Paying the Price: What’s Your Data Worth on the Dark Web?
October 2020 by IntSights
Cybercriminals make billions of dollars every year by exploiting unsuspecting internet users and insecure systems and applications. As the global shift toward remote work due to COVID-19 continues, IntSights researchers have observed an increase in cybercrime activity in dark web forums. Ransomware gangs are selling encrypted company data, fraudsters are conducting account takeovers (ATOs), hackers are running successful unemployment assistance scams, and credit cards are flying off the shelves of online black markets.
Organizations around the world are grappling with the reality that their networks, employees, collaboration tools, and customers are not as secure as they should be, and they are leaking data out through various vulnerabilities. Business leaders want to know how much their data is worth to criminals and how much it will cost them to recover from incidents of data leakage and ransomware attacks.
IntSights researchers surveyed the most popular and exclusive illicit forums, marketplaces, and private messaging channels across the clear, deep, and dark web with the goal of determining how much different types of data are worth. What we found: cybercriminals are selling more types of credentials and network access than before, the data is sold in bulk or individually through direct sales or auctions, and more collaboration and services are available now than we have seen before.
The Value of Data Is Subjective
Data is the most valuable asset in the world right now – but your data is worth less to threat actors than it is to you. Hackers steal massive treasure troves of data that, individually, are worth very little to them. The goal is to sell this stolen data to other cybercriminals at a profit that allows them to justify their efforts. Businesses incur billions of dollars of losses each year due to data breaches and stolen credentials, whether it be due to loss of revenue, damage to brand reputation, or penalties administered by regulatory authorities.
Consumers might be surprised to learn that an American Social Security Number (SSN) is worth less than $5 to cybercriminals. But hackers can use that SSN for a number of malicious purposes. They can apply for a home or auto loan, open a new credit card, open a bank account, or even gain access to existing personal accounts.
Jurisdiction and the Value of Data
With the evolution of data protection laws, global data transfer agreements, and the current threat of data exploitation, the value of data as a commodity is changing rapidly. As data privacy laws and amendments are introduced, the price of business data evolves, especially when the way the data is used is factored in. Data held only in long-term offline storage, for example, is valued very differently from data that is online and actively transacted and processed.
The rapid increase in international data transfers has also had a profound effect on the value of data to cybercriminals. As international agreements are changed, adjusted, or nullified, there is a measurable shift in liability for the data that is the subject of such transfers or exchanges. These changes create new risks around how data is used and transferred, and those risks feed directly into the threat of data exploitation and into how cybercriminals choose and prioritize their targets.
The Cost of Different Data Types
IntSights researchers aggregated prices for various data products, intellectual property, and proprietary data from multiple sources. The estimated value of each record was based on the average price of a listing across multiple forums, marketplaces, and sale posts on various criminal sites. Additional statistics related to these findings were sourced from the IntSights Threat Command module. All prices are in US dollars.
This might be surprising, but there are “freebies” in the criminal underground. Some forums have threads dedicated to sharing stolen credit card numbers as well as personal information for free. However, “fresh” data (data that has not yet been used for fraud or flagged as stolen) does come with a price. In this category, we find information such as Social Security Numbers and dates of birth that can be used for a number of different fraudulent schemes. “Fullz”, which are full packages of a victim’s personally identifiable information (PII), are often available in this price range. Criminals also sell SOCKS5 proxies, which allow them to anonymize internet traffic. A somewhat nontraditional service offered in this price range is social media followers and likes, as well as adding subscribers to social media profiles and instant messaging channels. This is also the price category for stolen social media accounts.
While some of the offerings from the $0-$5 category appear here as well (depending on the quality of the data or its “freshness”), in this price category we find high-quality stolen credit card data as well as fake ID scans and fake utility bill scans. These can all be used for financial fraud, new account fraud, and account takeover fraud. This is also the price range for identity markets that sell access to infected devices and, similarly, the going price for RDP and VNC access. Some hacked retail accounts are also sold in this price range, although the price can go up quickly depending on the merchant and the cash-out options.
This price category is the broadest one, as it includes many “high-end” products from the lower price categories in addition to products and services that have been around for years. Different types of fullz can be found in this price range, as well as compromised bank accounts and payment service accounts. In addition, this price range includes tools such as phishing kits and DDoS services, configuration files for credential dumping and brute-force attacks, as well as courses and tutorials.
Two things that stand out in this price category are services and bulk databases of credentials. Botnets for hire can be found at different prices in this range, as well as bulletproof hosting services and spam services. Here you will also find corporate databases and access to ecommerce sites.
The top tier of price categories starts at $1000 but can go as high as six figures (or even seven figures if you are a ransomware victim). Domain controller access, exploits, exclusive databases, insider information trading, and more can be found in this price range.
It is also worth noting that some services are not sold for a fixed amount but rather for a percentage of the total proceeds. These include money mules, ransomware as a service (RaaS), and escrow services.
Locking Down Your Data With Cyber Threat Intelligence
For most businesses, it’s only a matter of time before their data is exposed in some way, shape, or form. Once cybercriminals have their hands on sensitive corporate data or intellectual property, there is only so much security teams can do to mitigate the damage. The best way to protect your network – and your organization’s entire workforce – is to proactively identify, validate, and take down threats as they emerge at the source. Security teams can leverage Cyber Threat Intelligence (CTI) solutions to save their companies millions of dollars in potential losses, ransom payments, and regulatory penalties incurred when suffering a data breach or cyberattack.
Here’s how the IntSights External Threat Protection (ETP) Suite enables organizations to stay one step ahead of hackers looking to infiltrate their networks:
1. Continuous Monitoring of Digital Assets: IntSights continuously monitors and collects threat data related to the organization’s digital assets from a broad range of sources across the clear, deep, and dark web. We synthesize and analyze the collected data and organize it into meaningful intelligence for security teams to review.
2. Actionable Intelligence Alerts: Many CTI solutions provide never-ending alert feeds that prioritize quantity over quality. Our approach is the reverse: we send alerts only for validated threats against the organization that require action.
3. Automatic Credential Lockdown: A key component of our continuous monitoring capabilities is leaked credential discovery and lockdown. Our extensive leaked credential database, automated mitigation capabilities, and unique integration with Microsoft Azure Active Directory enable users to quickly take action when credentials are exposed.
4. One-Click Remediation: Coordinated efforts can mitigate the risk of leaked or stolen digital assets. Our one-click remediation leverages a robust ecosystem of technology integrations, equipping security teams with the tools they need to effectively stop emerging threats at the source before they become full-fledged cyberattacks.