When personal data is stolen in a breach, such as the recent high-profile attacks on Optus and Medibank, it often begins a journey through a dark criminal market that follows surprisingly traditional patterns of supply and demand.
Passwords, personal information, copies of identity documents and contact details of victims can pass through a network of transactions, publicized in online forums or hidden on the dark web, and denominated in cryptocurrency, before ending up in the hands of those who plan to exploit them.
“There are several different marketplaces – or forums,” says Dean Williams, systems engineer at NortonLifeLock.
“You can often find verified data breach stores where you can search by organization name and have access to the full list, all the way to buyer-seller platforms where you can buy different levels of [personal information] at different quantities.
“The big ones offer cybercrime products as a service, where you can order a distributed denial of service attack to bring down a site, order ransomware and malware tools or services that people can then use on their proposed targets.”
“This means people can enter the world of cybercrime without having traditional cybercrime skills because you’re just ‘buying bad’ or renting,” said Katherine Mansted, director of cyber intelligence at CyberCX.
Transactions are made in cryptocurrency – often in bitcoin. Initial access to an organization in Australia can cost around $500, but Mansted said there is no standard price as it depends on the size of the organization, the quality of access and the sector in which the organization is located. The price is generally higher for businesses in larger countries like the United States.
To build credibility within these groups, sellers can prove what they have – in a data breach, the seller of the records will often provide a sample for users to cross-check against existing breaches to ensure that it really is new material.
Some sites even have Reddit-style voting systems.
“Because of the presence of law enforcement and researchers, markets rely on reputation systems to try to separate real cybercriminals from fake ones. And, of course, reputation systems also offer buyers and sellers some degree of protection against scammers,” said Brett Callow, threat analyst at Emsisoft. “Some marketplaces also offer intermediary services that hold funds until buyers confirm the product is as described.”
Law enforcement is able to take down some markets or some of the biggest service sellers, but experts say it’s a game of whack-a-mole. When a group or a site disappears, a new one arises.
“Unfortunately, there is so much money to be made from cybercrime that there will always be people who are willing to step in to fill gaps in the ecosystem,” Callow said.
“When we do searches, we find that sites disappear and then reappear in the same format, but under a different URL,” Williams said.
“Think of it as a game of cat and mouse. Criminals are very, very good at pivoting.”
Mansted said black markets work “in the same way” as others.
“Some groups have the upper hand and then they don’t,” she said. “Some groups sell the best stuff and get the best price for it, different people have high skills and they get up and sometimes they get up to get the attention of law enforcement and then they have a quick end.”
Hackers may be employees of these marketplaces, she said.
“It’s not just the pirates in hoodies, it’s the grandmothers in Russia and the former Soviet countries, it’s the people who, in any part of the world, literally go to work every day, like businesses, criminal enterprises within a market and economy,” she said.
“And then once you understand that, you can actually start to figure out how to actually shut down their economy. You can determine which elements are vulnerable and that’s where you can focus your attention.
“It’s a market economy – we just have to figure out how to make it less profitable for them.”