The Dark Web is a hidden universe contained within the “Deep Web”, a sublayer of the Internet that is hidden from conventional search engines. Search engines like Google, Bing and Yahoo only search 0.04% of the indexed or “surface” Internet. The other 99.96% of the Web consists of databases, private academic and government networks, and the Dark Web. The Dark Web is estimated at 550 times larger than the surface Web and growing. Because users can operate anonymously there, the Dark Web holds a wealth of stolen data and illegal activity.
Dark Web ID service is designed to help both public and private sector organizations detect and mitigate cyber threats that leverage stolen email addresses and passwords. Dark Web ID leverages a combination of human and artificial intelligence that scours botnets, criminal chat rooms, blogs, Websites and bulletin boards, Peer to Peer networks, forums, private networks, and other black-market sites 24/7, 365 days a year to identify stolen credentials and other personally identifiable information (PII).
Dark Web ID focuses on cyber threats that are specific to our clients’ environments. We monitor the Dark Web and the criminal hacker underground for exposure of our clients’ credentials to malicious individuals. We accomplish this by looking specifically for our clients’ top-level email domains. When a credential is identified, we harvest it. While we harvest data from typical hacker sites like Pastebin, a lot of our data originates from sites that require credibility or a membership within the hacker community to enter. To that end, we monitor over 500 distinct Internet Relay Chat (IRC) channels, 600,000 private websites and 600 Twitter feeds, and execute 10,000 refined queries daily.
Typically, this data means that an employee used their work email as a user login on a third-party website, that website got breached, and the logins and passwords of that website are now compromised. So ultimately what is compromised is their work email along with a password.
In most cases, when a password comes up that an individual has never used, they have either forgotten they used it before, someone is testing a password, or someone is creating a fictitious account for fraudulent purposes. Often, when nefarious characters handle breach data, they work to put a value on the data. This may involve attempting to confirm the validity of a username/password combination. If such testing is positive, the password is often left in the source data. If the test is negative, the handler may fill in a placeholder value to indicate that the username/password could not be confirmed as valid. The DWID platform has controls in place which allow us to filter out password values that have been identified as “invalid”, so you may notice some results from Live Search that have blank password fields. We do this to help avoid confusion. You may be asking how much weight you should give a Compromise with a blank password or placeholder value. Our guidance is to treat such Compromises with the same weight you would one that has a clear-text password. There may be a variety of reasons the handler chose to put in a placeholder value, but your clients’ credentials were found in a place known to be a source of nefarious activity, and you should work to help them protect themselves from further exposure.
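As an added illustration (not Dark Web ID's own code), this script applies the two points above to a harvested dump: it keeps only records whose address belongs to a monitored top-level email domain, and it reports blank or placeholder passwords as compromises of equal weight rather than dropping them. The sample records and the placeholder strings are constructed for the example; the page does not list the actual values handlers use.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of an "email:password" dump (not real breach data).
SAMPLE_DUMP = """\
alice@example.com:Summer2019!
bob@example.com:[not verified]
carol@sales.example.com:N/A
dave@other-corp.test:hunter2
erin@example.com:
frank@example.com:<blank>
"""

# Assumed placeholder strings a handler may substitute when a credential
# failed their validity test. Blank values are treated the same way.
PLACEHOLDER_PATTERNS = [r"^\s*$", r"^\[?not verified\]?$", r"^n/?a$",
                        r"^<?blank>?$", r"^null$", r"^none$"]

@dataclass
class Compromise:
    email: str
    password: Optional[str]   # None when the value was blank or a placeholder
    domain: str               # the monitored domain that matched

def is_placeholder(value: str) -> bool:
    return any(re.match(p, value.strip(), re.IGNORECASE) for p in PLACEHOLDER_PATTERNS)

def monitored_domain(email: str, domains: Set[str]) -> Optional[str]:
    """Return the monitored top-level domain the address belongs to, if any.
    Subdomains count, so carol@sales.example.com matches example.com."""
    host = email.rsplit("@", 1)[-1].lower()
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None

def triage(dump: str, domains: Set[str]) -> List[Compromise]:
    found = []
    for line in dump.splitlines():
        if ":" not in line:
            continue                      # malformed record, skip it
        email, pwd = line.split(":", 1)
        dom = monitored_domain(email.strip(), domains)
        if dom is None:
            continue                      # not one of our clients' domains
        # A blank or placeholder password is still a compromise: the address
        # was in the dump, only the password could not be confirmed.
        found.append(Compromise(email.strip(), None if is_placeholder(pwd) else pwd, dom))
    return found

if __name__ == "__main__":
    for c in triage(SAMPLE_DUMP, {"example.com"}):
        print(c)
```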
We pull in very large data sets that include passwords. Sometimes in those data sets a variety of credentials do not include passwords, while in other cases several categories of PII (Personally Identifiable Information), such as name, DOB, address or SSN, may have been exposed. Why does the PII matter in the absence of a password? Often, the categories of PII are extremely sensitive and may include credit card information or home addresses. These can be catastrophic to the individual, and it is an excellent opportunity for you (the MSP) to sell SpotLight ID as a secondary product offering.
While employees may have moved on from your organization, their company-issued credentials can still be active and valid within the third-party systems they used while employed. In many cases, the third-party systems or databases that have been compromised have been in existence for 10+ years, holding millions of “zombie” accounts that can be used to exploit an organization. Discovery of credentials from legacy employees should be a good reminder to confirm you have shut down any active internal and third-party accounts that could be exploited.
In most cases, someone is testing a password against a series of users to gain access.
While we can’t say definitively that the data we’ve discovered has already been used to exploit your organization, the fact that we are able to identify this data should be very concerning. Organizations should consult their internal or external IT and/or security teams to determine if they have suffered a cyber incident or data breach.
Once the data is posted for sale within the Dark Web, it is quickly copied and distributed (re-sold or traded) to a large number of cyber criminals within a short period of time. It is generally implausible to remove data that has been disseminated within the Dark Web. Individuals whose PII has been discovered on the Dark Web are encouraged to enroll in an identity and credit monitoring service immediately: https://www.idagent.com/products/access-identity-management/