Michael Kassner
The online black market is becoming a well-oiled and lucrative machine, thanks to the massive amount of stolen data flowing through the underground.
In any data breach, it’s particularly interesting to note the number of individuals whose personal information was compromised. Case in point, the title of Zack Whittaker’s June 9, 2016 article on TechRepublic sister site ZDNet: “A hacker claims to be selling millions of Twitter accounts.”
He writes, “A Russian seller, who goes by the name Tessa88, claimed in an encrypted chat on Tuesday to have obtained the database, which includes email addresses (and sometimes two per person), usernames, and plain-text passwords.”
As compelling as that is, Thomas J. Holt, an associate professor of criminal justice at Michigan State University, is far more curious about what happens to the stolen data after the breach occurs. Holt’s interest hearkens back to 2014 when he and fellow researchers made an intensive study of the underground path of stolen credit card information.
Holt recently decided to augment that information in his commentary on The Conversation titled “Buying and selling hacked passwords: How does it work?” “What happens after a breach?” asks Holt in the article. “What does an attacker do with the information collected? And who wants it, anyway?” He begins to answer these questions by saying that, more often than not, stolen data is sold via online black markets.
How the online black markets work
In what might be a surprise to some, Holt believes those selling stolen data use underground web forums remarkably similar to above-ground retailers like Amazon—buyers and sellers can even rate each other and review previous negotiations (more on this later). Holt points out some of the differences.
Digital location of the markets
Those interested in buying stolen data do so in one of two places. “Most of the black markets operate on the so-called ‘open’ web, on sites accessible like most websites, using conventional web browsers like Chrome or Firefox,” writes Holt. “They sell credit and debit card account numbers, as well as other forms of data including medical information.”
Holt continues, “A small but emerging number of markets operate on another portion of the internet called the ‘dark’ web. These sites are only accessible by using specialized encryption software and browser protocols that hide the location of users who participate in these sites, such as the free Tor service.”
How payments are sent and received
Due to the nature of the product, sellers make every effort to remain incognito when it comes to receiving payments. The internet has been a big help in this regard. “Sellers accept online payments through various electronic mechanisms, including Web Money, Yandex, and Bitcoin,” explains Holt. “Some sellers even accept real-world payments via Western Union and MoneyGram, but they often charge additional fees to cover the costs of using intermediaries to transfer and receive hard currency.”
Holt next mentions that payments are made up front, with the release of stolen data taking a few hours to a few days. Paying up front is why buyers want to know how the underground market rates the seller. If a deal goes wrong, it is doubtful either party will be calling the authorities.
“The parties operate anonymously, but have usernames that stay the same from transaction to transaction, building up their reputations in the marketplace over time,” adds Holt. “Posting reviews and feedback about purchase and sale experiences promotes trust and makes the marketplace more transparent.”
A lucrative business
Holt says those who buy stolen information on underground black markets try to make as much money as quickly as possible. The bad guys do that by:
Engaging in money transfers to acquire cash
Buying goods with stolen credit card numbers
Holding people’s internet accounts (i.e., social media logins) for ransom
Using the data to craft more targeted attacks on victims
Padding legitimate account reputations using fake followers
Holt estimates the criminal buyers were able to net between $1.7 million and $3.4 million USD from 141 purchases on underground markets. “These massive profits are likely a key reason these data breaches continue,” mentions Holt. “There is a clear demand for personal information that can be used to facilitate cybercrime and a robust supply of sources.”
A possible way to disrupt stolen data markets
Holt points out that if the rating systems could not be trusted, buyers would more than likely refrain from providing funds before receiving their purchase. “Some computer scientists have suggested the approach [rigging the rating system] could disrupt the data market without the need for arrests and traditional law enforcement methods,” explains Holt.
As to the success of the underground black markets, as Holt said earlier, they will continue to be successful as long as there are products to sell, and that seems assured with headlines like this from ZDNet: “LinkedIn user? Your data may be up for sale.”