How Corporate Credentials Are Sold on the Deep & Dark Web

In the past year, of the 4.11 billion credentials detected by Axur's platform, 96.1% were exposed on the Deep & Dark Web, according to the Online Criminal Activity Report 2022. This marks a drastic shift from the previous year when 98.2% of identified credentials were found in significant data breaches.

This shift points to the growth of corporate credential marketplaces on the Deep & Dark Web. It's time to understand how cybercriminals operate these marketplaces and how to protect your company's credentials.

Credentials: The Soul of Authentication

First, it’s essential to understand why corporate credentials are so coveted by cybercriminals. Studies show that credentials are the fastest type of organizational data for invaders to obtain. This is concerning because corporate credentials refer to specific data or authentication tools needed to verify a user's identity, authenticate them, and grant access to a system or network ID.

Suppose an attacker acquires a credential that the owner or the security team hasn’t blocked. In that case, they access a gateway that can compromise an entire organization's security, allowing lateral movement and privilege escalation. Not surprisingly, studies show that invaders can access critical systems or data in 85% of privileged credential theft cases. In summary, we can understand that the existence of credential marketplaces is due to three main points:

• Credentials are still the most common form of authentication for companies.
• They are the link between companies, their assets, and their customers.
• They are fundamental components in data breaches.
  
  

Given their significant relevance and profit potential in credential exploitation, we begin to understand the existence of markets dedicated to selling these data. Let’s see how they function and how profitability is achieved.

How Cybercrime Marketplaces Work

The economy of the Deep & Dark Web is driven mainly by two groups: illegal markets and data storage. The first involves selling various illicit products and services, such as drugs, weapons, stolen gift cards, and prepaid cards. These activities are conducted through groups on Telegram, WhatsApp, and Deep & Dark Web forums, facilitating communication between criminals. The second group focuses on confidential data, such as credit card information, bank account details, cracking methods, and corporate credentials.

Credential marketplaces have existed for years, operating like standard websites. Their operation resembles any e-commerce site, with filters by product, price, and escrow purchases. Additionally, the administrators of these sites incorporate user reviews and ratings to reinforce their authenticity, just like a typical e-commerce site.

The prices of credentials sold on these sites vary according to their importance. Our analysis shows that credit card data can be found for $15, while a passport can cost up to $4,000. Criminals follow profitability trends to price their products.

But Who Operates These Marketplaces?

This question is challenging, as the Deep & Dark Web environment enables anonymity. Therefore, these markets are operated by groups using advanced security techniques capable of hiding their identities and server locations, making it nearly impossible for legal authorities to disrupt their activities.

Thus, it's crucial to have Deep & Dark Web monitoring to keep pace with tactics, techniques, and procedures and support more effective incident response strategies.

Damage Caused by Corporate Credential Theft

The profitability of cybercrime through the stolen credentials market is driven by the losses incurred by the victim organizations. The consequences are numerous, including financial losses, reputational damage, and even legal actions:

• Costs of Mitigating Credential Theft: Mitigating and recovering operations after or during an attack involves various costs for a company. A Ponemon study estimated the average annual cost for an organization to mitigate an incident at $6.6 million.
• Damage to Brand Reputation: A company's reputation is one of its most important assets. Credibility and consumer trust are essential for any company. Criminals who obtain corporate credentials with numerous attack possibilities indirectly hold the company's reputation.
• Legal Penalties Related to Privacy Laws: Privacy laws, such as the General Data Protection Regulation (GDPR), have become highly relevant concerns for companies, as they hold companies accountable for data breaches and incidents involving customer and employee privacy.
  
  

Criminals employ various strategies to obtain corporate credentials, in addition to using advanced techniques to hide their identities and locations.

Major Frauds Against Companies

Vendors' products on the Deep & Dark Web marketplaces are typically obtained through phishing attacks, malware, ransomware, Business Email Compromise (BEC), and credential stuffing attacks.

• Phishing Attacks: These are used to steal company credentials, often through fake websites. The strategies are well-known and involve a phony site designed to look like a legitimate login page, such as an online bank or application. To lead the user to the fake site, the attacker sends a spear phishing message from a trustworthy source, such as a bank, colleague, or authority. When the user tries to log in to the phishing site, the credentials are sent directly to the attacker.
  
  
• Ransomware Attacks: Cybercriminals can obtain credentials in the initial phase of the invasion, where encryption is applied to seize the company's confidential data and prevent access to information. The action can start like phishing, with a user clicking on a fake link or downloading an apparently legitimate file. The damage caused by ransomware attacks is enormous annually, with about $621 million in 2021 and $692 million in 2020 just in ransom payments. The losses from company shutdowns reach billions.
  
