Dark web's top 4 document categories exposed: Unveiling the lucrative world of identity theft

October 26, 2023

Fraudsters were quick to recognize the criminal potential of the internet. One 2014 study put the cost of cybercrime to the global economy at $450 billion; a different study put it at $3 trillion just a year later (the two used different methods, so part of the jump is a change in how losses are counted), and some studies project annual losses of more than $10 trillion by 2025.

Identity theft forms a large, and growing, proportion of this crime.

As our digital dependence has grown, criminals have seized on vast new opportunities to profit from the sale of our personal information. With 2023 not yet over, losses due to identity theft are already estimated at $10.2 billion, up from $6.9 billion in 2022.

Identity theft now tops the list of the types of fraud most frequently reported to the Federal Trade Commission (FTC), with 1.4 million out of a total 5.7 million fraud reports made relating to identity theft.

Providing the gateway to all this stolen data are criminal marketplaces, many of them on the dark web.

Online criminal marketplaces provide a venue tailored to criminals’ trade. They can be found on the ‘clear web’ (anything openly reachable and indexed on the internet), the ‘deep web’ (content that search engines do not index, such as pages that sit behind a username and password) and the ‘dark web’ (hidden from regular browsers and reachable only through special software such as Tor). Using a combination of encrypted messages, aliases and cryptocurrency, criminals can operate anonymously and away from the gaze of law enforcement.

Working with DarkTower, we looked behind the curtain to shed some light on the shadowy corners of the dark web where identities are traded.

Here is what we found most commonly being bought and sold on these criminal marketplaces:

1. Username and password kits

2. Stolen account data kits ("fullz")

3. CPN kits

4. Counterfeit identity documents

I. Username & Password Kits: The Hacking Epidemic

Hacking remains one of the biggest security threats in the United States, and 2022 saw a large rise in cyberattacks. Fuelling this rise is the marketplace for stolen data: an estimated 24 billion username and password combinations are now available on the dark web, roughly three for every person on the planet.

So how does such a large amount of sensitive information end up on the dark web?

Social engineering

Yahoo’s breaches of 2013 and 2014 ultimately exposed the personal information of all 3 billion of its user accounts. In the 2014 intrusion, hackers working for Russian intelligence officers, according to the 2017 US indictment, gained access to Yahoo’s user database.

To get into the company’s network, the hackers sent e-mails designed to look trustworthy to a number of Yahoo employees, inviting them to click a link. One click gave the attackers a foothold inside Yahoo’s network, from which they reached the user database and internal management tools, and they installed a backdoor to guarantee return access.

This method needed just one employee to click the link, and one Yahoo employee did.

This kind of attack is known as ‘spear phishing’. It is a form of social engineering aimed at specific, researched targets rather than the public at large, designed to dupe victims into opening an email, text or direct message and clicking a link that gives the attackers a way into a system.

A similar attack in 2020, this time on Twitter employees, led to the accounts of Microsoft founder Bill Gates, Democratic presidential candidate Joe Biden and reality star Kim Kardashian being compromised. Twitter said the attackers used a phone spear-phishing attack against employees to obtain access to internal tools. The attackers tweeted from the hijacked accounts and netted more than $100,000 by promoting a Bitcoin scam.

Data theft occurs through a variety of means.

Replay attack

In a ‘replay attack’ (also called a ‘repeat attack’ or ‘playback attack’), the attacker captures a valid transmission, such as a login message, a session token or a hashed credential, and re-sends it later so that the receiver treats the attacker as the original sender. The attacker does not need to read or decrypt the captured data; it only needs to be accepted a second time, which is what gives the attack its name. Systems defend against it by making each authentication message single-use: a random nonce, a timestamp or a session identifier that the server checks and remembers, carried over an encrypted channel such as TLS.
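The mechanics of a replay are easier to see in code. The following is an example added by the editor, not code from the original article or from Mitek or DarkTower: a client authenticates to a server by sending a message plus an HMAC over it. A verifier that checks only the MAC accepts the same captured bytes a second time; a verifier that also requires a fresh timestamp and a single-use nonce rejects the replay and rejects stale messages. The message format (`user|timestamp|nonce`), the shared key and the 30-second freshness window are assumptions made for the example.

```python
import hashlib
import hmac
import os
import time

# Constructed shared secret for this example only; a real system provisions
# a per-client key and never hard-codes it.
SHARED_KEY = b"example-shared-key-not-for-production"


def sign(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """HMAC-SHA256 over the message bytes."""
    return hmac.new(key, message, hashlib.sha256).digest()


def build_message(user: str, now=time.time) -> tuple[bytes, bytes]:
    """Client side: 'user|timestamp|nonce' plus its MAC (assumed format)."""
    nonce = os.urandom(8).hex()
    msg = f"{user}|{now():.3f}|{nonce}".encode()
    return msg, sign(msg)


class NaiveVerifier:
    """Checks only that the MAC is valid. The MAC proves a key holder produced
    the message, but not that it is being sent for the first time, so an
    eavesdropper can re-send ("replay") the captured bytes."""

    def verify(self, message: bytes, mac: bytes) -> bool:
        return hmac.compare_digest(sign(message), mac)


class ReplaySafeVerifier:
    """Also checks freshness: the timestamp must fall inside the window and
    the nonce must not have been accepted before within that window."""

    def __init__(self, window_seconds: float = 30.0, now=time.time):
        self.window = window_seconds
        self.now = now
        self.seen = {}  # nonce -> timestamp at which it was accepted

    def verify(self, message: bytes, mac: bytes) -> bool:
        if not hmac.compare_digest(sign(message), mac):
            return False  # forged or tampered
        try:
            _user, ts_str, nonce = message.decode().split("|")
            ts = float(ts_str)
        except ValueError:
            return False  # malformed message
        current = self.now()
        if abs(current - ts) > self.window:
            return False  # stale: a capture cannot be used much later
        # Forget nonces older than the window; they can no longer pass the
        # timestamp check anyway, so the remembered set stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if current - t <= self.window}
        if nonce in self.seen:
            return False  # same nonce again inside the window: a replay
        self.seen[nonce] = ts
        return True


def demo_replay(now=time.time) -> dict:
    """Legitimate client sends once; an eavesdropper re-sends identical bytes."""
    msg, mac = build_message("alice", now)
    naive, safe = NaiveVerifier(), ReplaySafeVerifier(now=now)
    return {
        "naive_first": naive.verify(msg, mac),
        "naive_replay": naive.verify(msg, mac),  # accepted again: the flaw
        "safe_first": safe.verify(msg, mac),
        "safe_replay": safe.verify(msg, mac),  # rejected
    }


if __name__ == "__main__":
    print(demo_replay())
```

Note that the naive verifier is given exactly the same message, timestamp and nonce included; adding those fields to the wire format does nothing until the server actually checks them, and without TLS an attacker can still harvest messages to replay inside the window.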

SQL injection attacks

On other occasions, hackers steal data using techniques like SQL injection. When an application builds a database query by pasting user input into the SQL text, an attacker can supply input that changes the query’s meaning and thereby spoof another user’s identity, read, tamper with or destroy existing data, and in some configurations gain administrative control of the database server.

A 2008 breach that affected Heartland Payment Systems, Hannaford Bros., 7-Eleven and other retailers used SQL injection to penetrate corporate systems and ultimately resulted in the theft of some 130 million credit card numbers.
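To make the mechanism concrete, here is an example added by the editor (not code from the article, Mitek or DarkTower) using Python’s built-in `sqlite3` against a constructed two-row user table. The vulnerable login builds its query by string concatenation; the safe one binds the same inputs as parameters. The payloads show the three outcomes the paragraph names: logging in as `admin` without the password (identity spoofing), matching every row (authentication bypass) and pulling other columns out of the table with `UNION` (data theft). Table name, column names and the sample accounts are assumptions for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table for the example (plaintext passwords
    only to keep the injection visible; real systems store salted hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", "admin"), ("alice", "alice-pw", "user")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    """Builds the statement by string concatenation, so whatever the user
    types is parsed as SQL. Returns every row the resulting query matches."""
    query = (
        "SELECT username, role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password: str) -> list:
    """Parameterized query: the driver binds the values as data, so quotes,
    comment markers and UNIONs in the input are just characters to compare."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# Constructed payloads. In SQLite (as in most dialects) "--" starts a comment,
# so everything after it, including the password check, is discarded.
SPOOF_ADMIN = "admin'--"
ALWAYS_TRUE = "' OR '1'='1"
DUMP_TABLE = "' UNION SELECT password, username FROM users--"


def demo() -> dict:
    conn = make_db()
    return {
        # Log in as admin without the password: the comment removes the check.
        "vuln_spoof_admin": login_vulnerable(conn, SPOOF_ADMIN, "wrong"),
        # Tautology matches every row: authentication bypass.
        "vuln_always_true": login_vulnerable(conn, ALWAYS_TRUE, ALWAYS_TRUE),
        # UNION appends other columns to the result: data theft.
        "vuln_dump": login_vulnerable(conn, DUMP_TABLE, "x"),
        # The same payloads against the parameterized query match nothing.
        "safe_spoof_admin": login_safe(conn, SPOOF_ADMIN, "wrong"),
        "safe_dump": login_safe(conn, DUMP_TABLE, "x"),
        "safe_legit": login_safe(conn, "alice", "alice-pw"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tamper-and-destroy cases (a `'; DROP TABLE users;--` style payload) are not shown because `sqlite3.execute()` refuses to run more than one statement per call; drivers and dialects that allow stacked statements make those just as easy as the read-only payloads above, and the fix is the same: parameterize every query and give the application account the least privilege it needs.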

Password security

Weak passwords and poor password hygiene provide a gateway for data theft. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen or weak passwords.

Credential stuffing preys on password reuse. Attackers buy lists of stolen username and password pairs and test each pair, usually with automated tools, across many websites and social media platforms to see which accounts they can get into. It works because people reuse the same username and password across accounts, so a single breach unlocks others.

A brute force attack uses trial and error to guess login credentials. It is simple and, against accounts with no rate limiting or lockout, still effective, which is why this old technique remains popular. The attacker tries many passwords for a username (or a few common passwords against many usernames), usually with software that tests large numbers of combinations at speed, until one works.
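The two techniques leave different footprints in authentication logs, and that difference is what a detection rule keys on. The following is an example added by the editor (not the article’s, Mitek’s or DarkTower’s code): it parses a constructed, assumed log format of one line per login attempt, aggregates attempts per source IP, and labels a source as brute force when it racks up failures against one or two accounts, and as credential stuffing when the failures are spread across a different username almost every time, which is what testing a leaked list pair by pair looks like. The thresholds are assumptions and would be tuned to real traffic.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed log format for the example: one authentication attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class IpStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)


def aggregate(lines) -> dict:
    """Per-source-IP counts of attempts, failures and distinct usernames."""
    stats = defaultdict(IpStats)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not an auth event; skip
        s = stats[m["ip"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
    return stats


def classify(stats, min_attempts: int = 10, min_fail_rate: float = 0.8) -> dict:
    """Brute force: many failures against one or two accounts.
    Credential stuffing: many failures, each against a different account,
    because every leaked pair is tried roughly once. A busy but mostly
    successful source (an office NAT) trips neither rule."""
    verdicts = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        if s.failures / s.attempts < min_fail_rate:
            continue
        if len(s.users) / s.attempts >= 0.8:
            verdicts[ip] = "credential_stuffing"
        elif len(s.users) <= 2:
            verdicts[ip] = "brute_force"
    return verdicts


def _line(sec: int, ip: str, user: str, result: str) -> str:
    return f"2023-10-26T10:00:{sec:02d}Z ip={ip} user={user} result={result}"


# Constructed sample log (not real traffic):
#  198.51.100.7  hammers one account, succeeds on the 12th try   -> brute force
#  203.0.113.9   tries 15 different accounts once each, one hit  -> stuffing
#  192.0.2.1     12 different employees all logging in normally  -> benign NAT
#  192.0.2.2     one user mistypes once                           -> too few
SAMPLE_LOG = (
    [_line(i, "198.51.100.7", "bob", "FAIL") for i in range(11)]
    + [_line(11, "198.51.100.7", "bob", "OK")]
    + [_line(i, "203.0.113.9", f"user{i:02d}", "FAIL") for i in range(14)]
    + [_line(14, "203.0.113.9", "user14", "OK")]
    + [_line(i, "192.0.2.1", f"emp{i}", "OK") for i in range(12)]
    + [_line(0, "192.0.2.2", "alice", "FAIL"), _line(1, "192.0.2.2", "alice", "OK")]
)


def detect(lines=SAMPLE_LOG) -> dict:
    """Run aggregation and classification over a sequence of log lines."""
    return classify(aggregate(lines))


if __name__ == "__main__":
    print(detect())
```

In production the same counters would be kept per IP over a sliding window and joined with per-account counters, since stuffing campaigns rotate source addresses; the response that actually stops both attacks is rate limiting, blocking passwords known to be in breach dumps, and MFA.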

Insider threats

Some of the greatest threats to cybersecurity do not come from external sources. ‘Insider threats’ are security breaches caused by current or former employees at an organization. They are one of the most difficult categories of cyber risk to mitigate because they defy most traditional, external-facing security strategies.

Insider threats generally fall into three categories: accidental breaches stemming from actions such as clicking on a link in a phishing email; employees taking damaging actions deliberately for financial gain; or aggrieved former or current employees with an axe to grind trying to cause a serious security issue to cause harm to a business or another employee.

In 2020, 36% of reported data breaches were caused by internal malicious actors. The most common cause was disgruntled former employees with around 20% of companies reporting breaches stemming from ex-team members.

However, it is not uncommon for employees to be approached by third parties offering to pay for access to data. Often this is customers’ personal data, which criminals can use to access their accounts fraudulently or to attempt identity fraud, for example by posing as the customer when calling a financial institution.

 

THE IMPACT OF DATA BREACHES

Once in possession of stolen username/password combinations, criminals may assume the identity of victims and:

  • Use credit or debit card information to make unauthorized purchases

  • Apply for credit cards or loans

  • Steal money from bank accounts, retirement accounts and other financial accounts

  • Change billing addresses and add new users to accounts

  • File for government benefits

  • Rent an apartment, car, or apply for a job

  • Apply for driver's licenses or passports

Or:

  • Sell the information on criminal marketplaces.

‘Logs’, in criminal parlance, are archives of data harvested from compromised browsers and systems by information-stealing malware. What makes them valuable is that they commonly bundle account credentials, browser cookies and saved credit cards; a stolen session cookie can let a buyer enter an account without the password and, often, without triggering multi-factor authentication.

Because a single attacker can obtain the sensitive data of hundreds of millions of people in one breach, the damage from data theft can be immense, both to individual victims and to trust in organizations.

 

II. Stolen Account Data Kits: Fueling SIM Swap Fraud

Fullz

A stolen account data kit is often referred to as a ‘fullz’ by criminals on the dark web. Fullz are a set of stolen personal information that can be used to impersonate the victim, steal from them, or conduct illegal activity in their name.

It will usually include a person’s name, social security number, date of birth, address, phone number, account numbers, and other personal information that cybercriminals use for identity fraud. That could mean opening new lines of credit in the victim’s name or taking over and emptying their bank accounts. Additional data, such as a driver’s license number, or photo, will raise the price of a fullz.

The geographical location of the identity for sale largely determines the sale price. Americans have the cheapest fullz, averaging $8 per record. Japan, Australia, the UAE, and Europe have the most expensive identities at an average of $25. The sale price is also determined by the credit limit available on a stolen account.  The average price for stolen credit card details is currently around 0.33 cents per dollar of credit available*.

Job scams

There have been rising cases of ‘job scams’ where fraudsters have posted job advertisements on online job boards. Sometimes, as part of their application, victims are asked to provide their name, date of birth, address, and a variety of scanned documents containing highly valuable personal data which can contribute to identity theft.  However, more often, job scams can involve the person being “hired” to unknowingly participate in reshipping fraud, money laundering, and check fraud.  These job scams are often posted in Work from Home groups on social media, or can even be posted to look like legitimate jobs on job boards like Indeed and LinkedIn. 

Android malware

A form of Android malware discovered in 2022 steals passwords, bank details and cryptocurrency wallets from users and bypasses multi-factor authentication protections. Researchers at F5 Labs, who documented it, dubbed it MaliBot; it is one of a string of powerful malware families targeting Android users.

As well as remotely stealing passwords, bank details and cryptocurrency wallets, MaliBot can read text messages, steal web browser cookies and take screen captures from infected Android devices. That access lets it get around multi-factor authentication (MFA), one of the key defences people can use against cyber criminals, by capturing the one-time codes delivered to or generated on the phone.

MaliBot is distributed by phishing texts or by luring victims to fraudulent websites; in both cases the victim is urged to tap a link that downloads the malware to the phone.

SIM swapping

SIM swapping is another technique fraudsters use to gain control of a victim’s phone number and defeat SMS-based two-factor authentication. A SIM swap occurs when a fraudster convinces a mobile phone provider to transfer the victim’s number to a new SIM card. Once the fraudster controls the number, any one-time codes sent by text go to them, and with those they can reset passwords and reach bank accounts, cryptocurrency wallets and email. In 2021, the FBI’s IC3 received reports of over $68 million in losses from SIM swapping.

Two-factor authentication is rightly recommended for online accounts, but SIM swapping shows that the SMS variety is not a perfect system: whoever controls your phone number receives your codes. Factors that cannot be intercepted or handed over, such as app-based or hardware authenticators and biometrics, are therefore stronger than passwords and SMS codes. Biometrics are hard to spoof because they are tied to the individual rather than to a secret that can be shared, though they are not impossible to counterfeit, which is why biometric systems pair them with liveness detection.

 

III. CPN Kits & Synthetic Identities: Unlocking Opportunities for Fraud

Data breaches have made valuable personal information like social security numbers (SSNs) more susceptible to theft and sale on the dark web. By combining a stolen social security number with fabricated details such as a new name, incorrect address, made-up date of birth or new phone number, criminals can create a ‘synthetic identity’.

Synthetic identity fraud

Synthetic identity fraud is a type of identity theft in which criminals combine both real and fake personal information to create new, fictitious identities that can then be used to obtain lines of credit to rent apartments and cars, purchase expensive goods, and take large pay-outs before abandoning the identity. It can be hard to spot as it is often cultivated over several years.

To the financial institution, the fraudster’s fake profile seems like a regular person with a job, a salary, and a home, working hard to steadily build their credit score. Some fraudsters go to great lengths to appear as genuine customers, even creating false employment histories. 

It is the fastest-growing form of financial crime in the United States and costs US financial institutions billions of dollars annually. 

The SSNs of minors and deceased individuals are often used to build these false identities. One widely cited estimate holds that thieves use the identities of nearly 2.5 million deceased Americans every year to open credit card accounts, claim unemployment or disability benefits, and obtain loans and tax refunds.

Ghosting

The tactic, called ‘ghosting’ is possible because of the delay between a death being reported and financial institutions, credit bureaus, and government departments updating their records. Fraudsters can exploit this lag and use information found in obituaries which often includes a deceased person’s full name, maiden name, date of birth, place of birth, place of residence at death, mother’s maiden name, and even where the victim went to school and was employed to build a synthetic identity.

Children are also targeted for their SSNs because they are unlikely to notice the compromise for years. A criminal can request that a child’s SSN card be mailed out, intercept the mail before it reaches the intended address, and sell the number on the dark web without the family ever knowing their child’s identity has been stolen. Alarmingly, testimony before the House Ways and Means Committee cited an estimate that roughly 1.25 million children were victims of identity fraud in 2021, nearly 1 in 50 children.

CPNs

Stolen SSNs are also repackaged and sold as Credit Profile Numbers (CPNs): nine-digit numbers that look like social security numbers. Credit repair companies sell CPNs to unsuspecting consumers with a poor credit history as a way to ‘wipe the slate clean’, telling them the number can be used in lieu of an SSN. They often claim, falsely, that celebrities use CPNs to protect the privacy of their SSN and that CPNs are legal. They do not disclose that a CPN is typically a stolen SSN and that using one on a credit application is a federal crime that can carry a prison sentence.

One Frank on Fraud investigation found a single company claiming to have sold 250,000 CPNs to consumers for between $79 and $299 each. That means total sales were somewhere between $19 million and $49 million on stolen SSNs. It’s easy to see the incentive for criminals.
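CPN sellers rely on the fact that a CPN looks like an SSN. A first, cheap check an onboarding or underwriting system can run is whether the nine digits could ever have been issued at all: the Social Security Administration never assigns area numbers 000, 666 or 900-999, group number 00 or serial number 0000, and it has publicly identified a few numbers that appeared in advertising (such as 078-05-1120, printed on sample cards sold with wallets) as invalid. The validator below is an example added by the editor, not code from the article or from Mitek or DarkTower, and the inputs are constructed. It catches only numbers that are impossible on their face; a structurally valid number may still be a child’s or a dead person’s SSN, which is exactly what most CPNs are, so it must be followed by a real verification such as the SSA’s consent-based eCBSV service.

```python
import re

SSN_RE = re.compile(r"^(\d{3})-?(\d{2})-?(\d{4})$")

# Numbers the SSA has flagged because they were printed on sample cards or in
# advertisements and were then used by many people.
KNOWN_SAMPLE_NUMBERS = {"078051120", "219099999"}


def check_ssn(value: str) -> tuple:
    """Return (structurally_possible, reason) for a nine-digit number.
    'Possible' means the SSA could have issued it; it says nothing about
    whether it belongs to the applicant."""
    m = SSN_RE.match(value.strip())
    if not m:
        return False, "malformed"
    area, group, serial = m.groups()
    digits = area + group + serial
    if digits in KNOWN_SAMPLE_NUMBERS:
        return False, "known sample/advertising number"
    if area in ("000", "666"):
        return False, f"area {area} never issued"
    if area.startswith("9"):
        return False, "area 900-999 never issued as an SSN (IRS uses 9xx for ITINs)"
    if group == "00":
        return False, "group 00 never issued"
    if serial == "0000":
        return False, "serial 0000 never issued"
    if len(set(digits)) == 1:
        return False, "all digits identical"
    return True, "structurally possible"


def screen(numbers) -> dict:
    """Map each rejected input to its reason; accepted numbers are omitted."""
    rejected = {}
    for n in numbers:
        ok, reason = check_ssn(n)
        if not ok:
            rejected[n] = reason
    return rejected


# Constructed inputs of the kind a CPN seller's spreadsheet might contain.
SAMPLE_INPUTS = [
    "078-05-1120",   # the wallet-insert number
    "000-12-3456",
    "666-12-3456",
    "912-34-5678",   # ITIN range
    "123-00-4567",
    "123-45-0000",
    "111-11-1111",
    "12-345-6789",   # malformed
    "123-45-6789",   # passes: must still be verified against SSA records
]

if __name__ == "__main__":
    for n, why in screen(SAMPLE_INPUTS).items():
        print(f"{n}: {why}")
```

Since the SSA randomized assignment in 2011, nothing beyond these exclusions can be inferred from the digits themselves (the old state-by-area and date-by-group tables no longer apply to new numbers), so the real signal comes from matching the number, name and date of birth against SSA records and from credit-bureau flags such as a number first seen on a credit file only recently.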

 

A DEVASTATING IMPACT ON VICTIMS

This type of identity theft can have a devastating impact on victims’ lives. In the case of children, it may be years before a victim realizes their identity has been compromised by which time there may be huge damage to undo. Recovering a stolen identity is time-consuming, stressful and comes with challenges. Victims may, in the meantime, be confronted with letters and calls from creditors chasing debts, bills for purchases they have not made or taxes they do not owe. They may be locked out of their accounts and have mail diverted to other addresses, making it even harder to recover their identity.

 

IV. Counterfeit License and Credit Cards: The Perfect Identity Kit

The internet gives those seeking a new identity unparalleled access to counterfeit as well as stolen documents. Forged passports, birth certificates, driver’s licenses, bank cards, SSN cards and even educational documents such as bachelor’s and master’s degrees are all available to purchase.

Counterfeit identity documents are useful tools for many kinds of criminal activity. Obtaining them was once limited to individuals with connections to specialized providers, but the growth of the dark web has greatly increased the ease with which criminals can get hold of such documents. This has increasingly caused problems for law enforcement, and as AI continues to improve criminals’ ability to dupe institutions, the challenges look set to rise and the role of biometrics in meeting them becomes ever more important.

Prices vary with a number of factors, including the quality of the counterfeit and the country the purchaser wants to relocate to. Counterfeit passports are available for as little as $10, with U.S. passports the cheapest to obtain and Australian passports the most expensive. Listings advertised as ‘legit’ claim the document can be used for real entry or identification; these are most likely stolen genuine documents rather than fakes, and fakes generally sell for less. In an investigation by the School of Criminal Justice at Michigan State University, the average price of all ‘legit’ products was $1,705.02, whereas the average price of all fake products was $741.95. The lowest listed price was $2 for a Russian passport Photoshop data file, while the highest, a ‘legit’ diplomatic passport, was advertised at $10,000.

Although paying with fiat currencies like the US dollar is an option, Bitcoin is still the preferred method of payment on many of these marketplaces. But in other ways, the transactions are carried out in much the same way as legal trades. Vendors utilize a variety of different communication platforms, with most operating personalized email accounts affiliated with their shop or unique online identity. Some list phone and WhatsApp numbers for voice or text messaging. Bulk discounts are offered for large orders and legitimate delivery carriers such as DHL and FedEx are used to fulfill orders.

In its investigations, DarkTower found counterfeit driver’s licenses and credit cards often sold together as an ‘identity kit’, giving the purchaser a working credit card together with a driver’s license and social security number. Purchasers are asked to send in photographs of themselves, which are used to create the documents; the documents are then ‘aged’ to look more authentic.

Conclusion

The cost of fraud is felt by everyone in society. As rates of identity theft continue to rise, growing numbers of individuals and organizations will become victims. The necessity to put in place deterrent and detections systems is greater now than it has ever been.

By sharing information and intelligence about fraudulent activity, such as which documents are most in demand on the dark web, and how they are obtained, used and sold, we can work together to detect and prevent fraud before it occurs and identify the individuals responsible for committing it.

Protection for those categories of data identified by DarkTower – usernames and passwords; stolen account data and SSNs – must be a priority. In partnership with DarkTower, Mitek is tackling the marketplaces where fraudsters hide and exposing stolen data to financial institutions before it becomes an issue.

To find out more about Mitek’s Check Fraud Defender with real time access to compromised account data, get in touch.

*As reported by Comparitech on August 12th 2023.