Dark Web and Underground Markets Targeting the Finance Sector

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

BlueVoyant analysis of dark web forums and market places discovered some interesting target and discussion trends. PayPal and Western Union maintain their place at the top of the target stack. However, BlueVoyant noted significant upticks in targeting discussions on Social Media hacking, Phone hacking and ATM skimmer sales.

With regard to specific institutions, larger organizations such as Wells Fargo and JPMorgan Chase still get the lion's share of targeting. However, smaller institutions are finding their way onto the list as more and more data becomes available for criminal use. The graph below shows the top targets and criminal discussion topics from May 2019.

Of note, is the large presence of “dumps” available for sale. Bank account, PII, and other information gathered from breaches has become widespread and attackers are taking full advantage. Cybercriminals are scraping more and more data during breaches. For example, when attackers breach an e-commerce site, they steal more than the monetary transaction. They collect all data possible, including: name, address, phone, account numbers etc. This information has turned into a proverbial cash cow for attackers. The process below shows typical monetization tactics employed in the criminal underworld.

After a successful breach, the data collected is typically sorted into groups. The data is then sold on the dark web based on the card provider (Master, Visa, etc.). A seller may use resellers or networks of resellers to insulate themselves from exposure. Attackers usually have a minimal timeline in which the stolen data is valuable, especially credit card information. Therefore, the data is sold quickly. Speed-to-market is important before someone notices and mitigative efforts are enacted. Resellers often sort further based on the card valuations. Factors for valuation include verified balance and accompanying PII.

Shifts in the tide of dark web forums and underground marketplaces are occurring due to the recent closure of popular sites such as Dream Market. Joker’s Stash was a collection of BINs, Credit/Debit cards, and other financial information available for sale on multiple large criminal forums. However, it appears that the Joker's Stash now houses their collection on their own underground marketplace.

The Crimenetwork forum was another popular site in May. This German-language forum took the number two spot based on the individual posts with target interests in the financial sector. The graph below shows the top criminal forums and marketplaces on the dark web with a focus on the financial sector.