Identity theft subscription services uncovered on dark web

After movies, music and television, identity theft has become the newest type of subscription service available to a paying audience.

Identity theft subscription services have been discovered on the dark web by VMware Carbon Black's Threat Analysis Unit (TAU) in a recent blog post titled "Tax Day Fraud: 'Identity Theft Subscriptions' in High Demand on the Dark Web." The post touched on the various types of fraud cybercriminals are engaging in ahead of Tax Day, as well as how criminals have more time to enact such fraud in the wake of COVID-19's delay of the original 2020 Tax Day, April 15, to July 15. The research also reveals the rise of identity theft subscriptions being offered on the dark web.

In the blog post, Greg Foss, a senior threat researcher from VMware Carbon Black's TAU, said the vendor "uncovered hundreds of newly published identity information packages" on dark web marketplaces that included personal data such as Social Security numbers, addresses, dates of birth, email addresses, passwords and more, costing anywhere between $50 and $10,000.

"Perhaps most notable is the massive number of malicious actors bidding to buy this content, with many interested in 'identity theft subscriptions,' requesting and committing to purchasing stolen data weekly, monthly, and even on a daily basis," Foss wrote.

While identity theft has typically been a threat to consumers, stolen personally identifiable information (PII) including tax information and W-2 forms have become a hallmark of enterprise security threats such as business email compromise (BEC), which led to $26 billion in losses across the globe between 2016 and 2019, according to the FBI. BEC attacks make fraudulent email requests to enterprises for employee tax information, for example, and the threat actors can then sell that data on the dark web or use it to construct more convincing scams for fake invoices or wire transfers to bank accounts that are controlled by the attackers.

Foss told SearchSecurity that PII and tax information can be also used by cybercriminals for "carding" schemes for payment card fraud. "A lot of this information would be used in carding operations, generating new accounts under different people."

Foss added that a lot of the information at play is related to "fullz" -- full packages of PII including social security numbers, full names, emails, companies the individual is working for or has worked for in the past, and health record data.

While he said that some of the data packages will be sold for the intention of scamming the buyer and not all of it will be high-quality, TAU is also seeing are escrow services where the buyer puts currency in an account for the seller, and once the deal is confirmed to be legitimate, the buyer releases the funds to the seller.

"Criminals seize on every opportunity to exploit bad situations. 2020 has presented unlimited opportunities to profit, increasing the demand for identity packages," Foss wrote. "It has also shifted the buying frequency with hackers looking to purchase data on a subscription basis. These criminals run the gamut from script kiddies to seasoned hackers and scammers."