How do hackers make money from your stolen data?
Cybercriminals will go to great lengths to steal your data – but what do they actually do with your information once they get their hands on it?
In most cases, data theft is financially driven. After stealing your information, bad actors can use a variety of shady channels to monetize your data, including taking out loans and making purchases under your name, holding your data to ransom and selling your data on dark web marketplaces to the highest bidder.
In this article, we’ll show you exactly how hackers steal and monetize your data, and how much it sells for on the black market.
How hackers steal your data
There are many methods hackers can use to steal your data. The following is not an exhaustive list, but it does include some of the most common techniques:
1. Malware
There are many types of malware that can be used to steal your personal information, including keyloggers, info stealers, banking malware and more.
Most strains typically focus on login credentials, credit card information, browser autofill data and cryptocurrency wallets. Certain breeds, such as the infamous Vega Stealer, sniff out specific file types such as PDF, Word, Excel and text files and exfiltrate (transfer the data without authorization) them to a remote command and control server.
Emsisoft Enterprise Security + EDR
Robust and proven endpoint security solution for organizations of all sizes. Start free trialMalware typically spreads via malicious email attachments, malvertising, drive-by downloads and pirated software. You can keep your system safe from malware with a proven antivirus solution like Emsisoft Anti-Malware.
2. Phishing
Phishing is a form of low-tech social engineering in which cybercriminals attempt to extract sensitive information such as login credentials, credit card information and personally identifiable information (PII).
In a typical phishing scam, attackers pose as a reputable company such as Microsoft, Amazon or Netflix and claim there’s an issue with your account. The message encourages you to click on a link where you can supposedly resolve the issue by confirming your password or entering your credit card information. This data is sent directly to the hackers, who can then gain access to your real account and the information stored within.
Phishing attacks are typically delivered via email, but they can also be implemented through social media, text messages and phone calls.
3. Weak passwords
Hackers can also steal your data by cracking the passwords of your online accounts. There are a few ways this can be accomplished:
- Password leaks: When major service providers are hacked, it often results in millions of passwords being leaked, which may be sold or dumped on the web for all to see. Because so many people use the same password for multiple services, attackers can simply use the leaked login credentials to try to gain access to the users’ other accounts. You can check if one of your accounts has been involved in a leak by entering your email address at Have I Been Pwned.
- Brute force attacks: Hackers use purpose-made tools to input every possible combination of characters until the correct password is guessed. The shorter and weaker the password, the quicker it will be cracked by a brute force attack.
- Keyloggers: Attackers use data-stealing malware such as keyloggers to track keyboard input data and steal your passwords.
- Phishing: Hackers use social engineering to get you to willingly divulge your username and password. Phishing attacks can appear very convincing and may be sent from a legitimate account that has been compromised.
- Post-exploitation tools: Some tools are made to harvest passwords and other valuable information stored on systems that have already been compromised. If your system has been compromised (e.g. by malware), an attacker can deploy post-exploitation tools like the infamous Mimikatz to view and steal login credentials that are stored deep within your system.
See this blog post for more advice on how to securely manage your passwords.
4. Unsecured connections
Attackers can also steal your data by preying on unsecured connections such as public Wi-Fi networks. Public Wi-Fi is often unsecured and unencrypted, leaving users vulnerable to a variety of attacks, including:
- Man-in-the-middle attacks: Hackers intercept your data by positioning themselves in the middle of your connection to the public Wi-Fi. Attackers can access any information that passes between you and the websites you visit while connected to the Wi-Fi network, including your passwords and financial data.
- Rogue hotspot: Attackers set up a Wi-Fi access point that resembles a legitimate hotspot, enabling them to eavesdrop on network traffic. Attacks may also be able to use the rogue hotspot to distribute malware or direct you to malicious websites.
How hackers monetize stolen data
Once a hacker has successfully stolen your data, the first step is to inventory it. They comb through your data for valuable information such as your login credentials, financial information, names, phone numbers, addresses and social security number, and organize it in a database. After the data has been collated, hackers have a variety of ways to monetize it.
