.. where criminals buy and sell your private information

Nobody in my household is old enough to receive publications from AARP. (And if you believe that, I should either say “thank you” or try to sell you that beautiful 8-lane bridge crossing the Cooper River in Charleston.) But, for some reason, AARP’s September Bulletin arrived in my mailbox today, and it contained an excellent article entitled “Inside the Dark Web” that provides the best information on that topic than I’ve read to date. You can read the article here.

The article, written by Doug Shadel with Neil Wertheimer, said much of the available information on the dark web comes from Brett Johnson, an “imposing and charismatic” former criminal once dubbed the “Original Internet Godfather.” Johnson created “Shadowcrew”, one of the first online forums where criminals could buy guns, credit cards, Social Security numbers, and drugs. He landed on the Secret Service’s most-wanted list and was in and out of prison for a decade. The other source of information is a character who is now in prison and who asked to be called “Blue London” in this article. Today, according to this article, Brett and Blue are willing to share detail about the dark web, Brett, as a law enforcement consultant, and Blue, as an inmate who wants to reduce his prison sentence.

The article describes the entire content of the web. The “surface web”, which makes up 5-10% of the Internet, consists of sites that show up when you use normal search engines like Google, Yahoo and Bing. These sites encompass news, entertainment, products, services and consumer information. The creators of these sites, like Wikipedia, Amazon and WebMD, want lots of people to see them.

The “deep web”, which makes up 90-95% of the Internet, consists of pages requiring a password and can’t be accessed by normal search engines. These sites include online banking, subscription websites, government records, emails and most social media content. Examples include PayPal, Netflix, LinkedIn, Instagram and Dropbox.

The “dark web”, which makes up just 01% of the Internet, consists of sites that provide anonymity to users and go largely unregulated. Many are legal. For example, sites service as outlets for human rights activists can be found on the dark web. But the dark web is also used by criminals to make illicit purchases and sales with total anonymity. Cryptocurrency like Bitcoin is used to make the transactions untraceable.

The article described AlphaBay, a site that, before it was taken down in 2017 by the FBI, had over 200,000 users and took in between $600,000 and $800,000 daily, mostly drug related. But that site also dealt in stolen personal IDs, stolen credit card numbers and hacking tools.

Brett and Blue showed the authors of the article many other inhabitants of the dark web that moved in to take the place of AlphaBay. These sites sell the items marketed on AlphaBay plus logins and passwords, credit reports, and “fullz” which translates to a “complete package of everything needed to commit identity theft: Social Security number, date of birth, mother’s maiden name, address, phone numbers, driver’s license number and more.”  Blue said a fullz can sell for $20-$130, depending on the victim’s age and credit score.

Data can also be sold piecemeal. Brett asked the author his wife’s name and quickly found her Social Security number available for purchase at $2.99. The author also paid a small fee and received a 92-page report containing all his current and previous addresses, phone numbers, social media sites and email addresses. The report also contained descriptions of his family members and neighbors and details about properties he has owned.

Much of the data, according to this article, goes up for sale shortly after it is stolen. The huge data breaches we hear about routinely apparently flood the market and deflate prices. Brett and Blue told the author that they could study social media sites to harvest data for criminal purposes. Many sites use “knowledge-based authentication” (KBA) questions, which should be information that only the user knows. But if the user adds this type of information to social media sites, the scammers can successfully mine the information.

The article provides some advice to stop the cybercriminals. First, we should all simply assume that our information is already “out there” on the Internet, and take action to protect ourselves. Cybersecurity experts and former criminals agree on three steps to help us all stay safe:  freeze credit, closely monitor all accounts and use a password manager. The author said he fully subscribes to this advice and has taken all three steps. I’m at two out of three. What about you?

(You can thank me later for directing you to this outstanding article that you are much too young to read.)