Cybercriminals have been found selling the Social Security numbers and other personal data of babies for hundreds of dollars on the Dark Web. According to Dark Web intelligence firm Terbium Labs, one listing spotted on the Dream Market – one of the largest marketplaces on the dark web – reads: "Infant fullz get em befor tax seson [sic]".
For $312 (£222) worth of Bitcoin, a buyer can purchase an infant's name, Social Security number, date of birth and mother's maiden name. The valuable stolen data offers nefarious actors access to a clean credit history allowing them to apply for credit cards, receive government benefits, take out mortgages, claim extra tax credits to maximize their return and more, CNN reports.
"With a maximum child tax credit of $1,000 per child, that is a potentially significant return on investment, assuming the buyer successfully files and claims the return," Terbium Labs wrote in a blog post. "An enterprising buyer can find the remaining details through open-source data sets or by harvesting the parents' other online presences like social media accounts."
This malicious behaviour can potentially go unnoticed for years until the victim is old enough to open their own credit account. Although the personal data of children has been previously seen for sale in these marketplaces, researchers said this was the first time they found infants' data.
"It's unusual to have information specifically marked as belonging to children or to infants on these markets," Terbium Labs' director of analysis Emily Wilson told CNN.
Researchers noted the timing of the posting given that tax season in the US is coming up in April.
"Unlike other forms of fraud, tax fraud is cyclical; there's little interest in purchasing a W2 or other tax-specific information in July," researchers said. "Now that tax season approaches, however, it's likely the volume of tax fraud-specific listings on the dark web will grow, with more vendors listing products to match demand.
Throughout the year, troves of personal data harvested from data breaches and leaks are put up for sale on the dark web as full identity packs or "fullz". These include full names, Social Security numbers, driver's license numbers and dates of birth among other personal details.
Tax fraud guides and tutorials were also spotted on the dark web for as little as $2 in some cases and detail how to file a fraudulent tax return without being detected. However, many of them are often out of date or do not include topical information rendering them useless, they added. Before tax season hits, W2 forms, Employee Identification Numbers and pay stubs are also available for as little as $35 for cybercriminals to file fraudulent tax returns.
"The most useful guides may not be publicly advertised at all; rather than selling to just any buyer, experienced fraudsters tend to keep the most valuable tips and tricks to themselves, or circulate it among a small, trusted group," Terbium Labs notes.
"The recent disruption to the tax code and the shake-ups on the dark web will not stop the tax fraud machine," researchers said. "As always, fraud finds a way."