‘Buying bad’: the black market where access to hacked Australian data can cost as little as $500
When personal data is stolen in a breach, such as the recent high-profile attacks on Optus and Medibank, it often begins a journey through a shadowy criminal marketplace that follows surprisingly traditional models of supply and demand.
Passwords, personal information, copies of identity documents and contact details of victims can pass through a web of transactions, mediated in online forums or hidden on the dark web, and denominated in cryptocurrency, before ending up in the hands of those who plan to exploit them.
“There are several different markets out there – or forums,” explains Dean Williams, systems engineer at NortonLifeLock.
“You can often find verified hack shops where you can search by organization name and have access to the entire list right down to buyer-seller platforms where you can buy different levels of [personal information] in different amounts.”
The biggest ones offer cybercrime as a service: buyers can order a distributed denial-of-service attack to bring down a website, or obtain ransomware tools, services and malware to use on their intended targets.
“It means that people can enter the world of cybercrime without having traditional cyber skills because you just ‘buy bad’ or rent,” said Katherine Mansted, director of cyber intelligence at CyberCX.
Transactions are in cryptocurrency – often bitcoin. Initial access to an organisation in Australia can cost around $500, but Mansted said there was no standard price because it depended on the size of the organisation, the quality of access and the sector the organisation is in. The price is usually higher for companies in larger countries such as the US.
Credibility in these groups is built by proving what you’ve got – in a data breach, the seller of the records will often provide a sample so that buyers can cross-check it against existing breaches and confirm it’s genuinely new material.
Some sites even have Reddit-style voting systems.
“Because of the presence of law enforcement and researchers, marketplaces rely on reputation systems to try to distinguish real cybercriminals from pretenders. And, of course, reputation systems also give buyers and sellers a degree of protection against fraudsters,” said Brett Callow, threat analyst at Emsisoft. “Some marketplaces also offer intermediary services that hold funds until buyers confirm that the product is as described.”
Law enforcement is able to take down some marketplaces or some of the biggest sellers of services, but experts say it’s a game of whack-a-mole. When a group or site falls away, a new one will appear.
“Unfortunately, there is so much money to be made from cybercrime that there will always be people willing to step up to fill the gaps in the ecosystem,” Callow said.
“When we do searches, we find sites drop and reappear in the same format but under a different URL,” Williams said.
“You have to look at it as a game of cat and mouse. Criminals are very, very good at swinging.”
Mansted said black markets work “exactly the same” as any other.
“Some groups have the upper hand and some don’t,” she said. “Some groups sell the best stuff and have the best price for it, different people are highly skilled and they rise up and sometimes they rise up to find the attention of law enforcement and then they have a quick end.”
Hackers may be employees of these markets, she said.
“It’s not just hackers in hoodies, it’s grandmothers in Russia and former Soviet countries, it’s people who, in any part of the world, literally go to work every day, as businesses, criminal enterprises within a market and an economy,” she said.
“And then once you understand that, you can actually start to figure out how to actually stop their economy. You can figure out what pieces are vulnerable, and that’s where you can focus your attention.
“It’s a market economy – we just have to figure out how to make it less profitable for them.”