Companies are getting hacked on a regular basis these days. Sometimes that data ends up allegedly in the hands of the Chinese military, like it did with the Equifax hack. Sometimes the data is used by the entity that carried out the hack, like a ransomware attacker. But often it ends up for sale on the Dark Web.
Many have heard of the Dark Web, a mysterious online marketplace invisible to Google’s search engines where people buy and sell drugs, fraudulent info, and conduct other illegal affairs. But it’s often only passingly referred to, without examples of what it actually looks like. Because it’s unindexed by search engines and hidden, the Dark Web isn’t easy to access for most people.
Cybersecurity firm Sixgill, which found that stolen credit card info has skyrocketed on the Dark Web recently, shared images of the marketplace with Yahoo Finance, showing listings for tools that carry out scams on consumers and data dumps for sale.
Physical hacking tools and compromised data
Sixgill highlighted two devices for sale on the Dark Web, an EMV chip card skimmer and a skimming device to steal credit card information from a gas pump. The “all kind” fuel pump skimmer connects to the pump’s power and can “operate indefinitely,” the post brags.
Besides devices that skim people’s data, there’s a lot of data already hacked and ready for use. There’s a trove of data of “bank employees” from a Russian hacker, and a database for sale containing emails from “various staff” at one university.
This type of information is really useful because it can help facilitate future attacks, according to a Sixgill analyst who requested anonymity due to the nature of his work researching criminals and criminal activity. If a hacker can find out who a certain company’s leaders are, they can better target that leadership and get into someone’s Gmail. Once the Gmail account is breached, hackers can figure out which bank the person uses and then deploy automated scripts to test logins and gain access.
Oftentimes, threat actors will use the Dark Web to find people to work with. In one post, someone is looking for a person with experience in “CEO fraud.” In another, an insider at a Spanish bank asks to be pinged on Telegram, a cloud-based instant messaging service.
Going after a CEO also has advantages, according to Sixgill, because an imitated email from the top means people will often click on it or respond quickly and reflexively.
The Dark Web isn’t one place, but a wide array of regular websites and remote corners of legitimate platforms — Telegram, instant messaging service Tencent QQ, and Discord (a messaging site designed for the video game community). Some of it is like Amazon, but some of it is much more casual.
Legitimate sites like these often take immediate action against posts if they’re discovered or reported. Discord told Yahoo Finance a post like this would be immediately removed, citing community guidelines.
Telegram says in its FAQ that it actively works to combat ISIS and terrorism posts, but that chats and group chats are private and therefore requests to remove them will not be processed. However, there is an anti-scam reporting system in place, as well as an abuse email account. Telegram and QQ didn’t respond to questions from Yahoo Finance.
Sixgill’s platform identified a bunch of listings on a wide array of services. Here’s a post from Discord servers showing how payments happen and how more information makes a listing more valuable. For this post selling a German credit card, the bank information adds $40 worth of value.
According to Sixgill, card info has a wide variety of values. Sometimes they are $5 and sometimes into the hundreds, depending on the origin of the cards and whether they have CVV/CVV2 information — those security numbers on the back of the card — and ZIP codes.
“The idea is a threat actor can take that info and clone a card, creating actual plastic, where they’ll go in store to use it,” the Sixgill analyst said. “Then there is the other way: with CVV and CVV2 info where that’s used for online purchases. That creates another layer of anonymity for threat actors.”
This post from a Telegram group highlights the fact that fresh cards are much more valuable, since people and banks will try to stop fraud quickly. Canadian and British cards are more valuable than American cards, because the limits are generally higher.
This is a post from QQ, a Chinese messaging app. It is selling CVV data for a few Chinese banks, but also banking trojan malware.
A recent Sixgill report noticed that Russian cards are “exceptionally underrepresented, despite Russian speakers’ prominent role in the underground community.” In fact, some Russian threat actors specifically say the tools can’t be used in Russia. Sixgill said that is likely because law enforcement cares less if criminals target other countries.
A big takeaway from the experts from Sixgill is that the Dark Web is changing. Non-traditional platforms have become a key part of trying to avoid law enforcement, which means that a year from now data dumps may look different or be on completely new platforms. This business is lucrative — and scammers are motivated.