We will illuminate the market for stolen data, providing an overview of the “data black market” and what’s for sale in the underground marketplaces where personal information is commoditized and traded. Reviewing this allows us to provide relevant information that will allow readers to prioritize their defense strategies.
A Quick Word on Infostealers
As the original source of stolen data, infostealers are an important piece of the data black market puzzle.
Infostealer malware is a type of malicious software that cybercriminals use to extract sensitive information from a victim’s computer or mobile device. They are specifically designed to steal data, such as credentials, credit card and financial information, and other critical information, that can later be used for other fraudulent activities. This data, which can be stolen from the browser’s saved passwords or from browser cookies, could allow the criminal to bypass multiple factor authentication (MFA), which is very valuable to an attacker. However, this value is time-sensitive; it’s only good based on how long a session remains open with each affected account.
Infostealers continue to be a prominent threat because of the increasing value of stolen data on the black market. Cybercriminals sell stolen data on the dark web, a hidden part of the internet where illegal activities often take place, in various forms, including complete databases or individual records, such as social security and credit card numbers.
Furthermore, the value of individual stolen data varies depending on its type, quality, and availability. For example, credentials for a bank account with a high balance will be much more valuable than those for a social media account. The more data available about an individual, the more valuable and susceptible to fraudulent activities it becomes.
It’s essential for individuals and businesses alike to understand the market for stolen data. This will allow them to take the necessary precautions to safeguard themselves against data breaches and to implement strong security measures to protect their sensitive information.
Marketplace Data Availability
To understand how information gathered by infostealers is put up for sale on the underground market, we accessed two individual marketplaces that are known to sell data dumps from infostealers. We chose “Russian Market” and “2easy.shop” because of their popularity among criminals, the vast amount of stolen data they have for sale, and functional similarities across the two marketplaces: Users can browse, search, and buy stolen data dumps such as the following:
- Web credentials. The most organized dataset indexed by both sites. A potential buyer can search for dumps containing credentials for a specific website in a specific country.
- Crypto wallets. These can be searched via Russian Market's search bar, using a simple keyword search. However, the data needs to be further inspected.
- Microsoft Outlook domain credentials. Russian Market also features a specific search box for Outlook domain credentials, making mail credentials somewhat easier to find and buy.
- Other data. These cannot be specifically searched or filtered but can be inspected in a specific dump by opening the archive.zip file available on each log for sale. This can be done in both marketplaces.
- We assigned a score of 3 to data that we deemed very easy to find in marketplaces, such as web credentials.
- We then assigned a score of 2 to data that is still searchable, albeit with fewer search options. These would be crypto wallets, which are still searchable on Russian Market via a keyword search and can be filtered by country of origin.
- A score of 1 was assigned to any other piece of data that is part of the sale package, is visible on the website, but is not searchable.
- Finally, we assigned a score of 0 to items that cannot be searched at all.
Figure 1: Infostealer vs. data actionability and market availability
The figure above compares each infostealer and each data type using a combination of data actionability with market availability scores. As a risk matrix, it measures how at risk a piece of stolen data is when it ends up in a criminal's hands. This further confirms that crypto wallets and web credentials are not only the most actionable pieces of data but are also the easiest to find and the most indexed in underground marketplaces. Mail credentials, for example, are as actionable as web credentials, but are harder to find on underground marketplaces.
Conclusions
Infostealer malware is responsible for most of the stolen data being sold on the criminal underground. Once a victim is infected, their data will be extracted from the machine and put up for sale. Second-hand marketplaces, where all stolen credentials and other personal data end up, have become thriving criminal businesses.
Criminals turn to these shops for quick monetary gain. The usual ways to monetize stolen user credentials are:
- Draining cryptocurrency wallets
- Exploiting user authentication methods to make transactions on behalf of the user on e-commerce sites and banking sites
- Attacking the victims’ contacts
- Entering users’ organization through their VPN credentials
According to our analysis, we saw that the most at risk categories of data are cryptocurrency wallets and website credentials as they can be very easily monetized. When we look at the most stolen website credentials, we can see many popular sites, including Google, Live.com, Facebook, and Instagram. Somewhat surprisingly, we can also see other less popular sites that might be more easily monetizable, such as Steam, GitHub, and Spotify.
Personal data is and will continue to be a prime target for criminals because it’s easy to obtain and make money from. Therefore, data shops will remain a staple in criminal communities with its popularity showing no signs of dwindling anytime soon.
* Article by David Sancho and Vincenzo Ciancaglini
