- Select a language for the TTS:
- UK English Female
- UK English Male
- US English Female
- US English Male
- Australian Female
- Australian Male
- Language selected: (auto detect) - EN
Play all audios:
Blue told me that on the dark web sites he worked for, fullz were by far the most viewed and purchased items among the digital goods for sale. A fullz can sell for $20 to $130 depending on
the victim’s age and credit score, as well as the breadth of information provided. The fullz profiles most in demand, our experts said, belong to older people. Data also gets sold piecemeal.
Brett asked me my wife’s name and, within a few moments, found her Social Security number, available for all of $2.99. The website he found it on claimed to have over 170 million Social
Security numbers and dates of birth for sale. Surprised? Don’t be. A recent study found that Social Security numbers comprised 35 percent of data breaches in 2017, surpassing credit cards
(30 percent) as the top personal information compromised. Much of that data goes up for sale shortly after it has been stolen. Lillian Ablon is an information scientist for the Rand Corp.
who recently testified before Congress about the monetization of stolen personal information. She described four kinds of internet bad guys: state-sponsored hackers who steal data or attack
computer systems for political reasons; “hacktivists” who often do it just for fun, to prove themselves or to forward a personal agenda; cyberterrorists seeking to create fear and chaos; and
cybercriminals like Brett and Blue who do it for the money. Of these, cybercriminals are the most likely to dump their stolen information on the dark web. As Ablon told the U.S. House
Subcommittee on Terrorism and Illicit Finance earlier this year, “Immediately after a large breach, batches of credit cards get released in the cybercrime black markets.” When thousands of
credit card numbers or logins and ID numbers flood the market, the bloated supply drives down prices, allowing criminals to purchase our information more cheaply. Blue observed this
phenomenon firsthand. “I actually felt sorry for some scammers who had invested a lot in stolen information, only to have a huge data breach flood the market and deflate prices,” he told me.
Ablon noted that savvy crooks have learned to release stolen data in batches to avoid forcing prices too low. Brett could not show me what digital goods look like on the dark web because
that would require breaking the law. But he did show me a site where one hacker was quitting the business. Like a drug dealer who quits and gives his remaining stash to a couple of lucky
neighborhood teenagers, this individual had freely posted 47 fullz profiles on a dark web site Brett was investigating. The ages of these identity fraud targets ranged from a 36-year-old
from Sitka, Alaska, to an 85-year-old retired engineer from Arizona. The average age was 52. Each profile had at least eight separate pieces of information, among them: address, email
address, home and work phone numbers, date of birth, Social Security number, mother’s maiden name, credit card numbers, bank account numbers, even their computer’s IP address — all for
anyone to see and use however they chose. A PERENNIAL VICTIM I decided to try to contact some of these 47 people to warn them that their personal information had been posted online and to
find out if any of them had ever been victimized by identity fraud. After getting several disconnected numbers, I reached Joan Adams, a 51-year-old Army veteran living in the Southwest. When
I told Joan (not her real name, to protect her from further scams) what a crook had posted on the internet, there was a long pause, then a deep sigh. “I’m not surprised,” she replied. It
turns out that Joan has been a victim of identity theft on and off for 17 years. “It started in 2000 right after I got out of the military,” she began. “I was just raising my kids, working
hard, paying my bills and thought everything was fine. Then I started getting these delinquency notices saying I was past due on accounts I never knew I had.” Someone had stolen her identity
and opened multiple accounts in her name. So Joan, a mortgage underwriter and no stranger to paperwork, took action. She froze her credit and placed alerts on all her bank and credit card
accounts. This shut down the criminal activity. Or so she thought. After several years without credit problems, she let down her guard and removed the credit freeze on her account. Sure
enough, it happened again. More bogus accounts, multiple hits on her credit file and endless collection agency calls about debts she had not incurred. So once again, she froze her credit,
put alerts on all her accounts and signed up for an ID theft monitoring service. And it’s a good thing she did. “I’m not kidding, I was getting eight to 10 alerts a day saying people were
trying to use my Social Security number to open new accounts. It was very stressful.” Eventually, Joan received a letter from the U.S. Department of Justice telling her they had just
arrested a notorious identity thief and that her name was among those of his victims. In fact, the Justice Department told Joan her information had been bought and sold so many times that
she needed to change her Social Security number — which she did. As it turns out, most of the information on Joan’s fullz that got posted by the retiring hacker was outdated. But even
knowing that, she is taking active steps to protect herself. Like most of us, Joan will have to watch her digital identity like a hawk from now on. FOR MORE ON THE DARK WEB, LISTEN TO
AARP'S _THE PERFECT SCAM_ PODCAST. Illegal data merchants use many of the same marketing and customer-service tools that legitimate sites use on the surface web; it’s a sales business,
after all, even if the product is illegal. One example: Dark web site sellers encourage customer feedback ratings so that prospective buyers can evaluate the criminal’s reputation for
delivering the illegal stolen identities as described. Brett showed me the web page of a scammer named “Hackyboy” who had a customer rating of 299 positive reviews and 18 complaints — pretty
good. This essentially means that 299 of his customers have reported that he delivered precisely the stolen credit information he said he would deliver. This same scammer said he had 1,500
positive reviews across about eight different dark web sites. Blue also described listings for what are known as “calling services.” These are offered to fraudsters who are in the process of
taking over someone’s financial accounts. A calling service will contact the target victim’s banks, credit card companies or identity-theft monitoring companies pretending to be the person
and arranging to have their email and phone number changed. If these companies later suspect inappropriate activity, their calls and emails to the person will then go to the calling center,
which will cover for the crook. Calling centers are often located in an overseas country. (Many scammers, it turns out, are uncomfortable making or taking such calls because of the risks;
it’s safer to have out-of-country professionals do it for you.) Once the victim’s contact info is changed, the scammer can open new accounts, max out old accounts, even take out new loans in
the victim’s name without the victim ever knowing. After many hours with Brett and Blue, I came to realize that while the dark web has its legal usages, it also contains a massive
collection of auction sites for criminals, fueled by data breaches that pump millions of new records of personal information into this underground market each year. Which may be why
Alexandre Cazes, the founder of AlphaBay, had said his goal was to make it “the largest eBay-style underworld marketplace.”
