The rate of cybercrime increased in the first half of 2020 due to the pandemic. According to the September 2020 Microsoft report on the increase in cyber threats, the total volume of cyber attacks rose by 35% compared with the second half of 2019. In addition, my firm’s 2020 Breach Report found more than 18 billion raw identity records being sold on the Dark Web, which cybercriminals can use to create digital profiles of businesses and individual citizens and to perform different types of identity-based attacks.

The average prices for various types of identity records differ depending on the type of account, region, etc. However, it was reported that a social security number was sold for around $67, a credit card was sold for around $41, a passport was sold for $53, a driving license for $48, and a tax ID for around $29.

There are millions of pages on the Internet, but roughly 90% of them are not indexed by search engines such as Google, Yahoo, and Bing, implying that only a small percentage of them is available via search engines. Deep Web and Dark Web refer to the areas of the Internet that aren’t searchable using traditional search engines, or to pages that aren’t indexed in any way.

Fig. – Surface Web, Deep Web, and Dark Web

Surface web: The surface web, sometimes known as the “Visible Web,” is a segment of the World Wide Web that is available to the general public and can be searched using standard web search engines.

Deep web: The Deep Web is part of the World Wide Web, but its content is not indexed by traditional search engines like Google and Yahoo. People use the Deep Web for purposes such as online banking, webmail, and on-demand paid services that are secured by a paywall, including online periodicals, on-demand video streaming, newspapers, etc.

You can access deep web information using a direct URL or IP address but it may require you to use a password or other security access in addition to what a public website page requires.

Dark web: The Dark Web is a layer of information and pages that can only be accessed via “overlay networks”, which run on top of the regular internet and hide access. Because much of the Dark Web is encrypted and most dark web pages are hosted anonymously, special software is needed to access it.

Fig. – Comparison of Surface Web, Deep Web, and Dark Web

 

What is the Dark Web?

The Dark Web is a part of the unexplored world of the Internet. It includes online content that is encrypted and not searchable by traditional search engines. It is a network of websites that users can access only via a specialized web browser. It helps them to keep their internet activity anonymous, which can be useful in both legal and unlawful situations.

Users must download dedicated onion-routing software such as Tor to access these dark web domains.

The term “Dark Web” is used for the Internet content that is encrypted (cannot be read by unintended people) and not indexed by conventional search engines. The dark web, like the early Internet, has a reputation for being a haven for criminal activities. The dark web helps users to express themselves freely while being anonymous.

 

Dark web tools and services

According to ‘Into the Web of Profit’ research, there are 12 types of dark web tools or services that potentially pose a danger of a network breach or data compromise:

  • Access like remote access Trojans (RATs), keyloggers, and exploits
  • Support services like tutorials
  • Espionage, including targeting, customization, and services
  • Credentials
  • Phishing
  • Customer data
  • Operational data
  • Financial data
  • Intellectual property/trade secrets
  • Other emerging threats
  • Infection or attacks, which include distributed denial of service (DDoS), malware, and botnets

Also, the report lists 3 risk variables for every category:

  • Devaluing the organization. This may include reputational damage, undermining brand trust, or losing ground to competitors.
  • Disrupting or damaging the organization. This may include DDoS attacks or some malware that disrupts business operations.
  • Defrauding the organization. This may include espionage or IP theft that creates financial loss or impairs the organization’s ability to compete with its competitors.

 

For sale on the dark web

The dark web has grown in popularity as a result of cryptocurrencies, particularly Bitcoin, which allow two parties to execute a secure transaction without knowing each other’s identity. Dark web commerce sites mostly use Bitcoin or one of its derivatives for transactions. This does not mean that it is safe to do business on the dark web. Scammers and criminals are drawn to the dark web because of its secrecy.

The elements of dark web commerce sites are similar to those of any e-commerce operation, such as ratings/reviews, shopping carts, and forums, as shown in the images below.

Salayers Assassination & life Runing Services

Image Source – https://www.nytimes.com/

Alphabay Market

Image Source: https://securelist.com/

Any rating system’s integrity is questioned when both buyers and vendors are anonymous. Ratings are easily manipulated, and even famous sellers have been known to vanish with their customers’ crypto-currencies, only to reappear later under a new alias.

