Cybercriminals who capture your personal information often do one of two things with it. They’ll either use it themselves to directly hack your accounts, or they’ll sell it on the Dark Web. And once your personal data is up for sale, buyers can use it for financial gain or for doxing, a practice where malicious actors publicly reveal private information about you for all to see. In a blog post published Tuesday, security provider Kaspersky looks at the sale of personal data on the Dark Web and offers advice on how to protect your own data.
SEE: The Dark Web: A guide for business professionals (free PDF) (TechRepublic)
Kaspersky’s blog post entitled “Dox, steal, reveal. Where does your personal data end up?” describes doxing as a form of cyberbullying. The goal is to embarrass or target the victim by publishing embarrassing photos, private correspondence, a physical address, private contacts, job details, and medical or financial data.
Journalists, bloggers, activists, lawyers, sex industry workers, and law enforcement officers all run a higher risk of being doxed, according to Kaspersky. People with high-profile internet personas also are at greater risk for doxing. However, “ordinary” people can be doxed as well.
Doing or saying something online that upsets a lot of people can make you an open target for angry reactions, even in cases of mistaken identity where you didn’t actually do or say the thing that got you in trouble.
Personal data that finds its way to the Dark Web can be sold at relatively low prices, certainly for less than the average person would think. For its report, Kaspersky scanned several Dark Web forums and marketplaces to determine the going rates for certain types of information.
Dark Web data and prices
ID card data: 50 cents to $10
Containing sensitive information such as Social Security numbers, ID cards are the main form of identification in many regions, including the US and Europe. Though such cards seem important, they don’t fetch much on the Dark Web. A card or document with a full name and insurance number can cost as little as 50 cents per person. A full pack with name, ID number, SSN, date of birth, email address, and phone number can go for $10 per person.
Passport scans: $6 to $15
Another popular form of identification, passports are typically used in countries such as Russia and Ukraine for any type of government or financial service. Such documents can easily find their place on the Dark Web when you consider the number of times someone’s passport is scanned at a post office, an airport, or another location. Passport scans can sell for anywhere from $6 to $15 depending on the quality of the scan, the country of origin, and whether the scan includes just the full page or the entire booklet.
Driver’s license scans: $5 to $25
Driver’s licenses are also used as a means of identification with scans of a license and all the visible information up for grabs on the Dark Web. Selling for anywhere from $5 to $25, these license scans can be used by criminals to rent cars, commit insurance fraud, and present as an ID for different services.
Medical records: $1 to $30
As medical records become more digitized, they also become more susceptible to cyber theft. The type of data sold on the Dark Web varies from medical forms with full names, email addresses, and insurance numbers to full records with a patient’s entire medical history, prescriptions, and other data.
Selling for anywhere from $1 to $30 per record, such information can also be used for ransomware. In one example, the Finnish mental health organization Vastaamo was hit by a breach that compromised the data of at least 2,000 patients. After offering the stolen information on the Dark Web, the attackers wanted a ransom payment to delete it before turning their attention directly to the patients.
How to protect yourself
To protect yourself and your data from being stolen and sold on the Dark Web, Kaspersky offers this advice:
- Never reuse your passwords across accounts. Use a unique password for each account and a password manager to store them.
- Protect your devices with fingerprint/face scan or with a PIN or password.
- Use two-factor authentication. Remember that using an application that generates one-time codes is more secure than receiving the second factor via SMS. If you need additional security, invest in a hardware 2FA key.
- Always check permission settings on the apps you use. The idea is to minimize the likelihood of your data being shared or stored by third parties without your knowledge.
- Check for any accounts that may have been compromised. Certain tools and websites tell you if any of your online accounts have been caught in a data breach. The site known as have i been pwned? and Google’s Password Checkup tool and Password Manager can warn you of potentially leaked passwords.
- Think twice before you post on social media channels. Always consider how the content you share online might be interpreted and used by others. Could there be unforeseen consequences of making your views or information public? Could content be used against you or to your detriment now or in the future?