How far do stolen data get in the deep web after a breach?

Pierluigi Paganini April 12, 2015

A group of experts at Bitglass used watermarks to track data through the Deep Web and discover how far does it get after a data breach.

Early detection of a data breach is crucial to limit the data exposure, unfortunately sometimes they are necessary many months before a breach is detected by security experts.

To give you an idea of how rapidly stolen data are spread following a data breach let me suggest you to give a look to the findings of an interesting experiment made by the firm Bitglass.

The experts used watermarks to track document data through Dark Web, the data appeared as realistic to the users that exchanged and spread them at an impressive speed.

The researchers used spreadsheets of 1,500 names, Social Security numbers, and other personally identifiable information and used attractive titles for them, such as “ssn_data_employees”, “Anthem” and “doxing.

“We watermarked the spreadsheet,” explained Bitglass CEO Nat Kausik. “You can’t see the watermark, but every time the file is viewed, it calls home and registers that its been viewed at this IP address.”

The files were hosted on a public Dropbox folder and a couple of other sites, including Onion-pastebin in the Tor Network.

“We created an excel spreadsheet of 1,568 fake employee credentials, then placed it on anonymous file sharing sites within the “Dark web,” using a Tor browser as our entry point. We tracked the data as it travelled to various sinister locations around the world, and as it was shared amongst cyber-crime syndicates overseas” states Bitglass.

According to the data provided in the recently released report, it took just 12 days for the data to be clicked more than 1,081 times in 22 different countries, in 5 different continents. This situation is alarming if we consider that a data breach, according to a report released last year by Mandiant, takes nearly 205 days be discovered.

This demonstrates how much rapid is the propagation of stolen data following a data breach, with obvious repercussion of the victims.

“The level of access after just 12 days was extraordinary,” reads the report. “Imagine how much further the data would spread in 205 days.”

The experts discovered that the countries historically associated with cyber criminals activities such as Russia, China and Brazil, were the principal access points for the identity data.

Deep web stolen data propagation

Further analysis on the time, location, and IP address revealed that the activities were conducted by two distict cyber crime syndicates, one operating from Nigeria and Russia.

The experts explained that the Deep Web represents an ideal environment where it is possible easy to sell stolen data.

“We noticed other posts where people would drop sample files and say, ‘Contact us if you want to buy more,’” he said. “People will buy it and then you just need to figure out what to do with the Bitcoins.”

Pierluigi Paganini

(Security Affairs –  stolen data, data breach, Deep Web)

you might also like

leave a comment