It’s that wonderful time of the year again, when all the information gathered by malware over the holidays begins to be distributed to all the eagerly awaiting customers in the deep web. Actually, it might be a little early. Most malware goes undetected for two or three months before someone starts to figure out something is awry. In fact, sometimes it isn’t even found at all and those in control of it will wait to pay a visit to the lucky website next holiday season.
Yet, even though it might be a bit early, I put on my protective security gear and dived into the deep web to see what I could find. First of all, I went to that old, trusted, standard, Silk Road, only to find that the updated version of this underground market site displays a notice from the FBI that it has been closed with the help of other crime agencies from around the world. Undaunted, I continued the hunt and found an alternate forum which I joined in order to do the research necessary for this article.
I will not give the name of the site because these people are paranoid enough. Everyone seems a lot more nervous than they used to feel. They’ve put in place a lot more safeguards – safeguards, by the way, which the normal world can learn from. Just try joining one of these forums and you will see.
In any event, it will be no surprise to see that the “drugs” category is 8 times more popular than anything else. The next most popular category, “fraud related” items, includes credit card and personal information, along with other items. Although credit cards and credit card details make up a great deal of what’s for sale, personal information seems right behind. Many experts believe personal information is what most hacks will be targeting this year, which is why banks and medical facilities will be prime targets.
But why wait? Many banks have already been compromised and the personal information that has been gathered is for sale now. For example, a number of Bank of America accounts are for sale. These seemed to have been compromised by a foreign hacker. Although the English is better than most, the ad for this information still has some telltale signs of nonnative speaker errors. Here is part of the notice:
“This is a listing for a US checking bank account These accounts are provided by Bank of America, one of the biggest bank in the US. They are not virtual bank accounts or prepaid, they are real bank account. These accounts are perfect with – Paypal Cashout – BTC Cashout – Stripe and other gateways – Bank drop And much more If you have a drop, you can also receive the debit card to your drop.”
Each account costs about $150 which must be paid in bitcoins. For this money
“You get : – Fullz information – Log in information – IP used for the account – Background check – Credit report”
If you were the buyer, your first question should be, “how can I trust this guy?” Well, the whole deep web operates on trust generated by user reviews. Without good reviews, your hacking career is over. Thus, you can always depend on getting good customer service. For example, the above seller will give you another account if the one you buy closes or is blocked within two weeks of your purchase. Other sellers throw in free credit cards or credit card information.
For those not used to hacker/deep web slang, there are a few terms and abbreviations you need to know before going there to look around. I know this may seem obvious or over-simplified to many of you, but it might be the first time some of you encountered this information.
Fullz – full package of personal identification information, including name, Social Security number, birth date, account numbers, and other information (more on this later)
BTC – bitcoin
VBV – verified by Visa
ATO – account takeover
AVS – account verification system; non-AVS means it bypasses account verification
Pizza – credit card
Slice of pizza – one credit card
Fresh slice of pizza – newly acquired credit card information
Drop – a website or address set up to receive stolen property, items bought on the deep web, or credit card information
The extent of information that is available for one individual is truly amazing. For example one seller will give all of the following for each identity sold:
“First_Name; Last_Name; Address City State Zip (Postcode for UK); Email ;Home_Phone; Work_Phone; Best_Time_To_Call; Work_Phone_Ext; Requested_Loan_Amount; SSN (NiNo for UK); Mothers_Maiden_Name ;Date_Of_Birth; Drivers_License Number ;Drivers_License_State; Gender; Own or Rent; Years_At_Residence; Months_At_Residence; Age; Military; US_Citizen (UK if UK..); Marital_Status; Income_Type; Is_Dependent; Occupation; Net_Monthly_Income; Years_Employed; Months_Employed; Supervisor;_Name Supervisor;_Phone Supervisor;_Phone_Ext Work;_Address Work;_City Work;_State Work;_Zip; Pay_Period; Next_Pay_Day; Second_Pay_Day; Paycheck_Type; Employer Shift_Hours; Account_Type; Bank_Name; Bank_Phone Routing_Number (Sort Code for UK); Account_Number; Years_Bank_Account; Months_Bank_Account “
More than enough information to steal someone’s identity and either get credit cards or acquire other services.
