How you can buy a credit card for $20 from Dark Web crims
Special Investigation: Stolen Australian passport credentials are being sold for just over $1000 on the Dark Web and working credit cards are selling for as little as $20 in a trade cybersecurity experts warn is booming as criminals exploit the recent rise in online transactions.
One expert said the coronavirus pandemic and lockdowns had been like "throwing kerosene on a fire" for identity theft, even though many victims remained unaware their information was being stolen and sold.
And the 2020 crime wave could intensify an already dire problem, with new data from the Australian Institute of Criminology showing one in four Australians have suffered identity crime, with losses rising to $3.1 billion last year or almost $4000 for each victim.
Trend Micro Asia Pacific managing director Tim Falinski said cybercrime was skyrocketing during the pandemic as criminals sought to steal information through COVID-19 phishing attacks, by exploiting insecure work connections, and by hacking online stores, which were attracting more customers than ever.
"Since COVID-19 hit, the cyber criminals have moved in," he said, "and identity theft is definitely on the rise.
"In April and May, it was like throwing kerosene on a fire."
Mr Falinski said identity documents were in "highest demand" as they allowed criminals to set up accounts in the names of others, and also commanded higher prices on the Dark Web in case they did not want to take the risk themselves.
The latest Dark Web Price Index, released this week by Privacy Affairs, showed cloned credit cards were selling for between $20 and $50 each, and access to sizeable bank accounts was being traded for $75.
Safety Detectives researchers found stolen Australian passport credentials were selling for $1,021 on the Dark Web, but criminals could also purchase a full portfolio of counterfeit Australian documents, including a passport, birth certificate, and education certificates, for just over $2000.
Penalties needed to slow the dangerous trend of data theft are lacking, despite more than 1000 incidents reported to the Office of the Information Commissioner in the last financial year.
Currently, Australia's Information Commissioner can only issue fines up to $2.1 million to companies for "serious and repeated" breaches of consumers' private information.
A change to increase the maximum punishment to $10 million or 10 per cent of the company's Australian turnover was promised in March last year, but has yet to see action.
Shadow Cybersecurity Assistant Minister Tim Watts said the rising number of Australian companies suffering data breaches and exposing their customers' private information was also a problem.
"It's absolutely becoming a bigger issue because these breaches are becoming more frequent," Mr Watts said.
"It's a recipe for identity theft on a really big scale if the government and users don't take it seriously."
As the man in charge of Labor's cybersecurity portfolio, and a self-described geek, he said even he is not immune to data leaks.
Despite being "pretty phobic about my online presence," careful about what he shares and what passwords he uses, his information has still been leaked widely online.
A scan with BitDefender's Digital Identity Manager found his personal data had been exposed in hacks of social networks and online services including Tumblr, LinkedIn and Dropbox.
"There are two or three data breaches that I've been caught up in every year," he said.
"I also found lots of accounts from the deep dark past."
Mr Watts said the analysis showed he had almost twice the amount of personal data exposed on the internet compared to the community average, though some instances may have been due to his public role.
The member for Gellibrand, in Melbourne's west, said he'd been surprised to find so many old, abandoned accounts were still available to view online, and that the number of data breaches affecting his details was growing each year.
"These old hacks are a good lesson in why you shouldn't use the same password across multiple sites," he said.
"There are people who aggregate the data from all these breaches, put them into extremely large data sets and seek to use them for identity theft."
Mr Watts said well-connected Aussies should employ a password manager to recall unique, complicated logins for every service, and use multi-factor authentication where possible - advice he has taken too.
Norton LifeLock senior director Mark Gorrie estimated that most information exposed in data breaches was being harvested and either sold or exploited, with "over 60 per cent used for criminal purposes, and a lot appearing on the Dark Web".
Norton recently launched a Dark Web Monitoring program in Australia that takes users' information and compares it to data scraped from Dark Web forums and databases. The service will compete with similar offerings from Trend Micro and BitDefender that have recently been made available in Australia.
'I DIDN'T REALISE MY DATA HAD BEEN EXPOSED'
Brisbane wealth coach Jeremy Britton said his identity was stolen in an attempt to defraud health insurance companies of $6000, which he only discovered when one phoned him to ask about his substantial dentistry claim.
"They obviously had my name and date of birth and possibly my driver's licence," he said. "They could have applied for a credit card so I got off lightly."
Mr Britton said he had no idea how his information had been stolen but, after trialling the BitDefender program, found his name, email addresses, passwords, phone number and some financial information had leaked online.
"I didn't realise my data had been exposed on so many sites," he said.
"Some of them I signed up for as a trial years ago and never touched again."
'I'M CAREFUL ONLINE'
Community kitchen founder Christine Smith, from Melbourne, said she had her Facebook account hacked and more than $2000 charged to her credit card after an online job advertisement went wrong.
The criminals also tried to hack into other accounts, she said, and "really knocked me for six".
"I'm careful online, I can spot a phishing email, and I've never been caught by any of those," she said.
While she is still yet to regain control of her Facebook account, Ms Smith said the Dark Web-scanning program was able to identify the internet address of the person who used it last, and proved the criminals were not able to access or sell more of her personal data.
DARK SIDE OF THE FORCE
The Australian Federal Police has begun creating specialist cyber teams in every state in the country after an alarming rise in the use of the dark web by criminals to sell drugs, guns and child abuse material.
Dedicated cyber liaison officers are also being recruited to work offshore, particularly in the United States and the UK, in a co-ordinated push by Five Eyes partner nations to crack online criminality that has exploded post COVID-19 movement restrictions.
"We are concerned about that," one senior AFP officer said yesterday of the rising use of the dark web.
"The concerning part or challenge for law enforcement with the dark net is that the tools that people use to connect to the dark net provide a high degree of anonymity and things like encryption, virtual private networks, that type of technology makes it extremely difficult to identify the criminals operating on the dark web.
"We are seeing a whole range of criminal activity on the dark web from drug dealing to firearms trafficking, terrorist activity, criminals preying on our children, trading in child exploitation material, so there is a whole range of criminal impacts."
He added the AFP was very focused on ensuring Australians were safe online, particularly children. A national security forum involving the AFP, Home Affairs and ASIO earlier last month noted the rise of extremists targeting the young and vulnerable online more than in person because of the coronavirus epidemic.
The new state-based AFP cyber teams and dedicated offshore cyber liaison officers were being funded out of $89.9 million given to the AFP as part of the 2020 Cyber Security Strategy announced by Prime Minister Scott Morrison last month. Part of that strategy is to ensure Defence's Australian Signals Directorate, the AFP and other agencies within Home Affairs collaborate on cyber security.