Data Breach Sales: What’s Trending on the Dark Web?

Financial, Retail, and Healthcare Sectors Among Hardest-Hit

Every year Flashpoint analyzes all of the activity that we observed in threat actor communities where the discussion centered on the sale and distribution of breached data. In our observations this year, we found that over 69% of all data breaches were concentrated within five industry sectors (see Figure 1): Financial Institutions (19%), Retail (17%), Healthcare (12%), Technology (12%), and Government (10%).

COVID-19 Cybercrime Disrupts Organizations Worldwide

The global COVID-19 coronavirus pandemic played an outsized role, altering threat activity and tactics as security and fraud teams scrambled to transition to entirely remote workforces, surging eCommerce transactions, and new trending fraud schemes.

Financial institutions dealt with a wide gamut of COVID-19-related cybercrime, including stimulus check fraud and new social engineering tactics, tricking bank customers into handing over their personal and banking information. The US Federal Trade Commission (FTC) is now warning of more than USD $343 million in coronavirus fraud. With a new wave of stimulus checks likely on the way soon in 2021, this number is poised to surge yet again.

Retail and healthcare industries were also badly battered by coronavirus-related threats. Retail cybersecurity teams dealt with the rapid transition of online sales, as threat actors sought to exploit misconfigurations, such as SQL injections and other web vulnerabilities. Meanwhile, hospitals, which were already stretched thin treating COVID-19 patients, were left exposed to increases in threat actor attempts to gain admin-level access to data and patient health information (PHI) to sell or use in their own extortion schemes.

Threat Actors Concentrate Data Breach Ads on Exploit and Raid Forums

Threat actors most frequently posted about or advertised data breaches on Exploit and Raid Forums (see Figure 2). Data breach advertisements on these forums typically promote sellers’ access to victim networks, offering information to prove the validity and value of the access offered.

Breach advertisement details vary, most commonly including details about the victim organization, the type and level of access, pricing and escrow information, and proof to verify the validity of the access. In some cases, particularly on the Exploit forum, cybercriminals will auction their breached data and indicate if they’re willing to work through escrow (with those who are deemed as more credible).