What Canadian Data Can a Criminal Buy on the Dark Web for the Price of a Big Mac?

Cybercriminals sell users’ data on the dark web for dirt-cheap prices – less than the price of a Big Mac in Canada. Canadian payment card data can be bought for around US$5.04 (CA$6.91), and the Twitter login for a single account only costs US$2 (CA$2.74) on average.

New research by NordVPN examined a dark web market worth US$17.3 million to find out what criminals can buy there for the price of a Big Mac, which currently costs US$5.25 (CA$7.18) in Canada.

“The list goes on and on. A hacked HBO account is sold for US$3.5 (CA$4.8). Grammarly or Scribd accounts for a similar price. Dark web markets work like common e-shops, and the market rules are similar here. The easier it is to get an item, the cheaper it costs. And people do a huge favor to hackers by not protecting their accounts and credentials properly,” says Daniel Markuson, a cybersecurity expert at NordVPN.

$5 Spent by a Criminal on the Dark Web — What are the Consequences for the Victim?

Once a criminal purchases a user’s data, they try to reuse it for their own benefit.

“In the best-case scenario, a criminal will use the victim’s service account (like HBO or Grammarly) without a user noticing. However, the more likely scenario is that they will try to use the same login details to take over other accounts that a user owns,” says Markuson.

Social media accounts open gates for social engineering. A criminal can try to reach out to a user’s friends or family to trick them into giving up their personal information or even transferring money to the criminal’s account.

When it comes to the financial information that criminals can buy on the dark web, hackers can use it directly to steal money or purchase something using the victim’s credit card.

It is important to remember that the items sold on the dark web are usually sold multiple times. So a user’s credentials can get into the hands of thousands of criminals.

How to Protect Yourself from Your Data Being Sold on the Dark Web

“Between 2008 and 2021, the FBI recorded a 207% increase in cybercrime reports. Cybercrime is booming, and we need to educate ourselves if we want to stay safe,” says Daniel Markuson, a cybersecurity expert at NordVPN.

Below, Daniel lists the most common methods criminals use to steal users’ data, with tips on how users can protect themselves:

Brute forcing. Brute forcing is difficult to prevent because a criminal simply guesses the payment card number, CVV, or mobile number by trying different combinations of numbers. The attack is done using special software and can be executed in as little as 6 seconds. After that, a criminal can try to steal money from a payment card or just sell it to other criminals. Even though users cannot prevent someone from guessing their financial data or phone number, they can check their bank statements regularly and avoid answering calls from unknown numbers to prevent losses.
Credential stuffing. Credential stuffing exploits emails and passwords that were leaked in big data breaches. Once criminals get them, they try the same credentials on other accounts a person owns and then sell the newly acquired logins on dark web marketplaces. The best way to prevent that is to use different and sophisticated passwords for different online accounts. The expert also recommends using password managers, such as NordPass, to store those passwords securely.
Social engineering. Social engineering is a method in which a scammer tries to entice or trick a victim into revealing their sensitive data themselves. Many social engineering scams rely on phishing emails with an invitation to fill in a form or to reply to the email with some personal information that can later be sold on the dark web. The main tip here is to question everything a user receives from an unknown sender, especially if an email domain looks suspicious or a user notices grammar mistakes in the email.