Use the data themselves
In some cases, hackers may monetize your stolen data by using it themselves to make purchases or commit fraud. This is relatively rare as committing fraud is much more likely to attract the attention of authorities than anonymously selling large batches of data online. Nevertheless, it does happen.
Attackers can use your stolen data to:
- Purchase items online
- Extract money from your bank account
- Apply for bank loans
- Apply for credit cards
- Make fraudulent health insurance claims
- Pay off debt
- Request money from your contacts using your email and social media accounts
Sell your login credentials
Usernames and passwords are often sold in bulk on the dark web. Buyers may use your login credentials to transfer money from your bank account, make online purchases and access various paid services.
Here’s how much your account credentials typically sell for, according to a Symantec report on the underground economy:
- Gaming platform accounts: $0.50-$12
- Video and music streaming accounts: $0.10-$2
- Cloud service accounts: $5-$10
- Online banking accounts: 0.5%-10% of the account’s value
Sell PII to buyers on the black market
Hackers commonly sell PII on underground marketplaces that are accessible on the dark web. Typically, PII will be sold in bulk batches. The more recently the data has been stolen, the more valuable it is.
Here’s how much your data is worth:
- Name, social security number and date of birth: $0.10-$1.50
- Medical notes and prescriptions: $15-$20
- ID/passport scans or templates: $1-$35
- Mobile phone online account: $15-$25
- Full ID packages (name, address, phone, SSN, email, bank account): $30-$100.
- It might not sound like a lot of money, but it’s important to remember that data is often sold in enormous batches. Attackers who are able to successfully breach a major company can sometimes walk away with the data of millions of users, which can collectively be sold for big bucks. In 2019, the hacker behind the Canva data breach put up for sale on the dark web the data of 932 million users, which he stole from 44 companies.
Sell your credit card information
Attackers will usually sell your credit card information in large bundles of hundreds or even thousands of stolen credit cards. This data is often purchased by “carders”, who try to avoid fraud detection by purchasing gift cards and using them to buy physical items, which may then be sold on the dark web as well as through legitimate channels such as eBay or Craigslist.
How much do hackers sell your credit card information for?
- Single credit card: $0.50-$20
- Single credit with full details: $1-$45
Hold your data to ransom
Some types of ransomware have data exfiltration functionality, which enables hackers to not only encrypt your data but also steal it via a range of channels, including FTP, HTTP, HTTPS, SSL/TLS and more.
Attackers can use your stolen data as extra leverage to encourage you to pay the ransom (the average is a whopping $84,000) and sell your PII on the black market for extra pocket money.
Sell valuable intellectual property
It’s not uncommon for hackers to launch attacks on large corporations and sell the stolen data to companies in developing nations. These are typically highly sophisticated, nation-sponsored attacks and can be incredibly lucrative for both the hackers and the country funding the attack. Chinese intellectual property theft is estimated to cost the U.S. economy $50 billion a year.
How data theft can impact victims
Being the victim of data theft can have significant repercussions. In the short-term, you’ll have to go through the time-consuming process of securing your compromised accounts, reversing fraudulent purchases and replacing stolen credit cards.
These are annoying but not life-changing effects. However, there can also be longer-lasting consequences.
For example, if your social security number is stolen and used for fraudulent activity, it could potentially impact your credit history and credit score. Undoing the damage can be very difficult, and may prevent you from making loan applications, purchasing a home or renting property. In addition, if your work-related accounts are used to deliver malware or phishing attacks, you may damage your professional reputation, cause business loss or have to face disciplinary action from superiors.
Conclusion
Data theft is usually financially driven. There are many ways for cybercriminals to get their hands on your personal data, including malware, phishing, password cracking and man-in-the-middle attacks. Once they have obtained your data, they may use it themselves to commit fraud, or they may sell it in bulk on the dark web.