The dark web is an intentionally hidden part of the Internet. It isn’t visible to search engines and users need an anonymizing browser called Tor to access it. While not all of this reportedly 5% section of the Internet is used for illicit purposes, the dark web is known as ‘a hotbed of criminal activity’ and the number of dark web listings that could harm a business is growing.
So, what are the risks to businesses from cybercriminals on the dark web, and what value are these bad actors placing on business customers’ stolen personal data?
The 2019 installment of the ongoing study by criminology professor Dr Michael McGuire from the University of Surrey, ‘Into the Web of Profit’, shows “dark web listings that could harm an enterprise have gone up by 20% since 2016, and of all listings (excluding those selling drugs), 60% could potentially harm enterprises.” Dr McGuire lists bespoke malware, network access tools as well as phishing kits and tutorials among those threats.
Into the Web of Profit says cybercrime is now an economy, not a business. McGuire compares the dark web’s “platform criminality” to the “platform capitalism” model where data is the commodity: “Equally, if not more significantly, the cybercrime economy has now become a kind of mirror image of contemporary capitalism – reproducing disruptive business models popularized by the likes of Amazon and Uber. As a kind of ‘monstrous double’ of the legitimate information economy – where data is king – The Web of Profit is not just feeding off the way wealth is generated there, it is reproducing and, in some cases, outperforming it. This is most obviously evident in the platform models of wealth creation it has now adopted.”
McGuire reports that cybercrime generates about $1.5 trillion annually, of which $500 billion is from theft of trade secrets and IP, $160 billion comes from data trading, $1.6 billion is from what’s known as ‘crimeware-as-a-service’, and $1 billion comes from ransomware.
Deloitte recently described the motivations of cybercriminals: “In most cases, hackers will not use the data themselves but are either engaged by a third party to obtain the data or have the aim to sell the information on the dark web. Buyers from the dark web may use this data for different purposes including financial theft from credit cards, creating fake passports and identities, transferring money between accounts, reselling information at a higher price to the media, or to support other illicit activities. Once the ‘community’ of the dark web acknowledges the achievement of a hacker, the hacker may then request a ransom from the target entity to release the data back to them.” And, unfortunately, most often the attacked business and its customers are unaware the data was stolen until it’s too late to do anything about it.
The COVID-19 pandemic is worsening cybercrime
The COVID-19 pandemic and its push to remote workforces is opening even more opportunities to cybercriminals. According to an exposé by IntSights researchers into the value of data types on the dark web: “As the global shift toward remote work due to COVID-19 continues, IntSights researchers have observed an increase in cybercrime activity in dark web forums. Ransomware gangs are selling encrypted company data, fraudsters are conducting account takeovers (ATOs), hackers are running successful unemployment assistance scams, and credit cards are flying off the shelves of online black markets. Organizations around the world are grappling with the reality that their networks, employees, collaboration tools, and customers are not as secure as they should be, and they are leaking data out through various vulnerabilities.”
Indeed, there has been a 429% increase in the number of corporate credentials—clear text usernames and passwords—exposed on the dark web since March 2020, and a 64% increase in ransomware and phishing attempts in the second quarter of 2020. Banking, education and telehealth are among the hardest hit industries. One source says banking has had a 520% increase in this activity since March 2020, and the education sector, with campuses moving to remote learning during COVID-19, has averaged a total of 384 high severity ATO incidents since March 2020.
The healthcare industry is in the process of rolling out a collective $65 billion in cyber defense systems but hacking attacks and data breaches in this data-rich environment are staggeringly frequent, particularly now. In 2019, a reported 40 million Americans were caught up in a healthcare data breach, and data breaches and ransomware attacks cost the US health sector about $4 billion. Other countries, such as the United Kingdom and Singapore, are experiencing the same issue. Some argue that in this global pandemic, telehealth “security is taking a back seat to usability”. For a quick summary of the highly topical healthcare data risk situation, check out this report.
