Argus - Fotolia

Top dark web indicators of compromise

There are 10 common activities on the dark web that indicate a data breach or some other security compromise has taken place, according to a specialist monitoring firm

Monitoring the dark web can alert organisations to potential security breaches, enabling them to identify and respond faster to minimise the impact, say researchers at Terbium Labs.

The latest cost of data breach study by the Ponemon Institute and IBM Security shows that breaches are becoming increasingly expensive with the average UK data breach costing £2.69m including “hidden costs” that are difficult to manage.

According to Terbium, monitoring the dark web for 10 common activities is one way organisations can monitor proactively for stolen data or other security and privacy risks. These activities are:

1. doxing (collecting) information

Perhaps the most obvious indicator of a data breach is the posting of personal, financial and technical information relating to target organisations on dark web sites.

There is often a motivation behind these posts, such as political beliefs, hacktivism, vigilantism and vandalism.

2. The sale of payment card details

There is a robust economy for payment cards on the dark web and potential breaches can be identified by monitoring for new card details.

According to Terbium, a single card can cost between $5 and $20, with sellers updating markets with new cards regularly, sometimes daily.

Read more about threat intelligence

  • There are five key challenges to cyber threat intelligence sharing, according to a report by McAfee Labs.
  • Threat intelligence tools are a growing market, and enterprises need to be able to see through the hype to get the best product for them.
  • Learn how threat intelligence services benefit enterprise security and how to subscribe to the right threat intelligence service.
  • Threat intelligence is quickly becoming an essential ingredient for protecting corporate systems and data.

3. Posting of guides for opening fraudulent accounts

The dark web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organisation, indicating the potential breach of inside information.

For example, Terbium said that as the result of a major US bank changing security policies, fraudsters issued updated guides and techniques to circumvent the changes.

4. Posting of proprietary source code

A leak of source code can enable competitors to steal intellectual property and allow hackers to review the code for potential vulnerabilities to be exploited.

5. Database dumps

Third-party breaches can put organisations at risk by revealing employee credentials that can unlock other accounts or provide fodder for phishing attacks.

Posting internal databases can also reveal private contracts or partnerships between organisations, asid Terbium, such as one database that revealed all companies that had contracts on a construction project in Qatar.

6. Posting of templates to impersonate a customer account

The dark web is full of account templates that allow fraudsters to pose as customers of financial institutions, telecommunications companies and other service providers. These templates are then used to solicit loans, open accounts, or as part of a broader scheme for identity theft or fraud.

7. Posting links between employees and illicit content

Posts linking individuals who engage in illegal activities on the dark web, such as child exploitation, can draw undue negative attention to their employers or affiliated organisations.

One such post, said Terbium, listed the full name and contact information of a tech company that inadvertently provided technical support to a child exploitation site.

8. Posting tax-fraud documents

Before tax season each year there is a rush of activity on the dark web gather compromised identity information in order to file fraudulent tax returns before the legitimate taxpayer can. 

9. Sale of specialty passes

While most of the materials on the dark web are for generalised personal information, Terbium said dark web suppliers sometimes offer special access materials, which can range from the benign, such as amusement park tickets to military IDs.

One freshly launched dark web market offered physical press passes designed to help cyber criminals pass as legitimate journalists for specific events, for example.

10. Inexpert dark web searching

Security suppliers not properly immersed in the dark web can expose an organisation to harm by simply searching for information related to the company, said Terbium.

For example, one security supplier searched for a CISO's name so many times on the now-defunct dark web search engine, Grams, that the full name made it to the front page “trending” section of the site.

Read more on Hackers and cybercrime prevention