[BreachExchange] Buying and selling hacked passwords: How does it work?

[Audrey McNeil]

https://theconversation.com/buying-and-selling-hacked-passwords-how-does-it-work-60894

Data breaches are a regular part of the cyberthreat landscape. They
generate a great deal of media attention, both because the quantity of
information stolen is often large, and because so much of it is data people
would prefer remained private. Dozens of high-profile breaches over the
last few years have targeted national retailers, health care providers and
even databases of the federal government, getting Social Security numbers,
fingerprints and even background-check results. Though breaches affecting
consumer data have become commonplace, there are other resources that, when
targeted, lead to major security concerns. Recently, a hacker claimed to be
selling over 32 million Twitter usernames and passwords on an underground
marketplace.

But what happens after a breach? What does an attacker do with the
information collected? And who wants it, anyway? My research, and various
studies from other computer and social scientists, demonstrates that stolen
data is usually sold by hackers to others in underground markets online.
Sellers typically use their technical prowess to collect desirable
information, or work on behalf of hackers as a front man to offer
information. Buyers want to use stolen information to its maximum financial
advantage, including buying goods with stolen credit card numbers or
engaging in money transfers to directly acquire cash. In the case of social
media account data, buyers could hold people’s internet accounts for
ransom, use the data to craft more targeted attacks on victims, or as fake
followers that pad legitimate accounts' reputations.

Because of the clandestine nature of the online black market, the total
number of completed sales of stolen information is hard to quantify. Most
sellers advertise their data and services in web forums that operate like
any other online retailer like Amazon, where buyers and sellers rate each
other and the quality of their products – personal information – being
sold. Recently, my colleagues and I estimated the income of data buyers and
sellers using online feedback posted after sales were completed. We
examined feedback on transactions involving credit and debit card
information, some of which also included the three-digit Card Verification
Value on the back of a physical card.

We found that data sellers in 320 transactions may have earned between US$1
million and $2 million. Similarly, buyers in 141 of these transactions
earned an estimated $1.7 million and $3.4 million through the use of the
information they purchased. These massive profits are likely a key reason
these data breaches continue. There is a clear demand for personal
information that can be used to facilitate cybercrime, and a robust supply
of sources.

Getting to the market

Clandestine data markets are, it turns out, very similar to legal online
markets like eBay and Amazon, and shopping sites run by legitimate retail
companies. They differ in the ways the markets are advertised or hidden
from the general public, the technical proficiency of the operators, and
the ways that payments are sent and received.

Most of these markets operate on the so-called “open” web, on sites
accessible like most websites, with conventional web browser software like
Chrome or Firefox. They sell sell credit and debit card account numbers, as
well as other forms of data including medical information.

A small but emerging number of markets operate on another portion of the
internet called the “dark web.” These sites are only accessible by using
specialized encryption software and browser protocols that hide the
location of users who participate in these sites, such as the free Tor
service. It is unclear how many of these dark markets exist, though it is
possible Tor-based services will become more common as other underground
markets use this platform.

Connecting buyers and sellers

Data sellers post information about what type of data they have, how much
of it, pricing, the best way for a prospective buyer to contact them and
their preferred method of payment. Sellers accept online payments through
various electronic mechanisms, including Web Money, Yandex and Bitcoin.
Some sellers even accept real-world payments via Western Union and
MoneyGram, but they often charge additional fees to cover the costs of
using intermediaries to transfer and receive hard currency internationally.

Most negotiations for data take place via either online chat or an email
account designated by the seller. Once buyer and seller agree on a deal,
the buyer pays the seller up front and must then await delivery of product.
It takes between a few hours to a few days for a seller to release the data
sold.

Reviewing the transaction

If a buyer makes a deal but the seller never sends the data, or what
arrives includes inactive or inaccurate information, the buyer will not sue
for breach of contract or call the FBI to complain he got ripped off. The
illegal nature of the transaction renders the buyer largely powerless to
use traditional means of dispute resolution.

To rebalance this power, social forces come into play, maximizing rewards
for both buyers and sellers and minimizing the risk of loss. As in systems
from eBay to Lyft, buyers and sellers in many underground markets can
publicly review each other’s adherence to a negotiated deal. The parties
operate anonymously, but have usernames that stay the same from transaction
to transaction, building up their reputations in the marketplace over time.
Posting reviews and feedback about purchase and sale experiences promotes
trust and makes the marketplace more transparent. Feedback shows all users
who operates according to community norms, whose behavior is worrisome, and
which new users might not yet know all the rules.

This ability to post and review feedback presents an interesting avenue for
market disruption. If all sellers within a market were to be flooded with
negative and positive feedback, buyers would have trouble figuring out who
is trustworthy. Some computer scientists have suggested that approach could
disrupt the data market without the need for arrests and traditional law
enforcement methods. More research into how to curtail the market for
stolen data could investigate this and other potential strategies.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160623/c352dcbc/attachment.html>