Panda Security has a blog post on phishing and how it is so profitable that criminals don’t always use stolen credentials themselves — they just sell them to other criminals. From the blog post:
Phishing attacks have one purpose – to steal your usernames and passwords. Cybercriminals use carefully crafted messages to trick you into visiting a fake website that looks legitimate. But when you ‘login’, hackers collect your password.
Typically, people send these messages via email. But as attacks become more sophisticated they may also be received via text message, phone call or even app notifications on your smartphone. Advanced attacks may use two or more channels at once (email + SMS for instance) to make the message appear more legitimate – and urgent.
Once harvested, hackers have a choice. To use the credentials to launch their own attacks or to sell them on to other criminals. Usernames and passwords are extremely valuable too. Although a Microsoft 365 account login can be bought on the dark web for a few dollars, bank account details are worth more than $4000 each. Even credentials for general websites hold some financial value because so many people reuse their passwords between services.
Realising this, hackers now buy and sell compromised credentials to each other. One estimate suggests that there are more than 24 billion username and password combinations for sale on the dark web.
Read more at Panda Security.