Amount of Bank Data for Sale on Dark Web up 135%: Report

The shadier parts of the internet are bursting at the virtual seams with account logins, card numbers and other stolen financial data put up for grabs, according to a new report from cyber intelligence platform company IntSights.

The New York City-based firm reported a 135% year-over-year increase in financial data for sale on dark web black markets between the first half of 2017 and the first half of 2018, and it saw a 149% spike in the amount of credit card information for sale on black markets over the past 18 months, according to data collected on its platform for the top 50 banks and financial services organizations in the United States and Europe.

Selling stolen financial data nets big money for criminals, according to the report. A single bank account login with full name, date of birth and full address can bring in about $20; a block of 1,000 bank account logins can sell for $5,000, for example.

“Black markets are full of vendors that offer ‘high balance bank accounts logins’ at major banks within the U.S., Europe and Asia,” the study said.

Using and selling stolen card data is also easy money for criminals, the study noted. Criminals get a double paycheck from the data – they use it to commit fraud and they sell it.

“The most common use for these illegally-obtained card numbers is purchasing goods. Whether online or in physical stores, small purchases of tens of dollars don’t attract unwanted attention, but can generate nearly 10 times more ‘free money’ than what the card is worth on a black market. This trend is expected to keep rising, as this is the most simple and safe way to reap profits with minimal to no risk,” IntSights said.

But for a single card with a relatively low balance (around $100), thieves can get at least $20 for full data (name, address, email, CVV, PIN and expiration date); data on high-balance cards (around $10,000) fetches up to $1,000 per card, according to the report. Data dumps, which usually contain CVVs, expiration dates and PINs, can garner $150 to $500 per group of 100 cards, depending on the quality. Payment service accounts run anywhere between a few dollars and $50.

IntSights also noted financial organizations are the most-attacked industry, and the number of attacks is rising. During the first half of 2017 there were an average 207 attack indications per U.S. bank. During the first half of 2018, however, that rose to 520, it said.

Attack indications included dark web chatter mentioning the company or financial institution, as well as the appearance of company data on target lists or in campaigns, and malware or malware code targeting these companies.

Many attacks involved targeting major transfer platforms such as SWIFT, as well as phishing emails and phishing websites that steal member and employee credentials, ATM scamming methods, ATM and point-of-sale attacks, DDoS campaigns and attacks on e-banking interfaces.

“Another growing trend is fake mobile banking applications,” the study added. “With this method, threat actors develop fake mobile applications to steal account credentials and login details from users who unknowingly download the app. Additionally, they will typically infect their victims with malware, usually for harvesting credential and personal information.”

The company reported a 24% increase in mobile banking malware infections between the second half of 2016 and the second half of 2017.

“We see many financial organizations too focused on stopping direct attacks to their corporate systems, however, our research shows that cybercriminals have begun circumventing these defenses using social media, mobile application stores and phishing schemes,” IntSights Director of Threat Research Itay Kozuch said.

One of the most sophisticated mobile attacks tools is the Android/LokiBot malware, which has crypto-ransomware capabilities, among other features, it said.

“This malware can encrypt files and lock devices, send phony notifications to trick users to open their online banking apps, and even allow the attacker to impersonate the victim’s IP address for use in other fraudulent activities. Android/LokiBot has targeted more than 100 financial institutions around the world,” IntSights warned.

In some cases, criminals are starting their own businesses selling “kits” online to help other criminals launch attacks. IntSights estimated that LokiBot has generated close to $2 million in revenue from kit sales on the dark web.