Black Market Data: The Economy of the Dark Web

The Ease of Access to the Dark Web

Over the last year and a half, COVID-19 raked across the globe laying waste to our sense of normalcy. Our doors shuttered as Mother Nature sent us all to our rooms like petulant children who needed scolding. We isolated ourselves from society, we began working and schooling remotely, and our economy suffered. We have been living through grim times, and yet while we hid away in our homes, beneath the cover of the darkest parts of the internet, cyber criminals thrived.

When one discusses any sort of cybercrime-related topic or event, there’s often this image that comes to mind of a bad 90s movie portrayal of high-tech portals in shadow agencies and complicated binaries being executed in basements. Shady dealings occurring in Russian forums and difficult to reach corners of the internet only accessible by a l33t few. This is simply not the case. In fact, absolutely anyone can quite easily log in to these forums, build rapport, and take part in the black market. For some select goods and services, you need look no further than Facebook groups or Reddit. Our dark economy has become a lot more consumer-friendly, offering an interesting customer experience for those who care little about legality, or are otherwise driven to it in desperation. Furthermore, with the advent and growth of cryptocurrency’s popularity, many of these marketplaces offer favorable methods for anonymous money laundering.

What’s for Sale and What’s it Worth?

So what’s actually sold in these marketplaces, and what does any of it mean for individuals and businesses?

The short answer is anything and everything you could possibly think of. Illicit substances, prescription medications, weapons, proprietary or custom hacking tools, and counterfeit currencies are definitely up for grabs and is what many people imagine being part of these underground transactions, however it goes much deeper than just the most despicable of goods. Accessibility has broadened the market.

According to the Dark Web Price Index of 2021, a valid social security number goes for as little as $2 USD on average. Some pricier items include cloned or stolen credit cards–ranging from $20 to $250 USD.

It would be easy to note that a good many of the products listed in this index have such a vast range in cost, and there’s a simple reason as to why that is: higher privilege increases the cost, but availability keeps it in balance. The details of a cloned Mastercard is worth inherently less than the credentials to a banking account with a couple thousand dollars sitting in it. 

But even then, an average cost of $250 USD for that sort of product seems a touch insulting, doesn’t it? The unfortunate reality is that policies regarding cyber defense particularly in the United States have been woefully misguided and utterly inadequate, having left us vulnerable such to the point that just over a third of the banking and credit card information sold in these forums comes from US-based victims. We are cheap because we are easy and plentiful targets. 

Corporations need to be conscious of the fact that they generate a lot of sensitive data and documentation. If a company has been involved in a breach, it’s guaranteed that administrative account credentials, database contents, employee information, and other company secrets are being sold in underground markets. Administrative accounts and the personal information of managers and other high-level executives go for top dollar, depending on how devastating the information is.

On top of data actually being sold, companies of every size and type are popular targets of ransomware campaigns, which can be leased quite cheaply. These attacks are responsible for the complete destruction of 60% of affected SMBs. 

You can also find forged documents; after all, how else is one to fake their own death and run away to tropical exile? Everything from state IDs to forged vaccination records and passports can be used in a variety of different attacks and provide a fair bit of value. For example, sim swapping attacks are made severely easy with the purchase of a selfie holding an ID card. It is worth noting here that this is just another reason to ditch SMS-based, multi-factor authentication. 

MaaS: A Booming Enterprise

As mentioned earlier, malware is a favorite product for criminals.

Malware-as-a-Service and DDoS-as-a-Service is a particularly fascinating aspect of the dark economy because it enables absolutely anyone to perform malware attacks at massive scales. Once upon a time, every virus, worm, and botnet had to be meticulously coded from scratch. Bad actors had to be extremely technologically savvy to do serious damage to any individual or business. These days, anyone with $50 can change the contents of a website for about 24 hours via DDoS or Distributed-Denial-of-Service. The leased usage of an advanced keylogger—a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information—will run for about $130. 

You no longer need any particular skill to do serious damage. Many of these vendors offer subscriptions and 24/7 customer service. Patrons and vendors equally vet and rate each other, allowing their activities and transactions to remain safe from law enforcement. This business model allows more freedom for cybercriminals to specialize, resulting in more advanced tooling and greater impact. 

Cybersecurity Should Always Be Top of Mind

It’s easy to paint a dark, foreboding picture that demonizes every vendor and patron in the dark economy, but no form of criminal activity exists in a vacuum. The underground marketplaces make up an astonishing fifth of the global economy. For context, the Global GDP for 2020 was $81 trillion USD. The dark economy makes up a whopping $16.1 trillion of that. Criminal activity is incredibly lucrative and now anyone can join in. But to what end? Outside of money, what motivates this incredible market? 

Unfortunately, so little research has thus far been done on the psychological and sociological factors that come into play here. It is strictly my personal opinion that most of the motivating factors can be thrown into three categories: activism and ideology, financial gain, and scarcity. The dark economy is little more than an economy. It functions as such, and each economy, regardless of what form it takes, thrives first and foremost on need. This is also what makes the observation of an economy indicative of the strengths and weaknesses of the society in which it exists. A fantastic example of this is the effect online drug markets have had on harm reduction in addicts. Due to the rigorous communal vetting process, vendors are held more accountable to sell safer, higher-quality substances. Would this market even exist if we had more effective approaches to helping addicts, especially here in the US where our legal system operates on a racist, outdated model of criminalization and zero tolerance when evidence shows the system’s inefficacy? To an extent, possibly, but it’s doubtful it would be as big as it is now. 

