If a cybercriminal wants to cause trouble for a major corporation, tools for the job are widely available on dark web markets, according to researchers who spent three months analyzing their activity and interacting with sellers.
The wares — including malware and leaked credentials — are specifically promoted for breaching companies on the Fortune 500 and the Financial Times Stock Exchange 100 Index, according to Mike McGuire, a senior lecturer in criminology at the University of Surrey, and the security vendor Bromium.
Their research includes data collected from Empire Market, The Hub, and the now-shuttered Dream and Wall Street markets, among others. The findings come amid a period of heightened law enforcement activity on the dark web, with international police recently seizing a number of sites that primarily sold drugs. Forums where members buy and sell hacking tools and access to breached email accounts have survived the dragnet.
The financial sector was the target of most of the malware tools (34 percent) for sale on the forums, which typically were only accessible with the anonymity software Tor. E-commerce was next, with 20 percent, followed by health care (15 percent) and education (12 percent). Dark web vendors offered unauthorized access, often in the form of stolen usernames and passwords, to business networks in those industries, too.
“The methods for providing access varied considerably,” McGuire said in a statement. “Some involved stolen remote access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered Remote Access Trojans at least five times more often than keyloggers.”
More than 60 vendors offered access to at least 10 business networks, selling stolen credentials for between $2 and $30 apiece. Some 15 percent of all the dark web data researchers analyzed originated with corporate email chains, including projected business costs, payments and personnel conversations like hiring and firing decisions.
“This kind of data provides lucrative options, from threats to leak information to the media, to even blackmailing of company executives,” the report states.
Other listings promised to deliver the Nuke malware, a hacking tool particularly popular on Russian-speaking forums that buyers could use to open remote desktop systems and bypass Windows firewall systems deployed by many companies.
In another case, McGuire and Bromium found a database of passwords and PIN numbers that appeared to belong to customers of Qatar National Bank, a global bank with tens of billions of dollars in revenue, for sale for roughly $10.
Verifiable examples of stolen trade secrets for sale — a prospect long-feared by chief information security officers who have hired threat intelligence investigators to monitor the dark web on their behalf — proved to be more elusive.
In their report, the researchers say they performed numerous searches for leaked intellectual property, only to find “the trade seems now to have become even more covert.” It’s also possible that information simply isn’t on the dark web, and that any advertisements were posted by vendors trying to scam their buyers, or law enforcement trying to lure buyers into a trap.
In one case, the researchers say they spoke with one forum member who claimed to be able to access communications between executives at three major companies for fees between $1,000 and $15,000. “Whilst there was no way of verifying these claims (short of engaging in espionage), he gave us certain information about the company that is not available in the public domain, which indicated that he might have been genuine,” the researchers wrote.
They did not provide details on what that disclosure may have included.