Diving into the Dark Web: Where does your stolen data go? By Charlie Osborne for Zero Day | April 8, 2015Aug 11, 2015
When a data breach occurs and personal information is stolen, where does it end up? Bitglass researchers decided to find out.
Target, Morgan Stanley, Sony, Anthem -- the list of today's major data breaches goes on. In the last few years alone, high-profile attacks have been launched against these companies and countless others, resulting in the theft of private communication, names, Social Security numbers, addresses, financial data and account credentials.
According to a report released by the Identity Theft Resource Center (ITRC), in the United States alone in 2014, 783 data breaches were discovered. Since 2005, 5,029 data breaches have been reported in the US, with an estimated 675 million records stolen.
Hardly a month goes by without another well-known brand discovering a breach, and yet, where stolen data goes is relatively unexplored. However, security researchers from Bitglass decided to remedy the lack.
The Dark Web is one place where stolen information is offered for sale. Accessible through the Tor network, the underground comprises of stores and websites entrenched in illegal activities ranging from the sale of data to hacking tools to drugs and weaponry. However, websites hosted on the network also offer free downloads of data, which is posted anonymously.
The security team decided to track data offered up in the Dark Web. After creating an excel spreadsheet of 1,568 fake employee credentials, the team placed the file on anonymous file-sharing websites in the Dark Web, as well as Dropbox. The data was then tracked through Bitglass' tracking technology, which embedded the file with an invisible watermark that "pings" the Bitglass portal whenever the document is opened. After being pinged, the portal displays information including geographic location, IP address and device type.
The company says that even if the watermarked document is copied and pasted elsewhere or corrupted, the watermark persists and remains trackable.
Bitglass found that within only a few days, the fake credentials had been downloaded in over five countries, three continents and was viewed over 200 times. By day 12, the file had received over 1,080 clicks and had spread to 22 countries on five continents.
"By the end of the experiment the fake document of employee data had made its way to North America, South America, Asia, Europe, and Africa. Countries frequently associated with cyber criminal activity, including Russia, China and Brazil, were the most common access points for the identity data.
"Additionally, time, location, and IP address analysis uncovered a high rate of activity amongst two groups of similar viewers, indicating the possibility of two cyber crime syndicates, one operating within Nigeria and the other in Russia," the team's report states.
While this is a small experiment, it does highlight how quickly data can spread online. A small set of fake staff credentials is one thing, but files related to well-known brands -- such as Target or Morgan Stanley -- are another matter altogether, and more likely to be downloaded and potentially exploited.
Security breaches are unavoidable. It can take months or even years for the enterprise to discover a security problem. By this point, stolen information may have already traveled worldwide. When so many data breaches are preventable, companies need to start investing more heavily not only in cybersecurity as a whole, but also begin tightening internal controls and data protection protocols to mitigate the risk of becoming a new victim in 2015.