Similar statements can be made for the sale of prescription drugs. In the US, many people have to choose between rent and medication, and medical neglect and malpractice is a plague. It’s no wonder that some may be driven to self-medicate with prescription drugs they find in illicit market places out of sheer desperation. 

Hacktivism and APTs (advanced persistent threats, or government-backed hacking groups) is another area of nuance. Large attacks targeting infrastructure are so rarely just about money or the sheer entertainment; a statement is intentionally being made. A cause is being fought for— and with the darknet being a safe haven for whistleblowers due to its anonymity, others either being more skilled or having more money to bankroll an operation are liberated to take action. DDoS-as-a-Service can be used to find other vulnerabilities, dox a website or group of people, or provide cover for other activities. When a group of individuals believe strongly enough in a cause, many things are possible—and there are casualties. 

When it comes to the targeting of most individuals and SMBs, it really is mostly about the money, and we are all but unlucky losers in a vast numbers game many people don’t even know they are playing. Our data is collected by large corporations and made recklessly available with insufficient protections, and this makes exploitation for financial gain easy. Attackers utilize our lack of education, our fear, and our senses of urgency to mine for and exploit our personal data. Small businesses are particularly popular as targets, as many of them do not have the funds or controls in place to mitigate risks and protect themselves. 

Cybersecurity is not generally a thought that comes to mind when building a business. 

Cybersecurity is not generally a thought that comes to mind when scrolling through social media. 

Attackers know and use this information. Many seasoned hackers will know us far better than some of us know ourselves because they are skilled at the art of human hacking. They have to be, in order to be successful and to remain under cover.

Self Defense

The Pandemic has undeniably accelerated the sophistication of technologies available to criminals while simultaneously spreading thin the world’s defenses. Data breach campaigns, botnets, and ransomware have whipped through the networks of businesses and individual users alike at unprecedented levels. How do we mitigate these devastating risks? While there is no way to completely and totally prevent your data from being stolen and sold in these forums, it is the responsibility of a given community to make it as difficult for these bad actors as possible and have a plan in place for when you find yourself being sold as an illicit commodity or the target of one.

First and foremost will always be practicing and encouraging good cyber hygiene. Cyber hygiene is just the processes and steps taken by users that affect their overall online safety—for the better or worse. Good cyber hygiene is ultimately the root of the rest of your defense and mitigation tactics, and the difference between good cyber hygiene for organizations and individual users comes down ultimately to scale. The process at its core is the same.

Educate yourself, your peers, and your employees on best practices. Password management, phishing awareness, and broad enforcement of multifactor authentication are excellent and critical first steps. Go deeper. Learn the signs of malware infection and pay attention to security alerts provided by vendors. There are so many attacks that could have been prevented by enabling a simple security control. Don’t let yourself or your company be an easy target.

Develop a plan for everything from accidentally clicking on a suspicious link to account compromise and malware infection. How are you going to respond and remediate?

Utilize antivirus software and endpoint protection. There are a variety of both proprietary and open-source options available for businesses and individuals. Just be sure to vet those solutions and install them on devices known to be healthy. If your baseline scan is infected, your solution is already useless.

Keeping backups on all necessary information, files, and infrastructure is your next best step. This is especially important given that ransomware is projected (and proving itself to be) the most prominent cyber threat for 2021 and for the foreseeable future—and governments are beginning to actively penalize users and businesses that opt to pay the ransom; sometimes the best solution is to simply wipe the device in question and restore from a recent backup. 

If you’re hosting a web application, server, or you’re a super nerd like me, get to know your traffic and plan for both redundancy and scalability. Knowing the standard traffic can help identify more specific symptoms of DDoS attacks and other attempts of compromise. And, building on that, ensure your firewall is prepared to block malicious traffic and signatures.

There’s no 100% guaranteed protection. You will be targeted. You will, at least once, find yourself hacked and your data being sold for nefarious purposes. That doesn’t mean that all hope is lost.

It is important to remember that the Dark Economy is just an economy, and crime doesn’t exist in a vacuum. The dark web is an intricate, complex place but it’s ultimately populated by people, and as such, can be dissected and understood. It is in understanding that we can make ourselves, our data, and our businesses the safest.

How Cybersecure is Your Data?

It’s never too early to incorporate DevSecOps into your technology build or existing application. If you’re embarking on a tech build and are unsure about its security, schedule a chat with us using this link. Whether you’re just scribbling out your technology vision or are on the brink of production, it’s never the wrong time to talk about technology security. 

This post was written by ‘Security Jackie’ Callaway, Security Analyst for Bitwise Tech Consulting. You’ll find them hunched over a cup of coffee like a rabid gremlin.

Shining a Light on Policing of the Dark Web: An Analysis of UK Investigatory Powers – Gemma Davies, 2020

Dark Web Price Index 2021 – Dark Web Prices of Personal Data

Dark Web Price Index 2020. Check all 2020 Dark Web Prices

Dark Web Markets for Stolen Data See Banner Sales

Does Legalization Reduce Black Market Activity? Evidence from a Global Ivory Experiment and Elephant Poaching Data 

Dark web: The economics of online drugs markets Dark Web Marketplaces and COVID-19: before the vaccine