The Problem with Statistics of Compromised Credentials in the Dark Web
Dark web monitoring has become widely popular in the industry, with dozens of vendors, large and small, offering to extract intelligence from cybercriminal circles. In such a crowded market (Dark Web monitoring specifically and cyber security in general), vendors need to stand out from the pack. To do so, any cyber security company must have an arsenal of marketing materials and tools. One such effective tool is the threat research report, which includes interesting industry insights based on the company’s expertise. This report is especially relevant for these Dark Web monitoring vendors, who have a direct view to the dealings and innovation that happen in the underground economy. After all, the Dark Web is inherently very interesting, so writing reports on what goes on there is a no brainer.
One of the most popular type of reports in this space is one that details the amount and prices of compromised credentials that are traded in the Dark Web. It’s no surprise that these reports are popular as they are easy to understand by everyone, therefore making them appealing to both professionals and mainstream media. As they are written for broad appeal and the media’s attention, in many cases these reports are summarized into one or two sentences – “there are X number of credentials sold in the Dark Web right now”, or “you can get a stolen credit card for X dollars”. These reports do often include a “shopping list” of Dark Web prices for various types of credentials and many do delve deeper into the details of these findings, often speculating as to why certain things cost as much as they do. However, the reality of the Dark Web is usually much more complex, to the point that quoting credentials volume and price is usually meaningless. Some reports do a better job than others touching on these complexities, but the fact remains that normally only the numbers in the reports – the volumes and prices – are the focus and what only gets quoted, with the full intent of those who wrote the report. But as noted, these numbers are usually meaningless. Here is why, and why you should always take them with a pinch of salt.
Not All Credentials are the Same
Over the years, there were several articles quoting threat research reports, claiming that “X number of credentials are being sold in the Dark Web”. One of the main issues with the accuracy of such a title is that the real value of credentials vary dramatically.
Naturally, a compromised Twitter account is not worth the same as a compromised bank account, which is not worth the same as a credit card. Trying to group all of them together into one category of “compromised credentials” removes any meaning from these findings. Even when reports address this by providing a “shopping list” that is not enough, as there are dramatic differences between credentials of the same type.
For example, the price of compromised bank account records is derived from the amount of money in the account. A credential of an account with $500 in its balance would cost much less than an account with $5,000 in its balance. As these credentials are mainly obtained by Phishing and banking malware, the balances of compromised accounts are a luck of the draw for the fraudsters.
Another example is compromised credit cards. In reality, credit card records have several formats, each enabling fraudsters to steal money in different ways. The more limited types can cost a few dollars, while the types that enable fraudsters to steal more money would be worth a lot more. Adding to this complexity is the fact that the type of card, its issuer, its issuer’s country, how the card was stolen, how much additional data is provided in the record, all have dramatic effect on the price and the value of the record.
This isn’t limited to financial records. Logs from infected machines also hold different value, as corporate machines are probably more valuable than a student’s desktop. In the case of corporate machines, these credentials can provide threat actors with access to internal networks, enabling them to perform ransomware attacks. Social media accounts can differ in value based on the number of followers and whether it’s a business or personal account.
The Sellers Affect the Price
Not only is a credential’s price affected by the product and its characteristics, but it is also affected by the vendor as well. As the Dark Web aims to provide cybercriminals with the infrastructure to trade stolen credentials while retaining their anonymity, there is a very large group of members that tries to abuse the system and steal money from other fraudsters – these are called “Rippers” (as they rip off others). Rippers would often advertise that they sell certain products (for example, a compromised credential of a large known bank), trying to entice other fraudsters to buy it. Once they receive the funds via Bitcoin, they simply disappear, change their avatar and advertise a different product. A common tactic for a ripper would be to advertise their product relatively cheap (but not too cheap) in order to attract potential buyers as quickly as possible.
This also works the other way around – verified vendors, those who have been verified by the community to be “real” criminals, have the ability to charge more for their product, as dealing with them provides a relative peace of mind to their buyers that they are not going to be ripped off. Reputation is everything in the Dark Web and those with a good reputation will reap its rewards. Not only rippers, but new members who are trying to establish their own reputation, would have to settle for lower prices – which would affect the overall price of records.
Many Credentials are Duplicates
Another major factor which considerably skews statistics of the volume of stolen credentials is the fact that many credentials are duplicates from one another. Some vendors have multiple store fronts and forum avatars (the dark web equivalent of operating multiple brands), through which they sell the same data sets.
In addition, many vendors have been observed reselling some of the same data sets, even if they operate independently from one another. When each data set potentially contains up to millions of records, this means that many credentials are counted twice – or more. Even if the researchers try to remove duplicates, the same records are not always provided in the same format, making it difficult to identify.
Many Credentials are Already Dead
Organizations whose customer credentials are being stolen, whether these are online service providers or financial institutions, do not just wait for threat actors to exploit them. They work tirelessly in identifying stolen credentials before they are being used, applying various methods to identify and block them. As a result, a large percentage of credentials being offered for sale in the Dark Web are actually already dead. This is why the Dark Web is filled with tools to check the validity of a purchased credential, often time these tools are embedded into the shops themselves and refunds are given if an already-blocked credential is bought.
Therefore, the number of stolen credentials in the Dark Web is often greatly inflated.
The Context of How Credentials are Published is also Important
The value of the same stolen credential can vary dramatically, depending on how and where it was published in the Dark Web. Let’s take for example a credit card record. In bottom-feeder circles of the Dark Web, credit card vendors tend to post free samples of their wares to establish credibility and prove they are no “Rippers”. When a credit card record is publicly published in such a way, multiple fraudsters will immediately try to use it before it gets blocked. The sudden high volume of transaction means that this kind of activity can be easily identified by the bank’s systems. A feed of credit cards that were publicly published in such a way is mostly useless, as by the time the intelligence gets processed by the bank the cards have all been flagged. Meanwhile, a credit card sold to a fraudster in private is much harder to detect and a feed of such cards would be a lot more valuable.
These are just a few examples of the different variables that determine just how valuable a record published in the Dark Web truly is. Ignoring them and lumping everything together into general categories leaves little room to extract actual insights from such reports. The purpose of many of these reports is one and only – marketing, showing the length and depth of the author’s Dark Web coverage, and they should be read with that in mind.
Idan Aharoni
Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder (intelfinder.io). He is a cyber security and intelligence
veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA Security.