Top 10 list of dark web activities that indicate a breach

Research analysts at Terbium Labs released a list of the most common activities seen on the Dark web indicate a breach, or other unwanted incident, has taken place.

dark web activities

Despite increased security budgets and better defences, organizations are losing the battle against cyber attacks. According to the 2018 cost of Data Breach Study: Global Overview by Ponemon Institute and IBM Security, data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year.

This year the report found that the average total cost of a data breach ($3.86 million), the average cost for each lost or stolen record ($148), and the average size of data breaches have all increased beyond the 2017 report averages. In fact, the costs of the largest breaches can reach into the hundreds of millions of dollars in damage. Ultimately, the inevitability of attacks and ongoing risk exposure of sensitive data has prompted organizations to seek new ways to proactively monitor for lost or stolen data.

The following top 10 list outlines activities, in no particular order, that take place on the dark web that organizations should be most watchful of:

1. Doxing of VIP. Dark web and clear web sites like Pastebin are a dumping ground for personal, financial, and technical information with malicious intent.

2. Full PANs, BINs, payment cards for sale. There is a robust economy for payment cards on the dark web. Sellers update markets with new cards regularly, sometimes daily.

3. Guides for opening fraudulent accounts. The dark web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organization. The appearance of the guide has a dual impact: fraudsters learn how to take advantage of an organization’s systems and processes and the criminals’ attention is focused on the target company.

4. Proprietary source code. A leak of source code can enable competitors to steal intellectual property and allow hackers to review the code for potential vulnerabilities to be exploited.

5. Dump of a database. Third-party breaches can put organizations at risk by revealing employee credentials that can unlock other accounts or provide fodder for phishing attacks.

6. Template to impersonate a customer account. The dark web is full of account templates that allow fraudsters to pose as customers of financial institutions, telecommunications companies and other service providers. These templates are then used to solicit loans, open accounts, or as part of a broader scheme for identity theft or fraud.

7. Connections between employees and illicit content. Posts doxing individuals who engage in illegal activities on the dark web, such as child exploitation, can draw undue negative attention to their employers or affiliated organizations.

8. W2s and tax-fraud documents. Before tax season each year there is a rush of activity on the dark web gather compromised identity information in order to file fraudulent tax returns before the legitimate taxpayer can. This tax fraud is enabled by the sale of W2s and other tax fraud-specific documents, which can be tied back to the employers where those documents came from originally.

9. Secure access and specialty passes: While most of the materials on the dark web are for generalized personal information, vendors sometimes offer special access materials. These can range from the benign, e.g., amusement park tickets, to the more concerning, e.g., military IDs.

10. Inexpert dark web searching. Security vendors not properly immersed in the dark web can expose an organization to harm by simply searching for information related to the company. For example, one security vendor searched for a CISO’s name so many times on the now-defunct dark web search engine, Grams, that the full name made it to the front page “trending” section of the site.