A researcher here at Trustev last week found an ad on the Dark Web for datasets purportedly extracted from the Ashley Madison hack, the first advertisement of its kind -- to our knowledge -- promising valid financial data from that data dump that fraudsters can use for online fraud. Here is the ad:
The ad, whose authenticity we haven't been able to verify (and which seems very fishy!), was posted on the dark store Nucleus, which has since gone offline. It promises 100,000 credit cards printed onto physical cards, with guarantees of up to $2000 of usable credit for each one.
The cards were priced at 0.45 BTC (bitcoin) for the identities with lower amounts of credit, which equates to around $103 as of September 2, and 0.75 BTC for the accounts with a higher amount of usable credit, which equates to $172.
The user offering these stolen payment credentials is called "Ms. Griswald", and has a history of selling credit card data dating back to early August. That is not a history long enough to imply reliability. The cards are printed and sent as physical items -- with free shipping offered in the US and a $10 fee for shipping internationally.
It is not clear whether any of the payment details for sale here are in fact culled from the Ashley Madison data dump. The card numbers couldn't be directly taken from there, as the dumps themselves did not contain full credit card strings. We spoke to VICE about this -- and were slightly mischaracterized because the reporter thought 1) that we believed that the credit card strings came from the Ashley Madison dump (we don't believe this) and 2) that the cost of this particular Dark Web sale would be $480 million (what we meant was the total cost of this data leak, over time). We'll write a longer post to talk about what we think the Ashley Madison dump will cost.
The key point is that this leak is very serious: a huge amount of data was released, and fraudsters -- who now have free, unfettered access to it -- will be able to triangulate it with other data leaks where they do have full-string credit card numbers. It will also be used to create forged and synthetic identities, which themselves are very useful for online fraud.