the notion that people are willing to pay for personal information, you might be a bit taken aback at how much social-media activity is worth.
Social media data is just the tip of the iceberg
Earlier this week, Reuters spotlighted an important trend in cyber-hacking, which utilized the sophisticated online virus Zeus — developed to lift critical credit card data — to create bogus “Likes” on Instagram. The article claims that fake buzz on Instagram could be worth up to five times as much as a bundle of credit card numbers in internet hacker forums.
That number piqued my interest. It’s interesting to imagine hacker forums like a menu at a fast food restaurant, with certain “premium” items and lesser, dollar-menu data. Does social media reign supreme? What’s the most expensive thing a hacker can sell about its victims?
How much is your data really worth?
I contacted the people behind those numbers, the cyber security experts at RSA, the security division of EMC, to give me ballpark pricing on some of our most common and valuable pieces of online information. While Idan Aharoni, Head of RSA Cyber Intelligence, would not disclose how he and his team gather the prices of our most important online information, he assured me that the sources are as invisible and seedy as I expected them to be.
“Our team monitors the major online channels of the fraud underground including deep web venues where criminals and blackhats exchange knowledge, offer tools and fraud-related services and trade compromised information,” Aharoni said. ”As part of that process, we regularly view data that helps us identify trends like this within the cyber underground.”
Price comparisons for stolen data
So what social media platform is the most valuable? While Aharoni indicated that while it’s difficult to make apples to apples comparisons between them, Twitter remains on top. If you’re in the market for followers, 10,000 followers cost about $15 and 100,000 followers can go for around $115. Facebook isn’t too far behind, with 1,000 “Likes” going for $15, up to 10,000 likes for $100. These packages are more expensive than a pack of 1,000 credit card numbers, which can cost only $6.
“Based on what we’ve been seeing lately, while the financial fraud is still the main goal of many hackers, there is an increased interest in social media accounts,” Aharoni said. “Interesting, but not surprising — cybercriminals go where the money is and if they can make money by selling social media followers and ‘Likes’, we’ll definitely see some of them move in that direction.”
The most expensive is just four data points or less
But financial information still remains the most valuable over time. Aharoni said that one of the most expensive commodities is a package of “fulls” — a single package with a victim’s credit card number, social security number, expiration date and mother’s maiden name — that can be $4 to $5 per victim. These are so expensive because they can earn a big “cashout,” particularly because the purchasing fraudster can take a single full and open multiple credit lines or loans in addition to maxing out a credit card. Another expensive item is access to a full bank account, which goes on the black market for 5 percent to 10 percent of its total balance.
However, as with any economy, there are subtle differences and caveats to pricing of similar items. As further detailed in a blog post by RSA, prices can ebb and flow depending on how easy a “cashout” can be, how common a particular piece of information (like numbers related to a certain credit card brand or bank) can be obtained, and other factors contribute to prices of packages. Platinum cards and high balances, of course, are always king.
So think twice before you click that suspect email or give your credit card number on a fishy website. Someone could buy your information for less than a dollar.