Businesses are vulnerable from 12 different angles
Dr McGuire calls out the 12 areas where enterprises risk a network breach or data compromise:
- infection or attacks, including malware, distributed denial of service (DDoS) and botnets
- access, including remote access Trojans (RATs), keyloggers and exploits
- espionage, including services, customization and targeting
- support services such as tutorials
- credentials
- phishing
- refunds
- customer data
- operational data
- financial data
- intellectual property/trade secrets
- other emerging threats.
Further, he reports: “We found that 4 in 10 dark net cybercriminals were offering hacking services targeting FTSE 100 or Fortune 500 businesses. This gives a clear indication that the dark net has become extremely tailored to attacking the enterprise, moving to a service-led approach catering to client needs, even offering service plans to outline how they’ll conduct the hack. It’s like they’ve become cybercrime consultants.”
McGuire’ says any of these attacks can devalue the enterprise (e.g. reputational damage), disrupt the enterprise (e.g. malware attacks that affect business operations), and defraud the enterprise (e.g. IP theft or espionage).
What is personal data worth on the dark web?
The Intsights team found personal data ranges in value on the dark web from $0–$5 to $1000+, and price varies depending on freshness and quality of personal data.
Credit card numbers, SSNs, data of birth records, and social media activity are all in the cheapest category; fake IDs and hacked retailed accounts are among the data in the $5–$20 category; and the highest value data in the $1000+ category includes “domain controllers, exploits, exclusive databases, insider information trading.”
But it’s not the initial sale value of the data on the dark web so much as what cybercriminals do with that data that matters most. Intsights says: “… Consumers might be surprised to learn that an American Social Security Number (SSN) is worth less than $5 to cybercriminals. But hackers can use that SSN for a number of malicious purposes. They can apply for a home or auto loan, open a new credit card, open a bank account, or even gain access to existing personal accounts.”
So what can businesses do?
Solutions to the growing risks of cybercrime will lie in greater investment in cybersecurity systems, and increasingly sophisticated innovations like secure digital identities and decentralized identity management. The goal is to reduce the risk of losing large quantities of valuable data, through either (1) improving defences, or (2) reducing the attack surface. While the first option is becoming an increasingly difficult arms race to win, the second has strong potential to offer longevity, solid return on investment, and efficacy. The strategy is: Don’t build a bigger barricade, become a smaller target.
The National Institute of Standards and Technology in the US makes it plain: “The likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.”
Consumers are clearly seeing the value in option 2: If you don’t hold the data, it can’t be breached. Already, more than half of adult Americans are declining to use a product or service based on their perceived risk to their PII. They want to be smaller cybersecurity targets, and they want the businesses they deal with online to do whatever it takes to make them so.
We believe it’s well past time for option 2. Major enterprises and small businesses must recognize that unless they urgently find ways to be smaller cybersecurity targets, the costs could be enormous—to finances, reputation, customer safety, and brand loyalty. By 2021, the global damages bill from cybercrime is predicted to hit USD 6 trillion annually, double the 2015 figure, and cost victims USD 17,700 every minute.
At Anonyome Labs we offer solutions that reduce the attack surface for enterprises and consumers. Our scalable Sudo Platform is the complete privacy toolkit for integrating next generation identity protection and privacy into a brand’s products and services. Sudo Platform and our consumer app MySudo show businesses an easy way to engage, onboard and continually interact with their customers without collecting, managing or risking their PII, and give consumers greater trust in the entire system.
As Gregory Webb, CEO of Bromium, which sponsors the ongoing ‘Into the Web of Profit’, study says: “We need to make it more difficult for hackers to gather our most precious resource – data. The cybersecurity industry needs to come to terms with the limitations of detect-to-protect security and find better ways to isolate the problem. We need to approach cyber-defenses in a totally different way, by focusing on the most vulnerable – and easiest to attack – vectors in our organizations. The criminals know where we are vulnerable – most often where humans put fingers to keyboards. We know changing human behavior is both challenging and costly. Instead, by focusing on protection, rather than detection, we can disrupt cybercrime in significant ways.”
Explore Sudo Platform.
Better understand the Sudo, a core capability of Anonyome Labs’ products.
