Bitglass reveals speed at which stolen data moves around the Dark Web

Bitglass has revealed that stolen data moves around the Dark Web 11 times faster today than it did six years ago. The details come after Bitglass re-ran an experiment it first conducted in 2015. The details of the experiment are contained in a document entitled “2021 Where’s Your Data Experiment”.

Mike Schuricht, leader of the Bitglass Threat Research Group, said: “We expect that the increasing volume of data breaches as well as more avenues for cybercriminals to monetize exfiltrated data has led to this increased interest and activity surrounding stolen data on the Dark Web.”

What do we learn from the Bitglass experiment?

More than we might expect. The experiment created a set of fake lists containing login and password data. The data claimed to originate from a known breach and be augmented with data scraped from LinkedIn. Additionally, the data was said to be mapped to several high-value account logins.

The lists were then posted on several Dark Web marketplaces with various links that would allow cybercriminals to access various organisations using the data. All of the data lists had watermarking added to allow Bitglass to track views and downloads.

The responses were surprising:

  • 13,300 data views, up from 1,100 in 2015
  • 1,100 links in 24 hours; it took 12 days to reach the same number in 2015
  • Breach data downloaded across five continents
  • 93% of viewers were anonymous, compared with only 67% in 2015
  • Retail (60%), pirated content (13%) and gaming (12%) were the most viewed lists
  • Retail (37%), government (32%) and pirated content (10%) were the most clicked on categories

It would have been interesting if this had been allowed to run over Black Friday and Cyber Monday to see if that pushed the retail category higher.

Who is most likely to look at stolen data?

The general assumption is that the most active acquirers of data are cybercriminals in Russia, China and North Korea. This survey shows a very different picture. In fact, for those in the US, it is their fellow citizens turned cybercriminals who are the most interested in the data. While China does show up in 4th place, there is no sign of interest from cybercriminals in Russia or North Korea.

Top countries opening breach files

  • USA (34.6%)
  • Kenya (32.6%)
  • Romania (10.2%)
  • China (8.1%)
  • Sweden (4%)

The investigators looked closely at the data from the US to find out where the hotspots were for those searching for stolen data. They identified six states but chose not to put any numbers on them so it’s not possible to identify who is the most likely to be looking for or at data. They also declined to identify what types of data were most searched for in the different states.

Top US states opening breach files

  • California
  • District of Columbia (DC)
  • Illinois
  • Indiana
  • Iowa
  • Oregon

Cybercriminals using the same business tools as IT departments

As with who is stealing data, there are also misperceptions about the tools used by cybercriminals. Attackers planning breaches or delivering ransomware will use specific tools. However, when it comes to data mining breach data, SaaS solutions such as virtual machines, AI and machine learning are commonplace.

These are the same tools that IT departments and users take advantage of when they are looking for patterns in data. It demonstrates that any tool can be misused and that anyone can create an anonymous account, buy stolen data and start mining it.

Enterprise Times: What does this mean?

There is a lot of myth built up around cybercrime, especially in terms of who is doing it and the tools they are using. This piece of research dispels some of that and should be a wake-up call to people.

Of more importance is the speed with which data was accessed from around the world. Informing people of a breach as soon as it occurs is critical. There is no grey period where attackers are preparing the data. Once on the Dark Web it is fair game and will be exploited quickly.

It is not just defenders who need to recognise this. End-users and customers need to act as soon as they receive notification of a potential data breach. Change those passwords and those security questions. Update your personal details and check through online accounts for suspicious transactions. The quicker you react, the less time there is for an attacker to exploit that stolen data.

Do not dismiss any breach notification as inconsequential. One of the core parts of this research was to enrich the initial data with data scraped from elsewhere. This is what cybercriminals are doing all the time. There is a thriving business on the Dark Web where people do nothing but enhance stolen data to make it more valuable.

It would be interesting to see some of the raw data from this experiment. For example, what were cybercriminals in the different US states looking for? Were those in the District of Columbia mainly focused on government identities? Was there any correlation between the IP address data captured and known cybergangs? Also, how many of the parties viewing or clicking on the content were cybersecurity firms? Did that skew the results?

