Most savvy Internet shoppers are careful about how they use their credit card info online. But perhaps they should be more worried about their Twitter passwords.
On the Web's black markets, stolen Twitter accounts can actually command a higher price than ill-gotten credit card info, according to a new study by the RAND Corporation. The finding speaks to the rising value of social media and to the glut of stolen credit cards made available by the recent Target hack.
"Black market evolution mirrors the normal evolution of a free market, with both innovation and growth," the study reads. "Prices for credit cards, for example, are falling because the market is flooded with records, and botnets and DDoS capabilities are cheaper because so many more options are available."
According to the report, entitled "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar," the rise of more sophisticated black market networks and hacking tools had already led to an increase in the availability of stolen credit cards online even before the Target hack took place back in December. But once that attack made 40 million additional credit cards available to the market, it created a glut that has led to the current price drop.
Shortly after the cards were made available online, they were priced at $20–$135 per account on various black market sites. Today, cards from the Target attack are selling for $0.75 apiece. According to the report, the cards cost more at first because the sooner they were obtained after the attack, the more likely it was that they were still active. Over time, the value of these cards dropped as they became less likely to have any actual worth to their criminal buyers.
On the other hand, Twitter accounts, even spambots, retain much higher values going into the future.
"The yield of a product influences its price. A Twitter account costs more to purchase than a stolen credit card because the former's account credentials potentially have a greater yield. Immediately after a large breach, freshly acquired credit cards command a higher price—as there is greater possibility for the credit cards to still be active. But after time, prices fall because the market becomes flooded – e.g., the Target case (Kirk, 2014)—leveling off as the data becomes stale, or if there has been significant time since the last breach."
But what is it about Twitter account info that gives it a "greater yield"? According to Michael Callahan of Juniper Networks, there are several factors. First of all, given the number of Internet users who use the same passwords and usernames across platforms, Twitter can become a key to unlocking vast amounts of information, including banking and ecommerce data. Also, stolen account info is good for "spear-phishing," in which friends, family, and coworkers connected to a stolen account can be targeted with more sophisticated phishing schemes.