Personal details originating from different sources, including social media accounts, can cost as little as US$1 in the black market.
Messages from loved one and photos along with a person's name, email address and sometimes, credit card details are being sold for US$1 per account, being even cheaper if bought in bulk.
David Jacoby, a senior security researcher with the global research and analysis team at Kaspersky Lab decided to check exactly how much account details originated from phishing attacks are worth.
Jacoby focused, specifically, on data from popular services, involving things like stolen social media accounts, banking details, remote access to servers or desktops and even data from popular services like Uber, Netflix, Spotify and tons of gaming websites (Steam, PlayStation Network, etc.), dating apps, porn websites.
"The most common way to steal this data is via phishing campaigns or by exploiting a web-related vulnerability such as an SQL injection vulnerability," Jacoby explained in a blog post.
"The password dumps contain an email and password combination for the hacked services, but as we know most people reuse their passwords.
"So, even if a simple website has been hacked, the attackers might get access to accounts on other platforms by using the same email and password combination."
Attacks such as the ones described are not sophisticated but effective. He also explained that the people selling these accounts are likely not the hackers themselves.
In his research, Jacoby found fake passports, driving licenses and ID cards/scans being traded.
"This is where things get a bit more serious – most of the identity papers are not stolen, but they can be used to cause problems in the non-digital world," he explained.
"People can use your identity with a fake ID card to acquire, for example, phone subscriptions, open bank accounts and so on."
Examples of data being sold on black markets and its prices (Kaspersky Lab)
A registered Swedish passport was being sold for US$4,000, with the seller also offering passports for almost all European countries.
But all of this is common knowledge to Jacoby, what caught his attention was finding that stolen or fake invoices and other papers/scans such as utility bills were being sold.
"People actually steal other people’s mail and collect invoices, for example, which are then used to scam other people. They will collect and organize these invoices by industry and country. The vendors then sell these scans as part of a scammer toolbox.
"A scammer can use these scans to target victims in specific countries and even narrow their attacks down to gender, age and industry," Jacoby added.
In the blog post, Jacoby said that he often hear people saying they don't care if their account is accessed because they believe the worst that can happen is having their account shared with a stranger.
"People are generally very naive when it comes to their online identity," he said. "But we need to understand that even if it all looks very innocent, we don’t know what the criminals do with the money they earn.
"What if they are spending it on drugs or guns, which are then sold to teenagers? What if they finance platforms and servers to spread child porn?
"We need to understand that criminals often work together with other criminals, which means that maybe drugs are bought from the money they make from selling stolen Netflix accounts on the black market.
"One of the most alarming things I noticed was how cheap everything was. Just think about the information someone could gather about you if they got access to your Facebook account – there is surely no way you would be okay with someone selling access to parts of your private life for one dollar."