Most e-commerce sites provide some form of escrow service, which holds consumer payments until the product is delivered. In the event of a dispute, though, it is really up to the buyer and seller to fight it out. Even completing a transaction does not guarantee that goods will be delivered. Most orders need to be shipped internationally (cross-border shipments) and customs officials stop these shipments considering them suspicious.

As in the real world, the price of stolen data depends on market changes. The following are the prices for data and services that cybercriminals have set for trade on the dark web, as reported by Privacy Affairs’ Dark Web Price Index 2021:

  • Cloned credit cards with their PIN: $25 to $35
  • Credit card details with the account balance up to $5,000: $240
  • Stolen online banking logins having a minimum of $2,000 in the account: $120
  • PayPal transfers from stolen/compromised accounts: $50 to $340
  • Hacked Coinbase verified account: $610
  • Compromised social media account: $1 to $60
  • Hacked Gmail account: $80
  • Hacked eBay account having good reputation: $1,000

 

Dark Web for Initial Access to Corporate Networks

Security researchers at Positive Technologies found that the 10 most popular Russian and English dark web forums offer access to business networks as well as advertisements for hiring hackers or hacking partners. More than eight million people have registered on the boards, over seven million threads have been initiated, and more than 80 million messages have been written.

For the past few years, the market for business network access has developed. The surge in ransomware attacks is one element that has contributed to this level of development.

The majority of the data was sold to carders, criminals who use bank cards without the owners’ permission. Cybercriminals used ransomware against specific users to track them down. When ransomware distributors gained access to a corporate network, they were able to quickly carry out an attack and collect a ransom and this sparked a pattern of leveraging initial access in attacks on corporate networks. The below figure shows the percentage of ransomware attacks out of all malware attacks on organizations.

percentage of ransomware attacks out of all malware attacks on organizations

Image Source – ptsecurity.com

As per the research, the number of new ads for access on dark web forums increased with each quarter. The majority of these were classified ads offering access to compromised business networks for sale. Researchers found 707 new ads for access in 2020. In comparison to the previous year, the number of new ads has surged sevenfold. In the first quarter of 2021 alone, 590 new offerings were discovered, as shown in the figure:

new offerings were discovered

Image Source – ptsecurity.com

The number of users posting ads to buy, sell, or collaborate on access is another indicator of interest in accessing corporate networks. In the first quarter of 2021, the number of such users had tripled over a year.

new offerings were discovered

Image Source – ptsecurity.com

On a quarterly basis, almost $600,000 worth of corporate network access is sold on the dark web. In general, the cost of access is determined by the following factors:

  1. The total number of computers that will be exposed
  2. Account permissions
  3. Size of the company, revenue, and other financial indicators of the business

Below are the sample images of dark web forum ads:

dark web forum ads for access to corporate networks

Image Source – ptsecurity.com

 

Can you find out if someone has sold access to your corporate network?

Yes. Credential compromise can be detected using various security solutions. Also, we at Infoshare-Varutra deal methodically with any form of Dark Web content by engaging a comprehensive risk prevention strategy. By monitoring the Dark Web using various technologies, we observe and collect data so that businesses can be proactive in their digital security. We regularly search places where information can be sold on the Dark Web, looking for information related to various organizations.

We provide the following services under Dark Web Analysis:

  • Detect data leakage, breaches, and illegal selling of data on the Dark Web, including TOR, I2P, ZeroNet, and paste sites.
  • Actionable attack intelligence
  • Trademark and copyright infringement
  • Data leaks through employees
  • Sensitive data exposed via unprotected file transfers
  • Detection of compromised employee accounts and enterprise servers
  • Company consumer data traded on the underground black market
  • Detection of stolen financial data (credit & debit cards, PayPal accounts, and other systems)
  • Detection of compromised devices & terminals (in real-time)

 

References:

https://www.helpnetsecurity.com/2021/07/29/dark-web-ads-offering-corporate-network-access/

https://www.techrepublic.com/article/how-the-dark-web-enables-access-to-corporate-networks/

https://www.massivealliance.com/insights/monitoring-dark-web/

 

Author,

Poornima Jambigi

Managed SOC Team,

Varutra Consulting Pvt. Ltd.