According to a recent Kaspersky security research report, stolen Twitter accounts are being sold on the black market for as much as $1000 a time. This really should not come as any great surprise given that the rapid evolution of social media mirrors the rapid evolution of cybercrime.
The price of a file of user credentials (a "dump", in hacker vernacular) depends greatly on the Internet service where it can be used, says Amichai Shulman, chief technology officer at data security specialist Imperva.
"Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters," Shulman told us, adding, "Today, however, there are reports of Twitter credentials changing hands for up to $1,000 owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application and the 'popularity' of the account in question."
Indeed, with the going rate for a stolen Hotmail account a paltry $1.50 while a Gmail account sells for an average of $80, the proof would appear to be in the eating of this particular criminal pudding. "As a service, Hotmail has fallen out of favour with serious Internet users," Shulman explains, "while Gmail's all-round flexibility means it is a central service for business users." That means stolen Gmail credentials are likely to provide access to a whole range of Google cloud services, such as Google Docs and AdWords accounts, which in turn can open doors into company systems. Hence the added value of these compromised credentials.
As for Twitter, these compromised accounts are more valuable still, as they offer an immediate 'in' to a network of contacts that can be exploited to spread malware to unwitting recipients or to drive a more targeted attack. "Twitter accounts are so valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities," Shulman says, concluding, "If this isn't a wake-up call to anyone with multiple IDs that use the same password, I don't know what is. Internet users - especially those with business accounts - need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials."