Criminals pay just $15 for Apple iCloud account IDs, report claims

Compromised iCloud accounts are among the most valuable of those traded on the dark web, so Apple users must make sure they protect themselves against fraud and phishing attacks.

Apple, iCloud, Apple ID, security, iOS, macOS, Top10VPN, phishing, dark web
Getty Images

One of the biggest reasons Apple users need to beware of phishing attacks is that compromised iCloud accounts are among the most valuable of those traded on the dark web at $15 per account.

All your data belongs to us

Think about the value of your Apple ID data: Not only is your account the golden portal into all your personal data, but it unlocks all manner of other valuable items: credit card details, online purchasing, passwords for your websites and more.

That’s why every Apple ID user really should think about the value of the data they are trying to protect and create tough alphanumeric passcodes, even if they do need to spend significant time memorizing those codes.

It is interesting to note that other than banking and financial service IDs, a hacked Apple account is the most valuable single account traded on the dark web. It's just ahead of a Macy's account.

You’ll find online bank details trading at an average $160, PayPal logins around $250, and passport details trading at $60. All these forms of data can help hackers break into your private accounts, enabling effective attempts at identity theft.

These insights come from a U.S. study from VPN comparison service Top10VPN.com, which reviewed tens of thousands of listings on popular dark web markets Dream, Point and Wall Street Market.

What else is being bought and sold on the dark web?

  • Apple ID: $15
  • Amazon, Walmart accounts: <$10
  • eBay account details: $12
  • Skype: <$10
  • Uber login: $7
  • Match.com account details: c.$3.

The high value of an Apple ID also reflects the wealthier demographic of Apple users, the value of the wealth of associated data in iCloud, and the attachment of payment details to these accounts.

These may seem cheap, but (in the hacker’s mind) they are taking a gamble because not every set of details will be accurate, though an Apple ID tends to be more accurate (when sold).

All the same, even at $15, “the risk of the data being worth nothing to the scammer is ‘baked in,’” the company told me in an email.

Simon Migliano, head of research at Top10VPN.com, warns:

“There’s a real concern that with such valuable information changing hands so cheaply, there’s nothing to prevent would-be fraudsters from buying up much as they can in the hope of striking it lucky and draining victims’ bank accounts and credit lines."

It’s not just the obvious scams like bank fraud and ID theft.

“A hacked Airbnb account, for example, could allow a scammer to pocket hundreds in booking fees or even stay at high-end properties as a guest and burglarize the hosts. At less than $8 initial outlay, that’s very appealing to a cyber criminal,” Migliano said.

Apple says ‘protect yourself,’ will introduce new privacy and anti-phishing tools

Apple users need to understand that even though they are using the world’s most secure consumer platforms, their information remains valuable to cyber criminals.

They must also understand that while an Apple existence is relatively free of the regular deluge of malware, dodgy app downloads, and other threats experienced on other platforms, threats still exist.

Ultimately, users are the biggest cross-platform security weakness you’ll find.

That’s why Apple is introducing new privacy protection and anti-phishing tools in iOS 11.3 and macOS 10.13.4.

These tools aim to warn users when they find themselves entering confidential data in phoney websites in response to (for example) convincing seeming email requests.

While for most of us those requests are annoying, scammers know that if only one person enters full account details in response to them, they can sell those details for $15 a pop. And victims may not even know they have been scammed until some other party raids their account using those purchased details.

Apple advises how to protect against phishing

In response to recent wave of App Store related phishing frauds, Apple recently published information to help users protect themselves against phishing and other forms of online fraud.

This explains how to identify a real email from Apple. It also advises users of what details Apple never requests, such as Social Security numbers, mother’s maiden names, credit card numbers of CCV codes. If those are requested, the email is almost certainly fraudulent.

Apple also recommends that rather than accessing your account using links in an email, users should access their accounts using a web browser and a typed URL or in Settings/Preferences on their device.

You should also use two-factor authentication.

The researchers put it like this:

“Our research is a stark reminder of just how easy it is to get hold of personal info on the dark web and the sheer variety of routes that fraudsters can take to get hold of your money. This really underlines the importance of two-factor authentication and more generally, secure use of websites and apps.”

Want to improve your security? Please read these two guides:

Google+? If you use social media and happen to be a Google+ user, why not join AppleHolic's Kool Aid Corner community and get involved with the conversation as we pursue the spirit of the New Model Apple?

Got a story? Please drop me a line via Twitter and let me know. I'd like it if you chose to follow me there so I can let you know about new articles I publish and reports I find.

Download the 2018 Best Places to Work in IT special report
  
Shop Tech Products at Amazon