Breached credentials are rampant on the dark web, with cybercrime steadily rising in 2019. This shouldn’t come as too much of a surprise given that the frequency of data breaches increases every year. In fact, there have been almost 15 billion records breached since 2013.
The reality is that, following data breaches, credentials for email, banking, cable and many other kinds of accounts are bought and sold across dark web markets. Sites that offer the buying and selling of credentials pop up constantly on the dark web, and many owners actually reuse the same credentials or data dumps that have been around for years to trick potential “buyers” into thinking that the data is legitimate and new.
Much like our own BreachRecon, which helps users identify whether their email has been compromised, sites are starting to emerge that help threat actors identify whether user credentials being sold on the dark web are fresh or are being recycled. However, with a cyber threat intelligence service, you don’t have to worry about sifting through the data to find breaches or vulnerabilities.
The following images, found by GroupSense researchers, illustrate how common it is for threat actors to share and sell credentials on the dark web. They will also demonstrate how essential it is to have a dedicated service to sort through the millions of data points that smaller security teams otherwise wouldn’t have the time or resources for.
Figure 1 – BreachCompilation Database
The database shown in Figure 1 looks to be the “BreachCompilation” database, which was found on the dark web in December 2017 and contains data from both known and unknown breaches. This database is for sale by the threat actor behind this post, but it is still available for free download for those who are willing to look for it.
Figure 2 – The Discord Hacking Market
Above, Figure 2 shows the Discord hacking market, home to endless hacking channels discussing the buying and selling of hacked accounts. The poster displayed in the image is a cybercriminal telling other threat actors that he has approximately 977 GB of data from hacked accounts. Within the post, we see a screenshot of the infamous “Collection #1,” before it was widely known by cybersecurity experts and professionals. This dark web activity was going on way before news of the breach broke publicly, which gives us a screenshot (literally) into the behind-the-scenes threat actor activity that goes on in the Discord service and on the dark web.
Figure 3 – Telegram
Telegram is a cloud-based messaging platform. Much like Discord, it is a place where people can share and sell credentials for business. This poster, from Hacking Institute, was giving away sample credentials to validate credibility with potential “buyers.” While these credentials (which we blacked out) could be legitimate, posters on these sites can reuse credentials to make it appear as though they have a new data set.
Figure 4 – Tenebra
This fourth image shows a screenshot from Tenebra, a Tor website. Tor supports hosting sites, including marketplaces, that are only reachable from within the Tor network. Here we see that the poster is selling access to Netflix for five years. There is no way to verify the five-year guarantee, but with the way these sites pop up and disappear, it seems unlikely that the offer is legitimate.
Figure 5 – Cracked
In the above image, a site called “Cracked” houses a poster selling DirecTV accounts. Our best guess is that it only offers access to TV service, though there is the possibility that it also includes internet service. On this forum, users need to leave a reply to see the rest of the content or upgrade their account.
Figure 6 – OpenBazaar
This last finding comes from OpenBazaar, a decentralized e-commerce platform. This threat actor is selling lifetime access to Netflix for $4.53 per account. In other words, when access to the account is lost, the actor will provide another account for free for life. Netflix does not heavily enforce restrictions on account sharing, and this may partially contribute to the market for such access. There are many sellers who operate on OpenBazaar, and owners of these accounts should be mindful to avoid sharing their information outside of their household and only use devices they have control over.
How Does This Impact Security Teams?
GroupSense researchers are continually seeing sites emerge that reuse old credentials or post new ones to try and score quick cash on breached user data. A simple technique individuals can use is to start practicing good password hygiene. As for businesses, monitoring the dark web to see if company information or your customers’ personal information is being bought and sold should also be an important component of your cyber security strategy. However, this comes with its fair share of challenges:
- First, just the thought of sifting through data breach files – which can often be millions of credentials or personal records – can be overwhelming, never mind the process of actually doing it.
- Additionally, security teams often don’t know where to look for breached data or how to effectively search for it.
- Finally, given the challenges above, monitoring the dark web for stolen company or customer data is a painstaking process that consumes security teams’ time, resources and budget.
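To make the sifting challenge above concrete, here is a small, added example (not GroupSense’s code or tooling) of the first-pass triage a security team typically needs: parse a combo-list style dump (the common `email:password` form), keep only records for the domains the team is responsible for, retain a hash of each password instead of the plaintext, and separate genuinely new exposures from records already seen in an earlier dump, which is how recycled data of the kind described earlier shows up. The dump contents, the `example-corp.test` domain and the prior-dump records are all constructed for this example.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample "combo list" in the email:password form seen in leaked
# dumps. These are made-up records, not data from any real breach.
SAMPLE_DUMP = """\
alice@example-corp.test:Winter2018!
Bob.Smith@Example-Corp.test:hunter2
carol@unrelated.example:letmein
alice@example-corp.test:Winter2018!
malformed line without a separator
dave@example-corp.test:correcthorsebatterystaple
"""

# Constructed records from a dump the team already processed earlier;
# used to tell recycled records apart from genuinely new ones.
PREVIOUSLY_SEEN_DUMP = """\
alice@example-corp.test:Winter2018!
erin@example-corp.test:Passw0rd
"""

# Domains the (hypothetical) security team is responsible for.
MONITORED_DOMAINS = {"example-corp.test"}

# Local part may not contain '@', whitespace or ':'; the domain is captured.
EMAIL_RE = re.compile(r"^[^@\s:]+@([^@\s:]+)$")


@dataclass(frozen=True)
class Exposure:
    email: str
    password_sha1: str  # uppercase hex digest; plaintext is never retained
    domain: str


def parse_dump(text, monitored_domains):
    """Return Exposure records for well-formed lines in monitored domains.

    Malformed lines are skipped rather than aborting the whole file, since
    real dumps are full of junk. Duplicates are kept here so callers can
    count them; triage() collapses them with sets.
    """
    exposures = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ":" not in line:
            continue
        # Split on the first ':' only: the email cannot contain one, but the
        # password may.
        email, _, password = line.partition(":")
        email = email.strip().lower()  # normalise case so duplicates collapse
        match = EMAIL_RE.match(email)
        if not match:
            continue
        domain = match.group(1)
        if domain not in monitored_domains:
            continue
        digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
        exposures.append(Exposure(email, digest, domain))
    return exposures


def hash_prefix(digest, length=5):
    """Prefix of a password hash, the usual shape for range (k-anonymity)
    lookups against a hash corpus without revealing the full hash."""
    return digest[:length]


def triage(current_text, previous_text, monitored_domains):
    """Split a fresh dump into new exposures and records recycled from a
    previously processed dump, both sorted by email for stable reporting."""
    current = set(parse_dump(current_text, monitored_domains))
    previous = set(parse_dump(previous_text, monitored_domains))
    by_email = lambda e: e.email
    return {
        "new": sorted(current - previous, key=by_email),
        "recycled": sorted(current & previous, key=by_email),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP, PREVIOUSLY_SEEN_DUMP, MONITORED_DOMAINS)
    for label in ("new", "recycled"):
        for exp in result[label]:
            print(f"{label:8} {exp.email}  sha1-prefix={hash_prefix(exp.password_sha1)}")
```

Keeping only the hash (or its prefix) is what lets the results be stored, shared with the affected users’ identity team, or checked against a password-hash blocklist without the triage process itself becoming another plaintext credential store.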
GroupSense scours the dark web through our cyber threat intelligence services, actively seeking breaches or vulnerabilities affecting your company. We have the industry’s most extensive experience helping organizations manage their digital risk with cyber reconnaissance, counterintelligence and breached credential monitoring. Contact us today to see how we can help your security team more effectively monitor the dark web for stolen company or user data.