An illicit and lucrative trade has grown on criminal forums across the surface, dark, and deep web – the purchase and sale of exploited data. This criminal economy is driven by a growing demand for usernames, passwords, social security numbers, and credit cards, enticing threat actors to find new and innovative ways to steal data, supply it, and profit from it.
Attackers steal this sensitive data in many ways, including targeted breaches, phishing campaigns, network intrusions, and vulnerabilities in external-facing infrastructure. Some of this data is already exposed by the organizations themselves: SearchLight has collected more than 14 billion exposed credentials and 2.3 billion files across the deep, dark, and surface web. This data is extremely valuable because it can be used to take over accounts, perform corporate espionage, exploit vulnerabilities, conduct spear-phishing, and target customers.
The dark web frequently headlines as a home for the public trade of this breached data; however, this trade extends beyond the dark web.
We’ve noticed a lifecycle of this exposed data. The public sale of these credentials is only one step in the overall lifecycle, which comprises four main stages: acquisition, private sale, bulk sale, and re-use. We will walk you through each stage of this exploited data cycle to illustrate the economy of exposed credentials, and then present ways you can protect your organization and mitigate the threats targeting it.
1. Acquisition
Producing the supply – how the cybercriminals get their hands on the data. A wide variety of tactics, techniques, and procedures (TTPs) are used, each varying in the technical expertise required. Targeted breaches, phishing campaigns, credential stuffing, network intrusions, and malware such as banking trojans are some of the common methods attackers use to obtain the data.
However, attackers can also acquire this sensitive data from accidental exposure across your digital footprint: open ports, misconfigured file shares, shadow IT, DevOps and IaaS environments, and other public-facing applications. Adobe, Microsoft Office, Amazon S3, MongoDB, and Google Drive are all points of potential exposure if not properly secured.
A well-known example of a breach through an unsecured external-facing system is the 2017 Equifax breach. Attackers gained access through an unpatched vulnerability in the Apache Struts web framework and exposed the records of around 148 million people. Many threat actors already possess the advanced technical skill needed to acquire this data, yet we have seen 2.3 billion files exposed by accidental insiders – we need to stop making it so easy for criminals.
Figure 1: Some findings on data leakage and exposure from our latest research report, Too Much Information The Sequel
2. Private Sale
Once this data has been harvested and the cybercriminals possess something of high value, such as credit cards or company documents, these criminals generally turn to private sales on discreet marketplaces or initiate the fraud themselves.
These private sales generally occur on higher-tier criminal sites such as Joker’s Stash, or over instant messaging such as Jabber. Cybercriminals can sell these breached credit and debit cards for roughly $25 to $45 apiece. Yet financial data is not the only data sold in private transactions. Recently, one criminal marketplace, Genesis, started selling “bots” built from browser fingerprints and other data harvested from an infected user’s computer, which let a buyer impersonate that user convincingly – a very powerful tool.
Figure 2: Adverts for the Genesis Store on a carding forum
Criminals also sell access to corporate networks, which attackers can use to hijack accounts in the financial functions of an organization. We detected over 33,000 exposed accounting inboxes in our breached repository in the previous year, evidence that the high demand for quality credentials is not going away anytime soon.
3. Bulk Sale
Fulfilling the rest of the demand – the leftover credentials. Sometimes the harvested data cannot easily be monetized. When this is the case, cybercriminals sell it on dark web markets or forums, through peer-to-peer communication channels, or within large combo lists.
Threat actors selling millions of breached credentials on dark web marketplaces frequently makes headlines. However, following the demise of dark web markets like AlphaBay and Hansa, cybercriminals have turned to encrypted peer-to-peer chats such as Telegram to trade this data with more secrecy.
Figure 3: Market[.]ms Telegram channel
Over time, as the exposed data loses value because people change their passwords and take proper security measures, we see criminals bundling the remaining data near the end of its lifecycle into combo lists. These combo lists contain billions of credentials drawn from many different breaches, can run to terabytes of data, and are sold for next to nothing.
4. Re-use
The resale market – cybercriminals’ last effort to monetize and deploy breached credentials. Once the stolen data has been through most of its lifecycle, some cybercriminals try to squeeze further value from these credentials through techniques such as sextortion and credential stuffing.
Sextortion is a common technique in which actors send out fake emails claiming to have access to the recipient’s personal data and pictures. The emails include a username and password taken from a breach in an attempt to make the victim panic and believe their personal data really has been compromised. The actors pretend to hold this data to ransom, to be recovered only through a cryptocurrency payment. In our research, 792,000 sextortion attempts resulted in a total of $332,000 being paid – not extremely successful, but still a way for criminals to make some money from exposed data.
Figure 4: The Photon Research Team found a large volume of sextortion email campaigns that were hitting people’s inboxes
Credential stuffing is another way the exposed data is re-used. Threat actors take bulk lists of these username and password pairs and automate login attempts with them against other sites, betting that people reuse passwords across services; unlike a brute-force attack, every attempt uses a credential already known to be valid somewhere. Some cybercriminals also sell pre-configured bots that completely automate this process, so even the least sophisticated actors can pose a threat.
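The signature of credential stuffing on the defender’s side is one source cycling through many different usernames in a short window with a low success rate. The following detector, an added example that is not part of the original post, applies that rule over a constructed authentication log (the log format, the source addresses, and the thresholds are all assumptions chosen for illustration; tune the thresholds to your own traffic):

```python
"""Flag credential-stuffing activity in an authentication log.

Added example, not from the original post. The log format below
(timestamp, source IP, username, result) is a constructed one, as are
the thresholds; adjust them to the login volume you actually see.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 cycles through a dozen accounts
# with one hit (grace reused a breached password); 198.51.100.22 is a
# real user mistyping a password twice; 198.51.100.40 logs in normally.
SAMPLE_LOG = """\
2019-06-03T10:00:01Z 203.0.113.7 alice FAIL
2019-06-03T10:00:02Z 203.0.113.7 bob FAIL
2019-06-03T10:00:02Z 198.51.100.22 carol FAIL
2019-06-03T10:00:03Z 203.0.113.7 chuck FAIL
2019-06-03T10:00:04Z 203.0.113.7 dave FAIL
2019-06-03T10:00:05Z 203.0.113.7 erin FAIL
2019-06-03T10:00:06Z 198.51.100.22 carol OK
2019-06-03T10:00:06Z 203.0.113.7 frank FAIL
2019-06-03T10:00:07Z 203.0.113.7 grace OK
2019-06-03T10:00:08Z 203.0.113.7 heidi FAIL
2019-06-03T10:00:09Z 203.0.113.7 ivan FAIL
2019-06-03T10:00:10Z 203.0.113.7 judy FAIL
2019-06-03T10:00:11Z 203.0.113.7 mallory FAIL
2019-06-03T10:00:12Z 203.0.113.7 oscar FAIL
2019-06-03T10:01:30Z 198.51.100.40 peggy OK
"""

# Assumed thresholds: at least MIN_ATTEMPTS logins from one IP inside
# WINDOW, spread over at least MIN_DISTINCT_USERS accounts, with a
# success ratio no higher than MAX_SUCCESS_RATIO.
WINDOW = timedelta(minutes=5)
MIN_ATTEMPTS = 10
MIN_DISTINCT_USERS = 8
MAX_SUCCESS_RATIO = 0.2


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=WINDOW, min_attempts=MIN_ATTEMPTS,
                    min_users=MIN_DISTINCT_USERS, max_success=MAX_SUCCESS_RATIO):
    """Return {source_ip: stats} for sources whose login pattern looks like stuffing.

    For each source IP a sliding time window is moved over its attempts;
    the largest window that trips all three thresholds is reported.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {e[2] for e in win}
            successes = sum(1 for e in win if e[3])
            if len(users) >= min_users and successes / len(win) <= max_success:
                stats = {"attempts": len(win), "distinct_users": len(users),
                         "successes": successes}
                if best is None or stats["attempts"] > best["attempts"]:
                    best = stats
        if best:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

The successful login for `grace` is the one that matters operationally: a stuffing alert should trigger a forced password reset and session revocation for any account that succeeded inside the flagged window, not just a block on the source address, because the attacker already holds a working credential for it.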
Mitigation Options – How You Can Fix It
There are several options you can use to prevent these attacks, ranging in difficulty of implementation.
Have I Been Pwned is an easy way to detect exposed employee credentials in public breaches. On top of this, advanced Google searches and Google Alerts are simple ways to monitor for your data turning up in search results.
Some moderately difficult ways to monitor for exposure include infrastructure scanning tools such as Shodan and Censys. Likewise, dnstwist or URLCrazy can generate the domain permutations threat actors could use for phishing sites, and URLhaus has data on domains that have been detected as part of spam or other fraudulent campaigns. For spoof social media accounts, the Twitter API can help you find and report brand impersonation and keep customer trust strong.
Exposed data is a lucrative trade for cybercriminals because it can be a key item in an attacker’s arsenal. Security practitioners keep repeating the same advice: take control of your data. Protecting your data in the digital age can be expensive, time-consuming, and difficult – but it doesn’t have to be. There are practical steps you can take to monitor your digital footprint, secure your assets, and properly realise the benefits of digital transformation.
To learn more about the lifecycle of exposed data, register for our upcoming webinar “Harnessing Exposed Data to Enhance Cyber Intelligence”.