The sensitive financial data held by banks and financial institutions, together with their central role in national infrastructure, makes them an attractive target for cybercriminals and hacktivists. In this blog series, we’ll be shining a light on some of the latest tactics and techniques used by insiders and in banking trojan campaigns, phishing campaigns, and payment card fraud. In future posts, we’ll also look beyond the cybercrime world to assess whether hacktivism poses a viable threat to the financial sector. Let’s start with insiders.

Criminal forum discussions

It’s not uncommon for insiders to offer their access and information across dark web and criminal sites. These discussions include users asking about the best places to sell insider information, others asking where it can be found, individuals claiming to sell insider access, and users attempting to recruit insiders. It’s something we alert our customers to (read our insider use case for more information). The site Intel Exchange (Figure 1), for example, has a dedicated section for insider information discussions. Similarly, Figure 2 shows an individual selling insider access to a large mortgage company.

Figure 1: Insider information discussion board on Intel Exchange site

Figure 2: Posts made by user offering insider access to mortgage company

Keyword searches across our dark web spider coverage over the past six months alone returned 8,425 mentions of insider trading keywords and phrases on the sites we track. This data, together with supplementary manual searches, indicates there is substantial interest in insider trading within the online criminal ecosystem.

For example, back in February 2017, when AlphaBay was still operational, a forum user named “asad1199” made multiple posts claiming to have access to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment gateway and sought experienced users to help them monetize it.

Figure 3: Post made to AlphaBay forum by user asad1199 offering SWIFT access

The user claimed to possess “data” that provided full administrator access to this system. The posts stated that asad1199 would provide information on where SWIFT transfers should be sent, and offered any potential partners 10-20% of the profits in exchange for their services.

This user had previously made similar posts in the “Wanted” section of AlphaBay, claiming to have access to an Automated Clearing House (ACH) system at a logistics company and an automobile dealership in the United States. In these posts the user offered a bank drop service, in which they would receive payments and then transfer the funds to another account specified by the customer, charging a 50% commission.

Specialized insider marketplaces on the dark web

Despite these examples, the most valuable insider information is not typically advertised openly online. Insider access is often a very case-based and demand driven process that is not well suited to online marketplace or forum models.

Those with privileged access or information will most likely conduct their business in person to avoid raising the suspicions of law enforcement. Large datasets containing personally identifiable information or credit card details, on the other hand, are more easily monetizable and likely to be shared and sold across online forums and marketplaces.

Exclusivity and a degree of closed or limited access are significant in the trade of insider access on cybercriminal sites. Insider information only remains valuable while access to it is limited to a small, restricted and trusted group, which is why specialist dark web sites such as The Stock Insider (Figure 4) and KickAss (Figure 5) have ostensibly introduced access restrictions to maintain the appearance of legitimacy. These restrictions also give inside sources and buyers a degree of perceived protection: with fewer members in the network, they feel their identities are less likely to be exposed or compromised.

Figure 4: The Stock Insider forum homepage

Figure 5: KickAss marketplace homepage advertising insider trading

Of course, we should take these forums with a pinch of salt. KickAss has since scaled back its focus on insider trading and now appears to cater to a more general criminal community. Threads on other criminal forums and Reddit pages also regularly claim that KickAss is a scam and that users were not receiving valid insider trading tips for the membership fee, which is 0.25 BTC per month.

How to Detect Insiders: Don’t Hyper Focus on the Dark Web

Sites like KickAss and The Stock Insider illustrate the interest in insider trading across the dark web and criminal forums. However, you shouldn’t hyper-focus on these sources alone. Organizations should start on the inside: implement the principles of zero trust, know where your toxic data resides, and understand how an insider would monetize that data. Once you have understood this, you can:

  1. Monitor the open, deep, and dark web for mentions of your brand and toxic information.
  2. Work with legal teams to determine the appetite for purchasing items and services sold by potential insiders on criminal forums and marketplaces.
  3. Purchase, or use a third party to acquire, items and services sold by potential insiders.
  4. Investigate recruiters and the sellers of goods and services: for example, the individual’s history and reputation, OSINT research, and gathering metadata where possible to aid the investigation.
  5. Don’t forget the accidental insider; the chances are that you are more likely to have someone send toxic data in a spreadsheet to a third party than to have a malicious insider selling the keys to your kingdom.
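As an added illustration of step 1 (this is example code written for this post, not Digital Shadows’ own monitoring tooling), the following triage script tags collected forum posts with the post types described above (insiders offering access, buyers recruiting insiders, bank drop services, named payment rails) and prioritizes any that also mention your brand. The brand term `ExampleBank` and the sample posts are constructed for the example.

```python
import re
from dataclasses import dataclass

# Indicator patterns modelled on the post types discussed above: an insider
# offering access, a buyer recruiting insiders, a bank drop service, and
# references to payment rails such as SWIFT or ACH.
INDICATORS = {
    "insider_offer": re.compile(r"\b(insider (access|info(rmation)?)|admin(istrator)? access)\b", re.I),
    "insider_recruit": re.compile(r"\b(looking for|need|recruit(ing)?) (an? )?insider\b", re.I),
    "bank_drop": re.compile(r"\b(bank drop|drop service|\d{1,2}% commission)\b", re.I),
    "payment_rail": re.compile(r"\b(SWIFT|ACH|payment gateway)\b"),
}

@dataclass
class Alert:
    post_id: str
    categories: list
    brand_hit: bool
    score: int

def scan_post(post_id, text, brand_terms):
    """Tag one post with matching indicator categories and a simple priority score."""
    cats = [name for name, rx in INDICATORS.items() if rx.search(text)]
    brand_hit = any(re.search(r"\b" + re.escape(b) + r"\b", text, re.I) for b in brand_terms)
    # Each indicator category adds 2; a brand mention adds 3 so it outranks generic chatter.
    score = len(cats) * 2 + (3 if brand_hit else 0)
    return Alert(post_id, cats, brand_hit, score)

def triage(posts, brand_terms, threshold=2):
    """Return alerts at or above the threshold, highest priority first."""
    alerts = [scan_post(pid, txt, brand_terms) for pid, txt in posts]
    return sorted([a for a in alerts if a.score >= threshold], key=lambda a: -a.score)

# Constructed sample posts (not real forum content); ExampleBank is a placeholder brand.
SAMPLE_POSTS = [
    ("p1", "Have data giving full administrator access to a SWIFT payment gateway, "
           "need experienced partner, 10-20% of profits"),
    ("p2", "Bank drop service available, 50% commission, ACH payments to US accounts"),
    ("p3", "Looking for an insider at ExampleBank, will pay well"),
    ("p4", "Anyone know a good VPN for streaming?"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_POSTS, ["ExampleBank"]):
        print(alert)
```

Matches should feed an analyst queue rather than trigger automated action, since regexes like these will fire on discussion of insider threats as well as on offers.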

Stay tuned for our future blogs on other threats to financial services.

To stay up to date with the latest Digital Shadows (now ReliaQuest) threat intelligence and news, subscribe to our threat intelligence emails here.