One leaked credential is all it can take for a swarm of cyberattackers to grab and exploit such data on the Dark Web in a matter of days, researchers have found.
The Dark Web is a fraction of space in the Deep Web, an area of the Internet which is hidden by today's search engines. This area is most commonly associated with the illegal trade of items including drugs and weaponry, it also hosts forums in which cyberattackers leak data and sell information stolen in data breaches.
On Wednesday, cloud security firm Bitglass unveiled the results of the company's second "Where's Your Data" experiment, a yearly exploration of the state of the Dark Web -- and where stolen data goes.
Under the name "Project Cumulus," the security team created an online persona for an imaginary employee of a fictitious bank, and then pretended the employee's Google Drive credentials had been stolen via a phishing campaign.
These dummy credentials were then leaked into the Dark Web, complete with a fake Google Drive account containing fake bank data, credit card numbers and work products.
However, the team also embedded these files with Bitglass watermarks -- which brands files with invisible watermarks that "ping" the firm with geolocation data such as IP and country -- which allowed the team to track when a file was opened or a login attempt and download took place.
In last years' report, Bitglass discovered that within a few days of a data leak, stolen documents were able to rapidly spread across the Dark Web. After crafting an excel worksheet comprising of 1,568 fake employee credentials, the company were able to track the spread of the file across over 20 countries and multiple continents.
In this year's experiment, the researchers noticed an "immediate spike in activity" once the dummy files were leaked. In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal.
Out of the visits that were trackable, one in ten people attempted to log in to Google services using credentials from the fake file. In total, 94 percent of those who accessed the Google Drive account then uncovered the fake bank details contained within and chose to try their luck by visiting the bank portal.
Within the first 24 hours, there were, at least, five attempted bank portal logins.
In addition, 12 percent of visitors who accessed Google Drive attempted to download files with sensitive content, and several were able to crack the encryption placed on files after download.
The latest study revealed that those wandering the Dark Web who downloaded the tracked files came from over 30 countries across six continents. Those who decided to visit the fake bank Web portal -- without the anonymity of Tor -- mainly came from Russia (36 percent), as well as the US (16 percent), China (3.5 percent) and lastly Japan (2 percent).
The researchers note that in the first experiment, few cyberattackers bothered to cover their tracks using methods such as the Tor network. However, governments worldwide are now taking note of digital attacks -- considering the rise of high-profile data breaches and hacktivism -- and so are attempting to catch up and crack down on cybercriminals.
There is now an uptick in people using the deeper recesses of the Internet in tandem with surveillance-thwarting software such as Tor, VPNs and Tails -- with 68 percent of all visitors to this experiment's fake files coming from Tor -- and so the research team acknowledge this makes exact geolocation statistics difficult to establish.
Still, when a data breach occurs, it is not a one-time event. Information which is leaked online never truly vanishes, and not only this, but such data can spread to almost every country in the world in a short amount of time.
Nat Kausik, CEO of Bitglass commented:
"Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data. Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data."