Fraud experts have long known that “dark web” sites provide information, support and illicit goods to hackers and other criminals. But security company Terbium Labs recently published a report analyzing a treasure trove of fraud guides for sale on shady sites. These “educational” publications provide crooks with detailed instructions on exploiting security weaknesses to hack networks, obtain financial information and steal identities.
Although Terbium found that most of the guides it downloaded were relatively useless, there were still plenty that provided effective tips on compromising networks and disrupting antifraud procedures. The guides cover everything from account takeovers to phishing to counterfeit documents to stolen credit cards. Often, they discuss specific companies. For example, a “Bank Drop Creation Guide” provides detailed instructions on how to create a fraudulent bank account at nine specific financial institutions.
Some of the most dangerous information contained in these fraud guides tells would-be hackers how to use social engineering to breach companies’ security. Using the above example, a guide might contain a script crooks can follow to persuade a bank employee that a fraudulent account is legitimate.
Terbium’s analysis of the guides found that certain types of personal information were particularly prized by thieves. Email addresses, which enable phishers to personalize their come-ons and track down a target’s full name and social media accounts, led this list. Passwords, not surprisingly, were a close second. User names, Social Security numbers and dates of birth were also highly sought after.
Among financial data, hackers prefer payment card information — though they show a clear preference for credit cards over debit cards. Card numbers are considered easy to obtain (millions of card numbers are available on the dark web), so the guides provide tips on maximizing profits before fraudulent purchases trigger alarms with the victim or card company.
What can you do?
Given the number of fraud perpetrators and wealth of information available to help them commit crimes, you may wonder how you can protect your personal financial or business’s customer data.
Individuals can reduce their risk by ignoring suspicious emails and disclosing financial information only on sites that provide SSL certificate authentication and encryption. Also, they should share even innocuous-seeming information, such as email addresses, only when necessary. Businesses need to work with experts to build a data security system that addresses their specific risks — and to update it religiously. Also, be sure to implement policies and procedures that prevent employees from inadvertently assisting fraud perpetrators. Contact Ashley Sparks, CPA, CFE at firstname.lastname@example.org for help creating internal controls that will reduce your company’s fraud vulnerabilities.