These days it’s not much. $1,000 doesn’t go far. Unless that is you do your shopping on the Dark Web, it seems that even a “relatively inexperienced hacker” can go shopping in a kind of identity theft as a service supermarket, helping themselves to all sorts of profitable trades, and ruining lives while they are at it, or such is the gist of the new Carbon Black report.
For $1,000 these “relatively inexperienced” hackers can:
- Buy authenticated access to a US-based bank account
- File a false tax return
- Have the IRS refund deposited into the authenticated account
- Transfer the combined balance into a cryptocurrency exchange/wallet
- Conduct additional dark web transactions via the cryptocurrency
- Cash-out from the cryptocurrency exchange into a EU-based bank
The report said that an attacker can more than double their money.
Russia finishes top of ‘Dark Web Olympics’ medals table
These days, of course, in the era of the cloud, the costs of creating a start-up accessing cutting edge technology is lower than ever before. Software as a service, or SaaS, has transformed the costs of doing business, with IT infrastructure that previously carried a massive upfront investment costs, transformed into a variable cost. It’s like that with crime too, identity theft as a service is growing, start-up cyber criminals can enter the game with a small investment, professionally designed, but anonymous, services are there to tap into.
“You will be absolutely delighted” went the sales blurb accompanying one identity theft as a service product. “This is by Far the most comprehensive, clear, easy to follow, up to date, resourceful and thorough tax refund cash-out guide ever written.” It could have been promoting a new financial product or washing detergent. It all feels so normal, so professional, so helpful — there are even warnings and hints about things to avoid to reduce the risk of getting caught.
“The United States tax refund system, when exposed to the ruthless efficiency of dark web marketplaces, has been turned into a Vegas-style slot machine. Insert some Bitcoin, pull the handle and figure out how to receive your $2,000 to $3,000 from the U.S. Treasury, courtesy of a faceless victim thousands of miles away,” says Carbon Black.
Amber Rudds 9m aims to turf out criminals from the dark web, but is it enough?
“Perhaps most notable is that an identity theft cycle can now be completed by an attacker without ever stepping foot outside or showing their face to another human via ‘identity fraud on-demand,’ a process by which a hacker can provide stolen/purchased identity information and receive an original image of a person holding a forged passport with matching picture/information and scans of the forged identity documents.”
What can be done to avoid the threat of cyber criminals operating from the Dark Web, tapping into identity theft as a service model? Carbon Black said it was tough, “if not impossible.”
It seems, however that doing the same old simple stuff we keep hearing about, helps — the virtual equivalent of locking the door, or putting valuables in a safe.
So that’s:
- Ensuring bank offers multi-factor authentication for logins
- Using a password manager and avoid saving passwords in a browser
- File taxes as soon as possible, so that if someone else tries to file a return in your name, it is rejected
- Avoiding giving information when requested by a website unless there is a very good reason
- Never transfer money based on an unexpected email request.
As for organisations, it is best to train staff in the above.