The growth of Web 2.0 services and the parallel growth of cybercrime are driving up the prices criminals charge each other for user credentials. The price of a file of user credentials, known as a ‘dump’ in hacking circles, depends on the Internet service(s) where they can be used, Amichai Shulman, CTO of Imperva, told Help Net Security.
“Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters,” he said. “Today, however, there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the ‘popularity’ of the account in question,” the Imperva CTO told Help Net Security.
This is illustrated by the ‘going rate’ of $1.50 for a Hotmail account and $80-plus for a Gmail account. As a service, Hotmail has fallen out of favor, while Gmail’s all-round flexibility means it is a central service for business users, Mr. Shulman said. This means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and AdWords accounts. Mr. Shulman explained that Google Docs can contain valuable additional information on the legitimate owner, while an AdWords account can allow criminals to manipulate existing and trusted search engine results.
And it is a similar story with Twitter accounts, but with the added dimension of the immediacy of a social networking connection, said Mr. Shulman. “Twitter accounts are so valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said. What is happening is that users are re-using passwords they have already used on other sites, and some of those other sites turn out not to have been secure.
That is the core of the problem: as soon as any of the sites you log in to is compromised, the email address or username and password associated with it can be tried by the attacker on other services. Since most people re-use passwords, there is a high likelihood that the attacker will gain access to your accounts there, and the damage they can then cause is open-ended; if you are lucky, you will notice something is amiss. Twitter advised that people are continuing to use the same email address and password (or a variant) on multiple sites, and strongly suggested that users choose a different password for each service they sign up for.
In a related article, Trusteer reports that most online banking customers reuse their login credentials on non-financial and much less secure websites. Trusteer found that 73 percent of bank customers use their online banking password to access other websites, and that 47 percent use both their online banking user ID and password to log in elsewhere on the Internet.
Cybercriminals are exploiting this widespread reuse of online banking credentials. They have devised various methods to harvest login credentials from less secure sources, such as webmail and social networking sites; once acquired, the usernames and passwords are tested on financial services sites to commit fraud.
The report’s key findings include:
- 73% of users share the password they use for online banking with at least one non-financial website.
- 47% of users share both their user ID and password with at least one non-financial website.
- When a bank allows users to choose their own user ID, 65% of users share that ID with non-financial websites.
- When a bank chooses the user ID for its customers, 42% use the bank-issued user ID with at least one other website.
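As an added example (not code from the article, Imperva or Trusteer), the following Python shows the defender's side of the reuse problem described above: a bank that obtains a credential dump taken from a breached non-financial site can check offline which of its customers reused their banking password, or their bank user ID, on that site, and force-reset those accounts before the criminals get round to testing them. The dump lines, the accounts, the passwords and the PBKDF2-HMAC-SHA256 storage format are all constructed assumptions for this example, not data from the article.

```python
"""Cross-check a leaked credential dump against a bank's own user store.

Added example, not from the article, Imperva or Trusteer. It models the
defender's response to the attack the article describes: credentials
stolen from a less secure site are tried against a financial service, so
the bank instead verifies, offline and against its own salted hashes,
which customers reused a banking password or bank user ID on the
breached site. All data below is constructed for the example.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption for the example: the bank stores PBKDF2-HMAC-SHA256 hashes.
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class BankAccount:
    user_id: str
    email: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password under the bank's scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_account(user_id: str, email: str, password: str) -> BankAccount:
    """Create a constructed account record with a fresh random salt."""
    salt = os.urandom(16)
    return BankAccount(user_id, email.lower(), salt, hash_password(password, salt))


def parse_dump(lines):
    """Parse 'identifier:password' dump lines.

    Split on the first ':' only, because passwords may themselves contain
    ':'; skip blank lines and lines with no separator at all.
    """
    creds = []
    for raw in lines:
        line = raw.strip()
        if not line or ":" not in line:
            continue
        ident, password = line.split(":", 1)
        creds.append((ident.strip().lower(), password))
    return creds


def find_reused_credentials(dump_lines, accounts):
    """Return the sorted user IDs whose banking password verifies against a
    dump entry keyed by the account's email address or by its bank user ID
    (the second case covers customers who reused a self-chosen bank ID)."""
    by_email, by_user_id = {}, {}
    for acct in accounts:
        by_email.setdefault(acct.email, []).append(acct)
        by_user_id.setdefault(acct.user_id.lower(), []).append(acct)

    hits = set()
    for ident, password in parse_dump(dump_lines):
        for acct in by_email.get(ident, []) + by_user_id.get(ident, []):
            # Constant-time compare of the recomputed verifier with the stored one.
            if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
                hits.add(acct.user_id)
    return sorted(hits)


# Constructed sample data (not real accounts and not a real leak).
BANK_ACCOUNTS = [
    make_account("cust1001", "alice@example.com", "Summer2010!"),          # reused on the breached site
    make_account("cust1002", "bob@example.com", "correct horse battery"),  # distinct banking password
    make_account("cust1003", "carol@example.com", "qwerty:123"),           # password containing ':'
    make_account("eve_r", "eve@example.net", "Password1"),                 # self-chosen bank ID reused as a forum login
]

LEAKED_DUMP = """\
alice@example.com:Summer2010!
bob@example.com:bob-forum-pass
carol@example.com:qwerty:123
dave@example.com:letmein
eve_r:Password1
# malformed line with no separator
""".splitlines()

if __name__ == "__main__":
    for user_id in find_reused_credentials(LEAKED_DUMP, BANK_ACCOUNTS):
        print(f"force password reset: {user_id}")
```

The check costs one PBKDF2 derivation per candidate pair, which is the point: the bank never stores or compares plaintext, and a dump entry can only be matched against an account whose email or user ID it names, so a large dump does not turn into a brute-force run over the whole customer base.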
“Using stolen credentials remains the easiest way for criminals to bypass the security measures implemented by banks to protect their online applications, so we wanted to see how often users repurpose their financial service usernames and passwords,” said Amit Klein, CTO of Trusteer and head of the company’s research organization. “Our findings were very surprising, and reveal that consumers are not aware, or are choosing to ignore, the security implications of reusing their banking credentials on multiple websites.”
“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” Shulman told Help Net Security.