While the dark web is a place where you can order drugs, guns and other items more commonly associated with criminal activity, one of its most valuable commodities is one that impacts the vast majority of us: personal and professional data. Vast numbers of user login details frequently obtained through third-party data breaches are bought and sold on the dark web every day. This is a crime that affects us all – putting individuals and companies at serious risk – and we must take action to prevent it.
There are over 24 billion username and password combinations on the dark web, according to a report last year - a number that has increased by 65% since 2020, which means it’s almost inevitable that every person reading this has probably had data leaked and shared in some way.
Personal data is highly valuable, no matter who you are - when criminals have access to it, there is almost no end to what they can do with it. From making purchases with payment details to using National Insurance numbers to apply for benefits, criminals will exploit whatever angle they can with the information that they have. Furthermore, the data can also be used to orchestrate and launch corporate cyber attacks.
When stolen credentials are used to successfully access a corporate system, the cybercriminals are privy to all kinds of sensitive information, including employee personal data, confidential client information, and financial data. They can also access email communications, which makes it easy to attempt to use techniques such as invoice fraud, or masquerade as a senior-level employee or client in order to instruct or authorise payment transfers.
Data breaches have a rippling effect, too, as it’s not just the organisation that’s getting compromised that suffers: it’s also their clients, suppliers and partners. And the data being lost is constantly being weaponised against other future targets.
So how are login credentials getting stolen?
Unfortunately, this isn’t as difficult as it should be – according to a Verizon DBIR report, 37% of all breaches involved stealing or using stolen credentials to gain access to online accounts.
Millions of usernames and passwords are leaked every week through attacks against applications people use every day, such as personal shopping sites, online games, business forums and so on. These credentials are then traded in forums on the dark web, where they are used for further cyber attacks.
Further attacks involve using phishing techniques - a well-known and highly successful way of targeting the owner of the email address. In this case, a convincing email is sent to someone with a link asking them to carry out some kind of online activity, such as updating their login details or newsletter preferences. The page presented is actually fake and controlled by an attacker who is rewarded with further valid, sensitive personal details, usernames and passwords if someone falls victim to the scam.
Alternatively, the stolen credentials might be used for wider, more automated attacks that attempt to use the stolen credentials to access other systems. This is known as credential stuffing and is very successful in the case where the same credentials are used for multiple accounts. And over 90% of people reportedly reuse passwords.
Consider this: if you use a password like Bristol#1995!, it might appear that this is a strong password. However, if you’re using the same password everywhere, the moment it has been stolen from a site, it could be traded on several dark web forums. It becomes clearly visible to multiple hackers, who can each use automated bots to try and login to every other service you have access to – including work systems.
Or, if your passwords follow a pattern, say different football players from the same team, or cities you’ve lived in, criminals can use automated password-cracking tools to identify your passwords in seconds and carry out wider attacks.
Defence in depth
In IT security, we talk a lot about defence-in-depth. In other words, there are multiple ways to be attacked, and therefore multiple layers are needed for protection.
Here are a few things to bear in mind:
Cyber attackers are a bit like school bullies: they pick on the vulnerable because it’s easier. Criminals are looking for the weakest industries and organisations. If IT is not well maintained or staff aren’t trained in what to look out for, then the business will become an effective target.
It’s not about being too big or too small to be worth the trouble - if security controls are weak, businesses will probably suffer an attack at some point. If an attacker can find a way to extract money, then it’s worth their time trying.
Despite what you hear in the news, most cyberattacks are not always highly sophisticated. They often use simple but effective tricks. So the focus needs to be on taking the appropriate security steps to avoid falling into the “weakest” bracket.
How can businesses protect themselves from being vulnerable to attack?
There are many preventative steps to help protect systems from cyberattacks:
- Avoid invoice fraud. Have a process that prevents payments to new or updated payee account details without rigorous checks and balances, even if the request is from someone well-known, such as a senior manager or trusted supplier. Never rely on an email being genuine; it could be someone manipulating the system from outside the organisation.
- Keep your IT infrastructure patched and up to date. Malware takes advantage of software flaws that are regularly fixed by vendors, but if you don’t patch your software, flaws remain exposed. If you work in retail – don’t forget your point of sales systems which are frequently neglected.
- Implement two-factor authentication for all employees and on all possible systems, including email. Have an additional security policy for legacy or third-party systems.
- Employ ethical hackers. If you have public-facing web applications, have them independently checked frequently (at least annually) for security vulnerabilities by ethical penetration testers.
- Have a recovery plan. Know that you can restore your files and systems if you get hit by ransomware. It’s here for the long haul, so be prepared.
- Avoid saving your passwords in your browser and use a password vault instead. Attackers are finding ways to extract passwords stored in browsers.
- Communicate. Nobody wants to be attacked, but that’s what it is – an attack. Organisations that quickly and transparently communicate an attack are often applauded by industry. Organisations that bury the news rarely enjoy the same admiration when the truth eventually comes out. There are lots of specialists available who can help you handle your incident if you need them.
- Invest in a monitoring service that will keep you aware and on top of breached credentials. Data breaches happen on a nearly daily basis, so having constant visibility of stolen credentials available on the dark web is critical to reducing your security risks.
Companies have a critical role to play in developing processes and encouraging practices that help employees keep their credentials out of the hands of hackers. But the financial and reputational risks of not doing so are high for all.