Dark Web Sales Driving Major Rise in Credential Attacks

Summary: This article discusses the rise of infostealer malware attacks and how cybercriminals are turning credential stealing into a profitable business. It highlights the increasing value of corporate credentials in the cybercrime market and the impact of these attacks on victims, particularly in the Asia-Pacific and Latin America regions.

Threat Actor: Cybercriminals
Victim: Individuals and corporations

Key Point :

  • Infostealer malware attacks have increased sevenfold over the past three years, allowing cybercriminals to compromise millions of personal and corporate devices and steal login credentials and sensitive data.
  • The growing value of corporate credentials in the cybercrime market has led to a 643% increase in data-theft attacks, with cybercriminals selling stolen credentials on dark web forums at premium prices.
  • Darknet markets have played a significant role in enabling cybercrime by facilitating the sale of stolen corporate credentials and victim profiles to cybercrime groups.
  • The Asia-Pacific and Latin America regions have been particularly affected by credential stealing attacks, with millions of credentials stolen from countries like Brazil, India, Colombia, and Vietnam.
  • The number of initial access brokers operating worldwide has increased, with a significant rise in the APAC region, fueling the operations of other criminals such as ransomware and nation-state adversaries.

Cybercrime as-a-service
,
Fraud Management & Cybercrime
,
ID Fraud

Cybercriminals Netting Over 50 Credentials Per Infected Device, Kaspersky Says

Dark Web Sales Driving Major Rise in Credential Attacks

A rise in infostealer malware attacks over the past three years has enabled cybercriminal groups to turn credential stealing into a major money-making business, paving the way for new entrants in the field and sophisticated hacking techniques to breach corporate defenses.

See Also: OnDemand | Identifying and Reducing Risk Faster in Multi-Cloud Environments

Cybersecurity company Kaspersky said data stealing attacks rose sevenfold over the past three years, enabling malicious actors to compromise more than 10 million personal and corporate devices in 2022 and possibly 16 million more last year.

Data-stealing malware has evolved over the past decade, improving hackers’ ability to lurk unnoticed, and collect login credentials and sensitive data from device storage and applications. Kaspersky said hackers engaging in data exfiltration attacks stole close to 400 million logins and passwords for a wide range of websites in the past year, averaging 50.9 login credentials per infected device.

Stolen Credentials Fetching Rich Rewards

The growing value of corporate credentials in the cybercrime market contributed to a 643% increase in data-theft attacks over the past three years, Kaspersky said. Cybercriminals typically serve as initial access brokers, steal corporate credentials and sell them on dark web forums at a premium to fellow criminals looking for an easy way to infiltrate corporate networks and launch further attacks. Kaspersky researchers say the they are offering multiple sales models.

“Credentials may be sold through a subscription service with regular uploads, a so-called “aggregator” for specific requests, or via a shop selling recently acquired login credentials exclusively to selected buyers,” said Kaspersky researcher Sergey Shcherbel. “Prices typically begin at $10 per log file in these shops.”

According to Packet Labs, access brokers advertise stolen information heavily on dark web forums, with prices ranging from $17 for stolen credit card details, $40 for hacked logins for web services to $120 for high-value credit cards and associated information.

Data from Chainalysis found that a number of darknet markets have taken the lead in the cybercrime enablement businesses in the past few years, helping initial access brokers sell corporate credentials and detailed victim profiles to cybercrime groups who used the data in activities like scamming, identity theft and ransomware.

Genesis Market, which global law enforcement took down in April 2023 as part of Operation Cookie Monster, was best known for enabling identity theft and was soon replaced by emerging hubs such as the Kraken market, DNM Aggregator and Exploit.in. These fraud shops integrate crypto payment processors on their websites via APIs, enabling a seamless payment and checkout experience for customers.

APAC and LATAM Particularly Affected

Data obtained by Kaspersky from infostealer malware log files actively traded in the underground markets reveals that a major share of credential stealing attacks in 2023 took place in the Asia-Pacific and Latin America. The company said hackers stole more than 28 million credentials from Brazil and more than 5 million each from local web domains in India, Colombia and Vietnam, respectively.

In Australia, compromised or stolen credentials accounted for a majority of cybersecurity incidents and one-in-four firms reported data breaches in the latter half of 2023. The Australian Information Commissioner said attacks involving compromised or stolen credentials accounted for 56% of all cybersecurity incidents, compared to 27% for ransomware attacks (see: Most Australian Breaches in 2023 Began With Credential Theft).

Cybersecurity company Group-IB noted last year that the number of initial access brokers operating worldwide rose by 45% year-on-year, but their numbers in the APAC region almost tripled. The market for selling access to corporate networks in the Asia-Pacific rose from a mere $223,000 in 2019 to more than $3.3 million in 2021.

“IABs play the role of oil producers for the whole underground economy. They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries,” Group-IB CEO Dmitry Volkov said. “As access sales continue to grow and diversify, IABs are one of the top threats to watch.”

Source: https://www.bankinfosecurity.com/dark-web-sales-driving-major-rise-in-credential-attacks-a-24893


“An interesting youtube video that may be related to the article above”