Cyber-criminals boost sales through 'data laundering'

A security expert has warned that stolen data is being sold back into legitimate commercial channels.
Written by Rob O'Neill, Contributor

New and subtle business models are emerging for cybercriminals, boosting their sales of stolen data and offering new ways to inflict damage on target organisations.

Hackers are commercialising stolen data by selling it back to legitimate businesses, one security expert has warned.

There is a term for this: "Data laundering", which has been defined as "obscuring, removing, or fabricating the provenance of illegally obtained data such that it may be used for lawful purposes".

Much like money laundering, data laundering helps to both monetise and legitimise the proceeds of crime.

Andy Prow, chief executive of New Zealand-based Aura Information Security, said the development and how to combat it were the subject at a "closed-room" security conference in the US late last year.

As with other forms of data theft, data harvested from hacked databases is sold on darknet sites. However, instead of selling to identity thieves and fraudsters, data is sold into legitimate competitive intelligence and market research channels.

"It doesn't raise too many warnings," Prow said. The model both reduces the risks for hackers and increases the rewards.

Often, the organisation buying doesn't know the true source of the data, which is frequently made to look even more legitimate by anonymising individual customer information.

There is big demand for competitive data, especially among organisations not well placed to harvest their own, Prow said. In some cases, buyers don't ask too many questions about where data has come from.

"Customer activity is more farmable as an information source," Prow said. Transforming hacked data into a commercial asset is "the nature of a maturing industry".

Meanwhile, a warning has been issued about another kind of threat: the subtle alteration, rather than theft, of corporate information.

Speaking at a CFO conference last week in Auckland, Wynyard Group chief executive Craig Richardson asked, "What happens when you no longer trust an organisation's data?"

Identifying and rectifying data that has been changed is not easy, he said.

The aim of such an attack, possibly perpetrated by cybercriminal gangs for hire, is to destroy trust in an organisation or the system in which it works.

Richardson, whose company develops forensics software, said modern cybercrime is unsolvable.

"If you are connected to the internet, you are connected to the problem."

Traditional security can't protect against what he called "unknown unknown" attacks -- specifically, advanced persistent threats such as the planting of sophisticated malware, which, Richardson said, hides "both in data and in time".

It takes an average of more than 250 days in residence before such malware is activated and used, he said.

There isn't an organisation that Wynyard Group works with that isn't affected, he said. However, often the malware found is dormant or built to attack other types of systems than the ones it is found on.
