Skip to content
photo bycomedy_nosefrom flickr​

$00.000025: The Going Rate On The Black Market For Your Email Address

The going rate for a batch of one million United States email addresses: $25. One-and-a-half million addresses from England sell for $100. And email addresses from Russia, Ukraine, Germany, and Australia are available for the right price. That’s according to McAfee’s second quarter Threats Report published this week.

McAfee says 2011 has been a year of “chaos and change.” LulzSec and Anonymous continually showed their skill at compromising networks and showed companies both big and small that their networks are vulnerable. Android operating systems are now the most targeted platform for mobile malware; threats increased 76 percent over the last quarter. And botnets, networks of computers that have been hijacked and are being used for cyberattacks, whose numbers had been at an all time low, are slowly making a comeback.

One of the more interesting parts of McAfee’s quarterly report includes cybercrime “pricebooks” that show the going rates for email addresses that spammers can buy to distribute spam. The price varies by country, with the most expensive being email addresses from Portugal, which sell for $166.66 for one million. One million addresses in Ukraine sell for $20.

Where’d they get the numbers? Adam Wosotowsky, senior research analyst at McAfee Labs explains:

“Mcafee has researchers who, in cooperation with law enforcement, work to monitor newsgroups and chat rooms that would be associated with underground cybersecurity activities. Values and prices for activities can be posted in such venues and at times can even appear in spam or directly advertised on illicit Web sites that sell such services. In many cases the sellers will seem to operate in a country which doesn’t have strict laws concerning selling such private data,” he told Security Management.

“Though spam is still at historic low levels, due in part to the Rustock takedown, McAfee Labs still expects to see a sharp rise in activity over the coming months,” a McAfee release says. A common way cybercriminals can quickly re-up their volume of spam activity is buying email addresses in bulk.

Spammers who are buying and selling email addresses get them from a variety of sources. According to a fact sheet from Verizon, many Web sites ask visitors to provide email address that they sell later.

Companies don’t always make their plans for customer email addresses obvious so one blogger is fighting back.

“Buried in the fine print was something only a lawyer could understand that gave them permission to sell your email address (and other information about you) to outside companies, earning them a tidy profit and you a full spam folder,” Dan Schointuch at Money Talk News wrote on Wednesday.

For this reason, he’s embarking on an experiment to find out who is or isn’t selling information by signing up for rewards programs from companies like Publix, Office Depot, and Facebook, with individual unique email addresses. When the spam starts coming in, he'll get to see who’s selling what to who.

He’ll be posting what he finds on Money Talks News. Either way, the spam will come; there's no way to avoid it, according to one researcher.

“It winds up in the databases eventually,” Dave Marcus, director of security research at McAfee Labs told Security Management by email.

Other email addresses are pulled right from Web sites by computer programs or hacked mailing lists.

“They can be harvested with web crawlers which scour the Internet looking for email addresses. Such crawlers will come across any publicly posted email lists, like from a security breach, and absorb them. In other cases, address books can be harvested from infected machines. Raw data logs from botnets can be purchased and mined for data such as email addresses as well,” Wosotowsky said.

[ Stay Aware of Threats. SM7 Newsletter: Sign Up ]

The exact price of an email list will depend on the quality of the list. That quality is based on how many email addresses are still active and what type of addresses they are--from government, corporations, or individual, for example. Wosotowsky said the numbers in the study are the average prices for an average quality list.

“Most of the time when you use your email address to sign up for things online it’s not going to get you into trouble…. Obviously the more address books your email address is in the higher chance that it will eventually slip out,” he said.

“Email addresses also get out there when companies go out of business and someone comes along and buys ‘rights’ to their old customer email list. Those are some of the more infuriating ones, because the law can be a bit obtuse on issues of online privacy in terms of what qualifies as a tangible and sellable email list,” he added.

Verizon says before providing a Web site with an email address, always check their privacy policy. If the site doesn’t have a privacy policy or it doesn’t explicitly say they won’t share user information, a person should assume their information is being sold to spammers.

Wosotowsky is a little more optimistic about spam protection than his counterpart. He says the best safeguards are to have anti-virus protection, some sort of spam filtration, be aware of domain reputation, and keep track of legit subscriptions.

“Unsubscribe from legitimate mailing lists when you get bored of them. If you sign up for too much then it’s hard to know how much of that ‘spam’ you should be angry at,” he said.