Threat Intelligence

Dark web fraud: How-to guides make cybercrime too easy

Daniel Dimov
June 29, 2020 by
Daniel Dimov

Introduction to dark web fraud

Dark web fraud constitutes a global information security problem. The widespread availability of how-to guides providing instructions on how to commit such fraud exacerbates the problem even further.

Before examining these how-to guides in detail, we need to explain the meaning of “dark web.” The web includes two main layers: the surface web, which consists of any content indexed by search engines, and the deep web, which comprises all content that is not indexed by search engines. Content in the deep web can be hidden behind paywalls, firewalls and other types of protection.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

The dark web constitutes a small portion of the deep web and appeared as a result of the development by the United States of software known as Tor. It allowed internet users to encrypt their location and information they sent and received. This, in turn, ensured their anonymity and privacy. The dark web is often used by criminals for various malicious purposes, such as sales of guns, drugs and other illegal materials. It is estimated that the content available on the dark web constitutes less than 0.005% of the content available on the surface web.

Large volumes of content exchanged through the dark web include how-to guides. According to a Terbium Labs study that covers three major dark web exchanges, 49% of the data sold through those exchanges consists of how-to guides. 

In this article, we will examine the types of how-to guides sold through the dark web. Afterwards, we will discuss their reliability. Finally, we will provide concluding remarks.

Typology of how-to guides

How-to guides can, depending on their purpose, be divided into five categories: account takeover, phishing, doxing, cashing out and synthetic identity fraud. 

1. Account takeover

The term “account takeover” refers to a situation where a fraudster gets unauthorized access to a genuine customer’s account, such as online banking accounts, email accounts and accounts providing access to subscription services. Once the fraudster gets access to a customer account, he or she may use it for various purposes, including but not limited to purchasing goods or services, acquiring more sensitive information which can be used to blackmail the victim and spreading malware to the contacts of the victim.

How-to guides may include detailed instructions on how to use software for automatic detection of vulnerabilities in corporate computer systems. It is believed that such software was used to conduct the British Airways cyberattacks, which enabled hackers to access tens of thousands of frequent-flyer accounts.

2. Phishing

How-to guides may also teach criminals how to conduct phishing attacks. Research conducted by Cyren revealed that 5,335 new phishing how-to guides were made available in 2019 alone. The same research indicated that 87% of the phishing how-to guides included at least one evasive technique, such as content injection, HTML character encoding, and the inclusion of URLs in attachments.Let’s look at those a little more closely. Content injection refers to changing the content of a page on a legitimate website in such a way as to redirect users of that website to a phishing page. HTML character encoding means the inclusion of phishing code in a webpage in such a way as to prevent security crawlers from detecting keywords associated with phishing (e.g., “credit card” and “password”). The inclusion of URLs in attachments is a technique allowing fraudsters to hide links to phishing websites in files.

3. Doxing

Doxing is the practice of finding out sensitive information about an individual or organization and making it publicly available with the aim to harass, shame or extort the victim. Doxing how-to guides contain instructions on how to find sensitive information, how to post it in such a way as to prevent the removal of the information and how to obtain monetary gain through extortion.

4. Cashing out

Cashing-out how-to guides contain instructions on how to cash out voucher codes, bank accounts, credit cards, gift cards and other payment methods. In some cases, such guides may provide links to e-commerce websites that can accept stolen financial data purchased through the dark web. In other cases, they describe the steps one needs to take to clone payment instruments, such as debit and credit cards.

5. Synthetic identity fraud

To commit a synthetic identity fraud, one needs to combine stolen information from unsuspecting individuals and combine it with false information, such as dates of births, addresses and names. The resulting synthetic identities are less likely to be detected because of the lack of a clearly identified victim.A report from the US Federal Reserve indicates that synthetic identity theft constitutes the fastest growing type of identity fraud. In 2016 alone, the losses caused by this type of fraud exceeded USD 6 billion. Many how-to guides contain detailed descriptions of methods used to combine actual and fake data in such a way as to mislead the relevant financial institutions into believing that the synthetic identities are genuine.

The reliability of the how-to guides

How-to guides are highly unreliable. In many cases, they provide no useful information and the buyer cannot demand his or her money back. In this regard, Tyler Carbone, a CEO at Terbium Labs, noted: “Ironically, many fraud guides are themselves fraudulent. Bad actors create fake guides, and try to make a profit selling them before buyers catch on.” Of course, this is not surprising as people who teach others on how to commit fraud should not be expected to be honest and ethical. 

Some how-to guides may even include malware to be used by their buyers to commit fraud. Quite often, such malware may actually infect the computers of the buyers. Thus, the buyers who pay for purchasing how-to guides may actually pay for infecting their own computers.

According to the researchers of Terbium Labs, about 11% of all how-to guides are fraudulent. Although the remaining 89% how-to guides contain genuine information about how to commit fraud, many of them contain obsolete data (more than a decade old) or duplicated data (e.g., publicly available data repackaged by the hackers as their own).

Irrespective of the reliability of how-to guides, these materials may provide people with weak computer skills with the opportunity to conduct serious cyberattacks. This is not only because they often contain detailed and simple instructions, but also because they may include ready-made malware that can be used during the attacks and databases of stolen sensitive information which can facilitate fraudulent operations. The average price of stolen sensitive information on the dark web is about $8.50, but one can find such information even at the price of $1.

Concluding remarks regarding how-to guides

How-to guides have the potential to increase the number of global cyberattacks because they reduce the financial and competence requirements required for conducting such attacks. Anyone who can pay about $4 for a how-to guide or about $16 for a collection of how-to guides under a single listing is now able to engage in account takeovers, phishing, doxing, fraudulent cashing-out, synthetic identity fraud and other malicious activities. 

This means that how-to guides can be regarded not only as an information security problem but also as a social problem because their use can lead to the paralysis of the functioning of various social organizations such as governments, hospitals and companies.

Hands-on threat intel training

Hands-on threat intel training

Learn how to collect, analyze and act on cyber threat intelligence with expert instruction and hands-on exercises in Infosec Skills.

 

Sources

  1. What's Hot on Dark Net Forums? 'Fraud Guides', Bank Info Security
  2. How financial crimes are hidden in the dark web, Equifax UK
  3. What is Synthetic Identity Fraud?, ID Analytics
  4. Synthetic Identity Theft, Investopedia
  5. Account takeover fraud, Ravelin
  6. Bad news: Dark web sales of fraud guides are booming. Good news: They're useless fakes, ZDNet
  7. British Airways frequent-flyer accounts hacked, The Guardian
  8. Evasive Phishing Driven by Phishing-as-a-Service, Cyren
Daniel Dimov
Daniel Dimov

Dr. Daniel Dimov is the founder of Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. Daniel is a fellow of the Internet Corporation for Assigned Names and Numbers (ICANN) and the Internet Society (ISOC). He did traineeships with the European Commission (Brussels), European Digital Rights (Brussels), and the Institute for EU and International law “T.M.C. Asser Institute” (The Hague). Daniel received a Ph.D. in law from the Center for Law in the Information Society at Leiden University, the Netherlands. He has a Master's Degree in European law (The Netherlands), a Master's Degree in Bulgarian Law (Bulgaria), and a certificate in Public International Law from The Hague Academy of International law.