With the holiday buying season well underway, cybersecurity experts have been waiting to see if the news would be as bad as it was last year. In 2020, more than 86% of global consumers1 were victims of identity theft and fraud, and terabytes of corporate or personal data were exposed through data breaches (70 TB were exposed2 during the breach of conservative social media app Parler, alone).
“Shopping seasons” such as the holidays are especially fraught with peril because cybercriminals know both individuals and companies are purchasing more items online. Furthermore, purchasers are often in a rush, trying to get things done quickly at an especially busy time and are less vigilant than they should be.
So far, the news has not been reassuring. The Identity Theft Research Center (ITRC) reported a 17% increase3 in U.S. data breaches during the first three quarters of 2021 compared with the 2020 total. The organization also estimated that 250 million people would have their data compromised by the end of 20214.
Careless shopping habits create a field day for cybercriminals, who leverage personal information or credentials to uncover more information about their victim. The details they obtain can also be used to gain access to corporate data, as well, which generally includes far more valuable information, such as corporate secrets.
Yet cybercriminals have learned that extorting victims and companies directly puts them at greater risk of discovery and criminal charges. Now, many of them go to the world’s “underworld crime clearing house” — the Dark Web — where they sell the data to others who can exploit victims even further. Let’s explore this cycle of damage.
How Bad Things Happen to Good People
In pursuit of profit, cybercriminals have become incredibly inventive, creating websites that look identical to an actual online company but have URLs (web addresses) with nearly imperceptible differences (e.g., DanaandHarriesCookies.com versus DanaandHarrysCookies.com). Furthermore, they understand that targets will let down their guards if a site has the trappings of legitimacy. One is example is the use of SSL certificates (digital certificates that authenticate a website’s identity and enable an encrypted connection), for which any website owner, including a cybercriminal, can sign up.
Criminals can also hack into retailer databases and steal customer email addresses, then send them fake notifications of huge sales, cash back and other bonuses that contain a fake link to the supposed benefit. The link will lead the unwary shopper to a spoofed site that sounds and looks real, like AmazonHolidayRewards.com, and ask them to confirm their identity so the reward can be sent to them. Ever looking for a bonus, shoppers fall prey to these offers in droves.
The Dark Web: An Unwelcome Holiday Visitor
Once criminals are in possession of valuable information, they often sell it on the Dark Web, a hidden network of websites that isn’t indexed by search engines and can only be reached with specialized software or authorization. Historically, buyers were other thieves. Now, a “cottage industry” has sprung up for the resale of information to individuals looking for a new identity, whether to get a job or escape a problematic past.
A recent article5 published by cyber-research lab Safety Detectives found that the cost of purchasing stolen credentials in the U.S. is shockingly low. A U.S. passport starts around $700; ID cards and driver’s licenses start at $200. A new Social Security Card/Number costs between $2 and $5. From birth certificates to bank accounts, and even educational documents like bachelor’s and master’s degrees, it’s all available.
Protecting Yourself Against a Disastrous Outcome
Victims of these crimes often suffer catastrophic damage. Individuals have their credit ruined or even lose their jobs or property, like homes and cars. Businesses are just as severely impacted, with 60% of small businesses6 (1,500 or fewer employees, per the SBA) closing within six months of a data breach or cyberattack.
Fortunately, there are concrete steps organizations can take to protect themselves and their workers from these disastrous outcomes. Safeguards, such as using multi-factor authentication and unique, complex passwords are a great start.
However, these tactics won’t work if your information is already out there. Carmichael Consulting offers a Dark Web Monitoring service where our experts troll the Dark Web to see if your data and other corporate assets are already for sale there. We also evaluate your company’s IT infrastructure and security to identify whether your practices, and those of your personnel, may be increasing your level of exposure. To learn more about it, or for a complimentary consultation on cybersecurity in general, call 678-719-9671 Ext. 2 or email [email protected]