User accounts are extremely valuable. This is not only true for Internet properties, which are valued by the size and growth of their user base, but also for professional online criminals exploiting these platforms for a profit.
The prevalence of these user accounts in the underground market proves this is a common problem across all social platforms. The figure below shows the price range per account on BlackHat World, a web forum for black hats providing tips or services for online marketing. As you can see, the price varies widely by service, and also depends on the number of accounts purchased, whether the accounts are phone-verified, the country in which they were created, the age of the accounts, etc.
In the figure, the red line is the median price per account, the box is drawn between the first and third quartile of the price range, and the “whiskers” (in dotted line) extend to the furthest value within 1.5 times the interquartile range from the end of the boxes. Any data point further than that is marked as ‘+’.
In addition to accounts, other types of social currency are also up for sale. On the BlackHat World forums, a thousand Facebook “likes” run for a median price of $3, a thousand Twitter retweets is about $0.75, and a thousand Instagram followers is $2. Combo packages are available – $18.99 will buy you 530 Facebook likes, 500 Twitter shares, 380 Google +1’s, 300 Pinterest repins, 250 Facebook shares, and 240 LinkedIn shares. Looking for a quality marketing channel? LinkedIn accounts with 500 connections are only $30 each.
So what does all of this mean? Clearly it shows that the current security solutions in place, such as multi-factor authentication and rules/model-based systems, are ineffective at stopping mass registrations and account takeovers. It also underscores the point that there is a thriving underground for “fraud-as-a-service” where people buy and sell user accounts, fake reviews, followers like commodities on the stock exchange. Furthermore, it demonstrates the type of adversary we are now up against. Well-organized, well-funded criminal businesses that are spending a lot of money in these black markets to create huge armies of fake accounts to do their bidding for financial gain – whether it be fraudulent transactions, spam ad campaigns, promotional abuse or more. We need to rethink how we combat this modern adversary by stopping the creation of these accounts and the downstream damage they conduct.