  
• Business Email Compromise (BEC): In 2021, this strategy accounted for 8% of the most applied cyberattacks against organizations, according to Unitrends. Application scenarios can vary, such as:
  • • CEO Fraud: occurs when the scammer poses as a director or executive, such as the CEO or CFO, to persuade the victim.
    • Employee Account Compromise: When a company employee's account is hacked and used by a cybercriminal.
    • Attorney Impersonation: The scammer poses as a lawyer to pressure the victim and obtain information.
      
      

Threat actors focus their BEC attacks on regions where Multi-Factor Authentication (MFA) implementation is still weak, such as in Latin America, where attacks are often successful.

• Malware Attacks: Malware is designed to steal browser session data, stored passwords, and other confidential information like vaults and cryptocurrency wallets. An example is the Oski malware, created in 2019 and written in C++. Oski is designed to steal data from approximately 60 applications and uses two obfuscation techniques, such as string encryption and dynamic loading of DLLs and functions.
  
  
• Credential Stuffing: This method involves using bots to test leaked credentials on other sites or commonly used passwords by users. If successful, the credentials can be sold as products in Deep & Dark Web marketplaces.
  
  

These strategies are just a few ways cybercriminals obtain corporate credentials and feed marketplaces. Despite the brief analysis, these insights are crucial as criminals exploit all possible vulnerabilities to gain credentials. In addition to the products and strategies mentioned, other channels are used, such as content streaming that promotes fraud, selling fake likes and followers, fraudulent advertising, etc.

Unsurprisingly, the data points to the urgent need to identify these activities and adopt more effective strategies to combat the trade of corporate credentials, as we will see next.

Identifying Stolen Credentials

Just as cybercriminals employ tactics to steal and sell corporate credentials, security professionals also strive to analyze and use strategies to identify these illegal markets, monitoring the Deep & Dark Web. Here are some examples:

• Snowball Sampling: is a methodology for locating hidden Deep & Dark Web services, including data collection and CTI flows. This method involves a web crawler architecture that uses a root URL and crawls the site for outbound links to other sites. It is similar to how early web crawlers worked and is widely used for Deep & Dark Web forums where information about leaks, thefts, and data trading is present.
  
  
• OSINT Intelligence Site Monitoring: Another way to identify stolen credentials and data is by monitoring obscure sites. Open-source intelligence (OSINT) uses advanced strategies to identify attacks, vulnerabilities, and successful attacks. Security professionals can obtain contextual information through surveillance, information sources, data collection, processing, and analysis, as well as by conducting more accurate threat landscape analyses.
  
  
• Social Media Analysis: Like the surface web, the Deep & Dark Web also has its social media, mainly forums for communication and posting stolen data and services. Therefore, a good analysis of Deep & Dark Web forums can provide important information about current attack trends, newly collected data, and cybercriminals' strategies in the Deep & Dark Web environment.
  
  

These strategies and many others comprise threat intelligence for monitoring, combating, and proactively responding to criminal activities involving corporate data on the Deep & Dark Web.

Tips to Protect Your Business

Several strategies and approaches exist to prevent your company’s credentials from ending up on Deep and Dark Web marketplaces.

• Use Unique Passwords for All Accounts and Systems: It may seem obvious, but it’s always important to reinforce using unique passwords for each account and system. Despite being obvious, this remains a significant challenge for organizations and employees. Encouraging a password manager can be an excellent alternative to mitigate this problem, avoiding password reuse across different applications.
  
  
• Patch Management: Patch management is essential for company security, especially when dealing with threats like credential theft. Develop a patch management strategy and ensure that all system updates are current.
  
  
• Enable MFA: Multi-factor authentication (MFA) can prevent most control attacks and add an extra layer of protection to access points. However, MFA is not infallible; cybercriminals can intercept, forge, and break this system.

What to Do If a Breach Occurs?

Even with all protective measures, it is impossible to prevent data exposure completely. Particularly with corporate credentials, we often talk about variables affecting thousands of employees and their personal experiences.

Whether through accidental or criminal exposure, perimeter risk monitoring is essential, with inspection and detection technologies agile enough for an immediate response.

Specialized solutions like Axur's Deep & Dark Web Monitoring allow detection in the main groups, channels, and closed and unindexed forums on the web, with technology to automate the handling these threats.

Learn more about Axur's Deep & Dark Web Monitoring and how to monitor and protect your business from these risks.

The Vital Role of MSSPs in Safeguarding Corporate Credentials

Managed Security Service Providers (MSSPs) are critical in protecting businesses against threats posed by the sale of corporate credentials on the Deep & Dark Web. By leveraging advanced threat intelligence and continuous monitoring, MSSPs can provide real-time alerts and rapid responses to potential breaches and ransomware attacks. Using sophisticated tools and platforms like Axur's, MSSPs proactively identify and mitigate risks associated with stolen credentials, ensuring their clients' sensitive information remains secure. This proactive approach helps maintain the trust of their customers while effectively combating sophisticated cyber threats, highlighting the indispensable role of MSSPs in modern cybersecurity.