Paying the Price: What’s Your Data Worth on the Dark Web?

Cybercriminals make billions of dollars every year by exploiting unassuming internet users and unsecure systems and applications. As the global shift toward remote work due to COVID-19 continues, IntSights researchers have observed an increase in cybercrime activity in dark web forums. Ransomware gangs are selling encrypted company data, fraudsters are conducting account takeovers (ATOs), hackers are running successful unemployment assistance scams, and credit cards are flying off the shelves of online black markets.

Organizations around the world are grappling with the reality that their networks, employees, collaboration tools, and customers are not as secure as they should be, and they are leaking data out through various vulnerabilities. Business leaders want to know how much their data is worth to criminals and how much it will cost them to recover from incidents of data leakage and ransomware attacks.

IntSights researchers surveyed the most popular and exclusive illicit forums, marketplaces, and private messaging channels across the clear, deep, and dark web with the goal of determining how much different types of data are worth. What we found: cybercriminals are selling more types of credentials and network access, the data is sold in bulk or individually through direct sales or auctions, and more collaboration and services are available now than we have seen before.

The Value of Data Is Subjective

Data is the most valuable asset in the world right now – but your data is worth less to threat actors than it is to you. Hackers steal massive treasure troves of data that, individually, are worth very little to them. The goal is to sell this stolen data to other cybercriminals at a profit that allows them to justify their efforts. Businesses incur billions of dollars of losses each year due to data breaches and stolen credentials, whether it be due to loss of revenue, damage to brand reputation, or penalties administered by regulatory authorities.

Consumers might be surprised to learn that an American Social Security Number (SSN) is worth less than $5 to cybercriminals. But hackers can use that SSN for a number of malicious purposes. They can apply for a home or auto loan, open a new credit card, open a bank account, or even gain access to existing personal accounts.

Jurisdiction and The Value of Data

With the evolution of various data protection laws, global data transfer agreements, and current data exploit threats, the value of data as a commodity is changing rapidly. As data privacy laws and amendments are introduced, the price of business data evolves, especially factoring in the way the data is used. If it is stored only in long-term offline storage, for example, as opposed to online and actively transacted and processed, its value can vary greatly. The rapid increase in international data transfers has also had a profound effect on data’s value for cybercrime. As international agreements are changed, adjusted, or nullified, there is a measurable liability shift to the related data that is the subject of such transfers or exchanges. These changes can trigger new risks associated with data usage and transfer, which have a direct connection to data exploit threats and cybercrime targeting and motivation.

The Cost of Different Data Types

IntSights researchers aggregated prices for various data products, intellectual property, and proprietary data in multiple sources. The estimated value of each record was based on the average price of a listing across multiple forums, marketplaces, and sale posts on various criminal source sites. Additional statistics related to these findings were sourced from the IntSights Threat Command module. These prices are in US dollars.

$0-$5

This might be surprising, but there are “freebies” in the criminal underground. Some forums have threads dedicated to sharing stolen credit card numbers as well as personal information for free. However, “fresh” data (data that has not been used for fraud or flagged as stolen) does come with a price. In this category, we find information such as Social Security Numbers and date of birth records that can be used for a number of different fraudulent schemes. “Fullz”, which are full packages of victims’ personally identifiable information (PII), are often available in this price range. Criminals also sell SOCKS5 proxies, which allow them to anonymize internet traffic. A somewhat nontraditional service offered in this price range is social media followers and likes, as well as adding subscribers to social media profiles and instant messaging channels. This is also the price category for stolen social media accounts.

Figure 1: Stolen credit card numbers and personal information shared for free

Figure 2: A threat actor sells “fullz” including bank account numbers and SSNs

Figure 3: Facebook accounts for sale for various global entities

Figure 4: A threat actor sells social media followers at a rate of $10 per million

$5-$20

While some of the offerings from the $0-$5 category appear here as well (depending on the quality of the data or its “freshness”), in this price category we find high-quality stolen credit card data as well as fake ID scans and fake utility bill scans. These can all be used for financial fraud, new account fraud, and account takeover fraud. This is also the price range for identity markets that sell access to infected devices and, similarly, the going price for RDP and VNC access. Some hacked retail accounts are also sold in this price range, although the price can go up quickly depending on the merchant and cash-out options.

Figure 5: A Russian threat actor sells RDP/VNC access for $10-$20

Figure 7: Utility bills for residents of various countries around the world for sale

Figure 8: Fake ID templates and scans for sale on a black market

Figure 6: Access to Spotify accounts, VPNs, and retail rewards accounts offered between $2 and $22

$20-$100

This price category is the broadest one, as it includes many “high-end” products from lower-price categories in addition to products and services that have been around for years. Different types of fullz can be found in this price range, as well as compromised bank accounts and payment services. In addition, this price range includes tools such as phishing kits and DDoS services, configuration files for credential dumping and brute force, as well as courses and tutorials.

