Stolen Twitter Credentials Worth Big Bucks To Criminals

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

The price of stolen user credentials varies depending on the popularity of the Internet service or application for which they could be used

Just like thieves targeting platinum and corporate credit cards five years ago, nowadays cyber criminals are paying more money for ‘platinum’ user credentials such as Twitter account details.

So warned data security specialist Imperva. According to the firm’s chief technology officer, Amichai Shulman, the price of a file of user credentials – known as a ‘dump’ in hacking circles – depends greatly on the Internet service(s) where they can be used.

“Just five years ago, the illegal trade in credit card details was a rising problem for the financial services industry, as well as their customers, with platinum and corporate cards being highly prized by the fraudsters,” he said.

images0.jpg

“Today, however, there are reports of Twitter credentials changing hands for up to $1,000 (£628) owing to the revenue generation that is possible from a Web 2.0 services account. This confirms our observations that credentials can fetch a high sum according to both the popularity of the application, and the ‘popularity’ of the account in question,” he added.

According to Imperva, the “going rate” for various web applications and services can vary widely. For example a Hotmail account is worth $1.50 (94 pence), whereas a Gmail account is worth $80 (£50).

Shulman believes that the disparity between the two prices is because Hotmail (as a service) “has fallen out of favour of serious Internet users, while Gmail’s all-round flexibility means it is central service for business users.”

Shulman said that this means that Gmail credentials can also give access to a range of Google cloud services, including Google Docs and Adword accounts.

“Google Docs,” Shulman explained, “can contain valuable additional information on the legitimate owner, while an Adwords account can allow criminals to manipulate existing and trusted search engine results.”

And Shulman believes it is a similar story with Twitter accounts, “but with the added dimension of the immediacy of a rapid-fire social networking connection.”

This was almost certainly the reason why it was reported that Twitter had blocked the accounts of some users, whilst they changed their passwords.

“Twitter accounts are so valuable to criminals that they will use almost any technique to harvest user credentials, including targeted phishing attacks. Once a fraudster gains access to a Twitter account, they can misuse it in a variety of ways to further their fraudulent activities,” he said.

“If this isn’t a wake-up call to anyone with multiple IDs that use the same password, I don’t know what is. Internet users – especially those with business accounts – need to use different passwords for different services, or they could face the disastrous consequences of taking a slack approach to their credentials,” he added.