Criminals pay just $15 for Apple iCloud account IDs, report claims

Credit to Author: Jonny Evans | Date: Wed, 07 Mar 2018 03:59:00 -0800

One of the biggest reasons Apple users need to beware of phishing attacks is that compromised iCloud accounts are among the most valuable of those traded on the dark web at $15 per account.

Think about the value of your Apple ID data: Not only is your account the golden portal into all your personal data, but it unlocks all manner of other valuable items: credit card details, online purchasing, passwords for your websites and more.

That’s why every Apple ID user really should think about the value of the data they are trying to protect and create tough alphanumeric passcodes, even if they do need to spend significant time memorising those codes.

It is interesting to note that other than banking and financial service IDs, a hacked Apple account is the most valuable single account traded on the dark web. It’s just ahead of a Macy’s account.

You’ll find online bank details trading at an average $160, PayPal logins around $250, and passport details trading at $60. All these forms of data can help hackers break into your private accounts, enabling effective attempts at identity theft.

These insights come from a U.S. study by Virtual Private Network (VPN) comparison service Top10VPN.com, which reviewed tens of thousands of listings on popular dark web markets: Dream, Point and Wall Street Market.

The high value of an Apple ID also reflects the wealthier demographic of Apple users, the value of the wealth of associated data in iCloud, and the attachment of payment details to these accounts.

These prices may seem cheap, but (in the hacker’s mind) the buyer is taking a gamble, as not every set of details will be accurate, though Apple ID details tend to be more accurate (when sold).

All the same, even at $15, “the risk of the data being worth nothing to the scammer is ‘baked in’,” the company told me in an email.

Simon Migliano, Head of Research at the company, warns:

“There’s a real concern that with such valuable information changing hands so cheaply, there’s nothing to prevent would-be fraudsters from buying up as much as they can in the hope of striking it lucky and draining victims’ bank accounts and credit lines.”

It’s not just the obvious scams like bank fraud and ID theft.

“A hacked Airbnb account, for example, could allow a scammer to pocket hundreds in booking fees or even stay at high-end properties as a guest and burglarise the hosts. At less than $8 initial outlay, that’s very appealing to a cybercriminal,” Migliano said.

Apple users need to understand that even though they are using the world’s most secure consumer platforms, their information remains valuable to cybercriminals.

They must also understand that while an Apple existence is relatively free of the regular deluge of malware, dodgy app downloads and other threats experienced on other platforms, threats still exist.

Ultimately, users are the biggest cross-platform security weakness you’ll find.

That’s why Apple is introducing new privacy protection and anti-phishing tools in iOS 11.3 and macOS 10.13.4.

These tools aim to warn users when they are entering confidential data into phoney websites in response to (for example) convincing-seeming email requests.

While for most of us those requests are annoying, scammers know that if only one person enters full account details in response to them they can sell those details for fifteen dollars a pop – victims may not even know they have been scammed until some other party raids their account using those purchased details.

In response to a recent wave of App Store-related phishing frauds, Apple recently published information to help users protect themselves against phishing and other forms of online fraud.

This explains how to identify a real email from Apple. It also advises users of what details Apple never requests, such as SSI numbers, mother’s maiden names, credit card numbers or CCV codes – if those are requested, the email is almost certainly fraudulent.

It also recommends that rather than accessing your account using links in an email, users should access their accounts using a web browser and a typed URL or in Settings/Preferences on their device.

You should also use two-factor authentication.

The researchers put it like this:

“Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money. This really underlines the importance of two-factor authentication and more generally, secure use of websites and apps.”
