Dr Gareth Owenson, CTO of Searchlight Security
Cyberattacks don’t appear out of the blue. Cybercriminals have to do their due diligence, coordinate their efforts, perform reconnaissance, and purchase the tools, credentials or access they need to execute their operations.
This activity takes place on the deep and dark web, which means there is an opportunity for financial services organizations that are proactive to identify - and stop - the criminal activity that could affect them while it is still in the reconnaissance stage. For financial institutions, that activity broadly falls into two camps: financial crimes that target their customers, and cyberattacks directly targeting financial services companies themselves.
This blog, the first in a two-part series, focuses on the former - financial attacks against consumers - to explore the criminal activity that is common in the dark web and how it could be prevented by financial services companies that are committed to protecting their customers.
Uncovering Autoshop Marketplaces
One of the most prevalent financial crimes on the deep and dark web is the sale of personal financial accounts, with some estimates putting the number of credit cards for sale on the dark web into the millions.
There is even a specific name for the marketplaces that specialize in the sale of credit card, debit card or bank account information, as well as the credentials, cookies and remote access needed to take over online accounts. They are known as “autoshops” - which refers to the transaction process being more automated than other dark web markets. Autoshops sell digital products, which means that the purchased item can be delivered instantly to the buyer with little to no input required from the vendor. This automation also speaks to how sophisticated the sale of financial information has become. The top autoshops (which currently includes the likes of Blackpass, 2easy and Russian Market) regularly post tens of thousands of new listings per week - which demonstrates the scale of this problem.
As well as in the products they sell, autoshops differ from other dark web marketplaces in their setup and organization. Typically dark web marketplaces are operated by administrators who allow many independent vendors to sell their products in exchange for a fee (known as an escrow marketplace). By contrast, autoshops typically have far fewer vendors, in some cases with all of the listings originating from just the site operator. Autoshops are also more likely than other marketplaces to have a “clear web” presence, either in addition to their dark web site or exclusively. (You can read more about the distinctions between the deep, dark and clear web here).
The Source of Stolen Financial Data
As well as giving us visibility into autoshops, monitoring the dark web gives us insight into the activity being undertaken to supply them. Autoshops have a number of different sources for the financial products that they illicitly sell:
- Historic data breach sets - Large datasets of stolen card details from financial institutions can be found for sale on the dark web, however these are sometimes viewed skeptically in criminal forums as they are often old, meaning that they contain few “live” credit cards for hackers to exploit.
- Attacks against e-commerce sites - Cybercriminals exploit vulnerabilities in websites to extract customer card data through a technique known as web skimming. If undetected, attackers can extract thousands of customers’ payment information through automated software, a technique infamously used in the Magecart attacks against British Airways, Ticketmaster and Newegg.
- Phishing sites - Where customers are tricked into entering their credit card information into a fraudulent website, often imitating a known and trusted brand. Spamming tools and phishing pages are sold on the dark web, as well as reverse proxy servers (such as Modlishka and Evilginx) to bypass bank's two-factor authentication systems.
- Banking trojans and stealer malware - Malware that is directly installed onto a user’s computer to capture card data. Stealer malware and banking trojans can be found for sale on markets and forums, as well as user guides for how to utilize them. Notable examples have included Zeus, Emotet and Trickbot.
- Insider threat - Customer information sold by employees from within financial institutions.
How Financial Crimes Could be Prevented With Dark Web Intelligence
With dark web intelligence, there are actions that financial services companies can take to combat this orchestrated targeting of their customers.
For example, by monitoring the dark web for its Bank Identification Numbers (BIN) - the part of the card number that indicates which bank a card belongs to - a bank could find all of its credit card details leaked on autoshops, pastebins and forums. With the stolen card details identified, the bank could then block the cards, inform customers so they are alert to any suspicious account activity, and contact the authorities to make sure they are aware of the autoshop’s operation - preventing fraud at scale.
Financial institutions could also identify commodities available on dark web marketplaces, such as banking trojans or 2FA bypass tools, to identify when and how their customer base is being targeted. This intelligence could then be used to implement defensive measures on their customers’ accounts, and prevent their financial data from being harvested in the first place.
Gareth will be giving a keynote talk on “Threats to Financial Services from the Dark Web” at the Securing Financial Services Summit in London on Tuesday July 5, 2022. Find out more about the event or sign up to attend here.