Almost half of the listings on the most popular underground marketplaces are guides on how to commit fraud, as aspiring cyber criminals look to find out how to conduct business email compromise and other online scams. But there's a twist – many of the how-to guides are useless fakes.
Cybersecurity researchers at Terbium Labs examined listings on three major dark web exchanges and found that 49% of all data being sold consisted of how-to guides for online fraud. In many cases, the guides explain how to do this against specific organisations, particularly those in the financial sector.
Stolen personal data accounted for only 15% of listings, with non-financial accounts and credentials (12.2%), financial accounts and credentials (8.2%), fraud tools and templates (8%) and payment cards (7%) accounting for the rest. The average price for a single personal record was $8.45, although the cost can drop as low as $1.00.
Credentials available for sale on the sites included usernames and passwords for services ranging from email accounts to streaming services and even food delivery accounts.
The average price for this data is $7 – although in some cases it reaches triple figures – and leaked usernames and passwords, linked to other personal details, can provide attackers with a means of compromising the victim's other accounts – potentially even their corporate ones.
Credentials for financial accounts listed on the dark web potentially provide cyber criminals with direct access to bank, payment card and PayPal accounts that have been compromised – and direct access to the funds within. Attackers can either simply steal this money, or alternatively, use the card details to make purchases for themselves, or even set up loans.
The potential for this data to prove lucrative means that these accounts command a higher sum than others, with listings in this category selling for an average of $33, but sometimes they can be listed for as high as $500.
Buying guides on how to commit fraud isn't risk-free because some are fraudulent themselves, providing readers with no useful information – and it's not as if the buyer can demand their money back.
"Ironically, many fraud guides are themselves fraudulent. Bad actors create fake guides, and try to make a profit selling them before buyers catch on," said Tyler Carbone, chief strategy officer at Terbium Labs.
By being aware of data breaches and other incidents where credentials might be leaked, organisations can reduce the potential of falling victim to any sort of attack or fraud.
"You can dramatically reduce your exposure if you understand early that data is exposed, and what data is exposed, because you can cut short those cycles where criminals use exposed data to defraud your organisation," he added.
There are also policies that organisations can employ to help prevent attackers using stolen data to compromise accounts.
These include encouraging employees not to use passwords they may have used elsewhere and to employ multi-factor authentication on business accounts, so even if an attacker knows the correct password, the chances of them being able to use it successfully are heavily reduced.