It seems pretty clear to me that this information was stolen from a bank. Sometimes they tell you which bank and at other times they don’t. Sometimes a buyer can request information from a particular bank and sometimes they can’t. Sellers realize that security breach investigators may buy some cards to see if they can trace the identities to certain banks. Banks, companies, and other institutions may choose to buy back stolen information to avoid damage to their reputation and avoid disclosing a breach. Some deep web sellers don’t care about this, since money is money, but others may be nervous about working with investigators.
Nervousness is a hallmark of the deep web and much of it is justified. You would expect sellers to be suspicious about sending information directly to an email address with the degree of surveillance going on out there. This is why they use something called, SMS4TOR. This is a free, anonymous, secure, encrypted messaging service available to use with the Tor browser. You write a message, then, get an encrypted URL which you send to the recipient. The recipient of the message visits that URL to get your message and the message then self-destructs. The message that is sent is usually a link to a site where you can download your file. Once you finish downloading, that link disappears forever. Again, I see no reason why legitimate businesses couldn’t use this to send sensitive information or documents from one person to another.
But what if you just want to get started in the hacker game? Is there anything here for you? Of course. As they say, you can buy anything in the deep web. For example, take a look at this item.
“Quick, fast like a spier, This USB Key takes all passwords on the victim’s computer(google,firefox,ftp,mail,netpass,wifipass,explorer…all). He will stop the firewall and viruses-defenses and will install silently one keylogger who hook all keyboard entries (he will send you all logs by email thanks to a configuration-files and kill himself in countdown as you has defined it) You just have to Plug and unplug the usb Key !”
The English may be a bit convoluted but you get the idea. The message is to be suspicious of anyone who gives you a USB as a gift.
If you wanted to start your deep web career, you can get a lot of help down in the deep. Here, you can buy guide books that can help you hack just about anything. For example,
“This document will show you how to make a DNS Serveur ,a Fake Wifi hotspot,a phishing web page And how to redirect ANYBODY to steal THEM password And account (PAYPAL,FACEBOOK,TWITTER,BANK ,HOTMAIL) 100%working method!!!”
And if you have trouble writing a good phishing email, no problem. Here’s the ideal solution for you.
“What if you could learn exactly how to get more opens from your emails? (No matter what you want the email to do afterwards, the key is getting people to open it.) What I have for you are 11 email open hacks; that will practically force your victims to open and read your emails. These hacks are simple to implement, and you can literally start using them immediately to pull more information/money out of your victims.”
However, most people who come to the deep web find it is easier just to buy the pre-hacked information they want. Maybe you’re a spammer and you want to get some names and email addresses. No problem, there are plenty available. The sellers will even give you some free samples. I’ve tried to see if some of these free addresses were legitimate and they were. I balked at trying the passwords. Other similar samples also checked out and it appears that the person referred to has little idea that he or she is on this list. Some of the databases are huge. One of them I saw had 5GB of information: More than enough to start a major business on the deep web.
Government takedowns of deep web sites get plenty of news coverage. However, after my visit, I concluded that little has changed down here. Business seems to be booming. Yes, people are more nervous, wary, and paranoid, but that’s not without foundation. In a land where trust is everything, no one really trusts anyone. The unexpected result is that more security measures are in place which, strangely, make deep web business sites among the most secure anywhere. As long as breaches continue to increase and there is a market for information, business in the deep web will continue to thrive.
A BYOD Paradigm Shift
BYOD (Bring Your Own Device) was inevitable. It was good for business and easy for the employee. With the use of their mobile devices (smartphones and tablets), employees could work from everywhere which meant that businesses could be more efficient. Unfortunately, hackers soon realized that these connected devices offered an easy way to compromise a network. Software solutions were put in place as well as Mobile Device Management (MDM) architecture. Still, the breaches occurred. All software solutions had vulnerabilities. It was then that security organizations began looking at hardware solutions that could not be compromised. One that seems to hold the most promise is InZero’s Workplay architecture. It separates irresponsible employee behavior from important company data. No malware on the user’s device can penetrate the specially designed hardware barrier. The user can access the company’s network but the malware cannot. If security is a primary concern, this solution deserves a look.