A review of fraud guides by Terbium Labs reveals the tactics used by cybercriminals to steal and exploit your data.
The Dark Web has garnered a reputation as a shady online hotspot where people trade in stolen data, hacking tools, and illicit information. Among the many items up for sale on the Dark Web are fraud guides—instruction manuals designed to teach criminals how to ply their trade. A report released Wednesday by web intelligence company Terbium Labs analyzed a large number of fraud guides, providing a look into the cybercriminal mind and methods as a way to help you better protect yourself and your organization.
Entitled "Fraud Guides 101: Dark Web Lessons on How to Defraud Companies and Exploit Data," the report examined almost 30,000 different fraud guides to determine what criminals are selling, what they're teaching, and what they're learning. In particular, Terbium's report revealed which types of data are the most valuable to criminals, and therefore the most vulnerable.
SEE: Dark Web activities: 10 signs that you've been breached (free PDF) (TechRepublic)
Among all types of data, email addresses are the most desired, as they were mentioned in more than 5,000 of the guides examined. Email addresses give criminals a reliable and unique means of identifying individuals for phishing campaigns and account takeovers. Using one's email address, criminals can easily track down that person's associated financial, retail, and social media accounts.
Other types of data in high demand are passwords, Social Security numbers, and dates of birth.
Passwords are popular in fraud guides, with tips and tricks on how to exploit them and sneak past them. The guides analyzed explain the best methods to hack a password, such as brute-force attempts, password resets, and bypassing certain controls to gain access. Criminals also know that people tend to use the same passwords across the Web or use the same password formula when creating a new account, and they use the knowledge to their advantage.
Social Security numbers are always vulnerable, as they act as a pointer or verification means to health records, government files, and financial institutions. Criminals can use SSNs to look up more information on an individual or create a fake identity as that person, the report noted.
Payment cards are the primary kind of financial data that crop up in fraud guides, according to the report. Payment cards are mentioned in 36% of the guides analyzed, followed by accounts and payment processor information. Criminals favor credit cards over debit cards 85% of the time, according to Terbium. That's because debit cards have certain limitations, so they're less useful for typical payment card schemes.
"Fraud guides illustrate the most popular, easy-to-use methods to commit cyber-enabled fraud," Emily Wilson, vice president of research at Terbium Labs, said in a press release. "The guides provide unique insights into how cybercriminals think, talk, and operate on the dark web. By evaluating the contents of these guides, we can better understand the dark web fraud trade and deploy effective strategies and technologies to protect our most critical data."
The report also discovered that fraud guides are cheap. The average cost for a single guide was $3.88, while a collection of guides sold for $12.99. The average price across all guides was $7.80. The most expensive individual guide ran $58 and taught people how to build synthetic identities. The cheapest individual guide cost 99 cents and was a brief tutorial on how to hack home Wi-Fi passwords.
Fraud guide collections about identity theft or account creation came with the greatest amount of supporting material, including templates, vector images, official seals, and examples of actual documentation. Criminals also tend to reuse the same guides. More fraud guides appear from 2010 than from 2017 and 2018 combined, the report found, with 26% of the guides more than a decade old. A full 75% of the guides examined were duplicates as people simply repackage and resell the same content under their own names.
For more, check out The Dark Web: A guide for business professionals on TechRepublic.
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Phishing attacks: A guide for IT pros (TechRepublic download)
- Information security policy template download (Tech Pro Research)
- Online security 101: Tips for protecting your privacy from hackers and spies (ZDNet)
- The best password managers of 2018 (CNET)
- Cybersecurity and cyberwar: More must-read coverage (TechRepublic on Flipboard)