Data Breach Sales: What’s Trending on the Dark Web?
Every year, Flashpoint analyzes the activity we observed over the preceding 12 months in threat actor communities discussing the sale and distribution of breached data. These findings were first shared with Flashpoint customers in early January 2021, and we’re excited to explore them with you now in this blog post, with even more insight to follow in our upcoming webinar on Tuesday, February 23, 2021 at 11:00 AM EST!
Financial, Retail, and Healthcare Sectors Among Hardest-Hit
Over 69% of the data breaches that Flashpoint observed in this timeframe were concentrated within five industry sectors (see Figure 1): Financial Institutions (19%), Retail (17%), Healthcare (12%), Technology (12%), and Government (10%).
COVID-19 Cybercrime Disrupts Organizations Worldwide
The global COVID-19 coronavirus pandemic played an outsized role, altering threat activity and tactics as security and fraud teams scrambled to adapt to entirely remote workforces, surging eCommerce transactions, and newly trending fraud schemes.
Financial institutions dealt with a wide gamut of COVID-19-related cybercrime, including stimulus check fraud and new social engineering tactics that trick bank customers into handing over their personal and banking information. The US Federal Trade Commission (FTC) is now warning of more than USD $343 million in coronavirus fraud. With a new wave of stimulus checks likely on the way soon in 2021, this number is poised to surge yet again.
Retail and healthcare industries were also badly battered by coronavirus-related threats. Retail cybersecurity teams dealt with the rapid transition to online sales as threat actors sought to exploit misconfigurations and web vulnerabilities such as SQL injection. Meanwhile, hospitals, which were already stretched thin treating COVID-19 patients, were left exposed to a rise in threat actor attempts to gain admin-level access to data and patient health information (PHI) to sell or use in their own extortion schemes.
Figure 1: Five Industries Account for 69% of Observed Data Breaches
Threat Actors Concentrate Data Breach Ads on Exploit and Raid Forums
Threat actors most frequently posted about or advertised data breaches on Exploit and Raid Forums (see Figure 2). Data breach advertisements on these forums typically promote sellers’ access to victim networks, offering information to prove the validity and value of the access offered.
Breach advertisements vary in detail, but most commonly include information about the victim organization, the type and level of access, pricing and escrow information, and proof to verify the validity of the access. In some cases, particularly on the Exploit forum, cybercriminals will auction their breached data and indicate whether they’re willing to work through escrow (with those who are deemed more credible).
Figure 2: Two Cybercriminal Forums Dominate Ads for Breached Data and Access
Join Us for Our Upcoming Webinar on Tuesday, February 23rd!
This blog post was just the start of what we plan to share during our webinar. Join us on Tuesday, February 23rd at 11:00 AM EST to hear our analysts Abigail Showman and Ashley Allocca dig deeper into the observed trends, the possible motivating forces behind them, and how 2021 will continue to unfold.