Figure 9: A Russian cybercriminal sells compromised bank accounts with varying balances

Figure 10: A threat actor offers DDoS services for sale with the promise of eliminating a competitor’s website

Figure 11: Phishing kits for sale on a cybercrime forum

Figure 12: A threat actor seeks to purchase stock-trading and brokerage accounts

$100-$1000

Two things that stand out in this price category are services and bulk databases of credentials. Botnets for hire can be found across different prices in this range, as well as bulletproof hosting services and spam services. Here you will also find corporate databases and access to ecommerce sites.

Figure 13: Botnets designed to collect passwords, cookies, and more for sale

Figure 14: Scammer software for sale with terms of service similar to a legitimate vendor

Figure 15: Corporate databases listed for sale, with the caveat that the seller is still checking their validity

Figure 16: Access to an Indian ecommerce website for sale

Figure 17: “Abuse-resistant” hosting servers for sale

Figure 18: Specs of hosting servers for sale

$1000+

The top tier of price categories starts at $1000 but can go as high as six figures (or even seven figures if you are a ransomware victim). Domain controllers, exploits, exclusive databases, insider information trading, and more can be found in this price range.

Figure 19: Domain admins for sale

Figure 20: A threat actor selling a vulnerability that offers access to a bank via arbitrary code execution (RCE)

Figure 21: A massive dump of over 20,000 US bank account numbers and PII for sale

Figure 22: Israeli domain admin listed for sale

It is also worth noting that some services are not sold for a fixed amount but rather for percentages of the total revenue. These include money mules, ransomware as a service (RaaS), and escrow services.

Figure 23: Ransomware services offered for sale based on a percentage of revenue generated by the buyer

Figure 24: Guarantor services requested, offering to pay commission

Locking Down Your Data With Cyber Threat Intelligence

For most businesses, it’s only a matter of time before their data is exposed in some way, shape, or form. Once cybercriminals have their hands on sensitive corporate data or intellectual property, there is only so much security teams can do to mitigate the damage. The best way to protect your network – and your organization’s entire workforce – is to proactively identify, validate, and take down threats as they emerge at the source. Security teams can leverage Cyber Threat Intelligence (CTI) solutions to save their companies millions of dollars in potential losses, ransom fees, and regulatory penalties incurred when suffering a data breach or cyberattack.

Here’s how the IntSights External Threat Protection (ETP) Suite enables organizations to stay one step ahead of hackers looking to infiltrate their networks:

1. Continuous Monitoring of Digital Assets: IntSights continuously monitors and collects threat data related to the organization’s digital assets from a broad range of sources across the clear, deep, and dark web. We synthesize and analyze the collected data and organize it into meaningful intelligence for security teams to review.

2. Actionable Intelligence Alerts: Many CTI solutions provide never-ending alert feeds that prioritize quantity over quality. Our approach is the reverse; we send alerts for validated threats against the organization that require action.

3. Automatic Credential Lockdown: A key component of our continuous monitoring capabilities is leaked credential discovery and lockdown. Our extensive leaked credential database, automated mitigation capabilities, and unique integration with Microsoft Azure Active Directory enable users to quickly take action when credentials are exposed.

4. One-Click Remediation: Coordinated efforts can mitigate the risk of leaked or stolen digital assets. Our one-click remediation leverages a robust ecosystem of technology integrations, equipping security teams with the tools they need to effectively stop emerging threats at the source before they become full-fledged cyberattacks.

About IntSights

IntSights simplifies threat intelligence with the most comprehensive, flexible, and contextualized solutions on the market. The IntSights External Threat Protection (ETP) Suite monitors thousands of sources across the clear, deep, and dark web to identify threats that directly target an organization’s unique digital footprint. The ETP Suite enables security teams to rapidly operationalize intelligence by delivering information when and where they need it – all within an intuitive interface. Frictionless integration of our real-time cyber threat intelligence with existing security infrastructure allows enterprises to maximize return on investment. IntSights has offices in Amsterdam, Boston, Dallas, New York, Singapore, Tel Aviv, and Tokyo. To learn more, visit: intsights.com or connect with us on LinkedIn, Twitter, and Facebook.

To see the IntSights External Threat Protection Suite of solutions in action, schedule a demo today.

Visit: Intsights.com Call: +1 (800) 532-4671 Email: [email protected]
