[BreachExchange] From the dark web to the 'open' web: What happens to stolen data

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 12 20:23:28 EDT 2016


http://www.techrepublic.com/article/from-the-dark-web-to-the-open-web-what-happens-to-stolen-data/

In any data breach, it's particularly interesting to note the number of
individuals whose personal information was compromised. Case in point, the
title of Zack Whittaker's June 9, 2016 article on TechRepublic sister site
ZDNet: "A hacker claims to be selling millions of Twitter accounts." He
writes, "A Russian seller, who goes by the name Tessa88, claimed in an
encrypted chat on Tuesday to have obtained the database, which includes
email addresses (and sometimes two per person), usernames, and plain-text
passwords."

As compelling as that is, Thomas J. Holt, an associate professor of
criminal justice at Michigan State University, is far more curious about
what happens to the stolen data after the breach occurs. Holt's interest
hearkens back to 2014 when he and fellow researchers made an intensive
study of the underground path of stolen credit card information.

Holt recently decided to augment that information in his commentary on The
Conversation titled "Buying and selling hacked passwords: How does it work?"
"What happens after a breach?" asks Holt in the article. "What does an
attacker do with the information collected? And who wants it, anyway?" He
begins to answer these questions by saying more often than not, stolen data
is sold via online black markets.

How the online black markets work

In what might be a surprise to some, Holt believes those selling stolen
data use underground web forums remarkably similar to above-ground
retailers like Amazon—buyers and sellers can even rate each other and
review previous negotiations (more on this later). Holt points out some of
the differences.

Digital location of the markets

As for those interested in buying stolen data, that happens in one of two
places. "Most of the black markets operate on the so-called 'open' web, on
sites accessible like most websites, using conventional web browsers like
Chrome or Firefox," writes Holt. "They sell credit and debit card account
numbers, as well as other forms of data including medical information."

Holt continues, "A small but emerging number of markets operate on another
portion of the internet called the 'dark' web. These sites are only
accessible by using specialized encryption software and browser protocols
that hide the location of users who participate in these sites, such as the
free Tor service."

How payments are sent and received

Due to the nature of the product, sellers make every effort to remain
incognito when it comes to receiving payments. The internet has been a big
help in this regard. "Sellers accept online payments through various
electronic mechanisms, including Web Money, Yandex, and Bitcoin," explains
Holt. "Some sellers even accept real-world payments via Western Union and
MoneyGram, but they often charge additional fees to cover the costs of
using intermediaries to transfer and receive hard currency."

Holt next mentions that payments are made up front, with the release of
stolen data taking a few hours to a few days. And, paying up front is why
buyers want to know how the underground market rates the seller. If a deal
goes wrong, it is doubtful either party will be calling the authorities.
"The parties operate anonymously, but have usernames that stay the same
from transaction to transaction, building up their reputations in the
marketplace over time," adds Holt. "Posting reviews and feedback about
purchase and sale experiences promotes trust and makes the marketplace more
transparent."

A lucrative business

Holt says those who buy stolen information on underground black markets try
to make as much money as quickly as possible. The bad guys do that by:

* Engaging in money transfers to acquire cash
* Buying goods with stolen credit card numbers
* Holding people's internet accounts (i.e., social media logins) for ransom
* Using the data to craft more targeted attacks on victims
* Padding legitimate account reputations using fake followers

Holt estimates the criminal buyers were able to net between $1.7 million
and $3.4 million USD from 141 purchases on underground markets. "These
massive profits are likely a key reason these data breaches continue,"
mentions Holt. "There is a clear demand for personal information that can
be used to facilitate cybercrime and a robust supply of sources."

A possible way to disrupt stolen data markets

Holt points out that if the rating systems could not be trusted, buyers
would more than likely refrain from providing funds before receiving their
purchase. "Some computer scientists have suggested the approach [rigging
the rating system] could disrupt the data market without the need for
arrests and traditional law enforcement methods," explains Holt.