When Igor Bulavko describes the Dark Web, it’s hard not to picture the online equivalent to a dank, steamy district of narrow alleys lined with seedy shops selling forgeries, forbidden pharmaceuticals, stolen identities and courses covering the many paths to ill-gotten gains.
But Bulavko, Credit Karma’s Trust and Safety Architect, doesn’t dramatize the the internet’s underbelly. He sees it with the clear head of a guy who’s spent untold hours scouring the sites and forums supporting illegal business and illicit practices.
“It’s a market,” he said as he wrapped up Signifyd’s latest Payment/Fraud Meetup for professionals in the field. “There is demand and supply. There is feedback, complaints, enforcement and all that stuff.”
All that’s helpful to remember for those whose responsibility it is to foil the attempts of fraudsters who rely on the vast trove of stolen credit card numbers and personally identifiable information that is being hawked on website after website in the internet’s nooks and crannies.
Fraudsters are running business enterprises
Those fraudsters and fraud rings, after all, are business enterprises, exhibiting many of the same motivations, practices, strategies and aspirations displayed by legitimate businesses.
That said, it’s hard not to sit in wonder when Bulavko talks about the Dark Web and the vast amount of stolen personal and financial information for sale there. For instance, he showed the room of fraud and payment professionals meeting at Signifyd’s San Jose headquarters, screenshots of a site selling 2.1 million stolen PayPal accounts.
“You select anything you want,” he said, describing the Amazon-like experience. “You want to filter out by the credit card type or credit card expiration date. Make your selection. Press search. You get thousands of results. Check what you need. Put it in a shopping cart. Check out. And you’re good.”
Bulavko gave something of a guided tour of the Dark Web, stopping at sites selling credit card numbers, complete with CVV, expiration dates and zip codes — for $7 to $12 each. He pointed out bank accounts for sale.
He described the Yelp-like rating systems and review sections, where criminals buying stolen identities could rate and critique other criminals selling stolen identities. And he pointed to a site where a fraudster can buy remote desktop access to an unsuspecting user’s computer for $7. That allows fraudsters to appear to be physically located where they are not.
Bulavko ran through a list of available tutorials offering advice on in-store pickup scams and online fraud techniques. Many of the courses are repackaged rehashes of long-running techniques, he said.
“Personal information is sold everywhere,” Bulavko said as his tour continued. “It usually includes first name, last name, date of birth, social security number, address. Sometimes mother’s maiden name, email, driver’s license.”
You can buy stolen identities in bulk
The data, which you can buy in bulk (250 names for $100), represents the fruits of phishing scams, malware attacks and data breaches.
“The amount of personal information on the underground is staggering,” he said.
Given the amount and variety of personally identifiable information available, it’s no wonder that account takeover fraud — online fraud in which a criminal commandeers an existing account — is on the rise. In fact, Signifyd’s Ecommerce Fraud Index found that account takeover fraud losses increased 80 percent between 2016 and 2017. (Fraud losses include orders resulting in fraud-related chargebacks and orders rejected because of suspected fraud.)
It is a dreary picture, no doubt. But Bulavko didn’t come to curse the Dark Web. He came to illuminate it. Beyond all else that the Dark Web is, it is a rich hunting ground for threat intelligence that could aid those who are looking to stymie online fraudsters.
Those sites selling credit card numbers? They provide enough information for the good guys to identify the stolen accounts and take action to protect them. The forums? They’re like standing around the watercooler with the crooks and thieves sharing tips and tools for defrauding commerce sites.
Bulavko ran through some advice for those ready to join in the digital spelunking that is descending into the Dark Web. Create a fake online persona. Familiarize yourself with the browsing tools you’ll need to protect yourself and the sites you want to see.
Don’t venture into the Dark Web alone
But, he said his best advice, when it comes to mining the Dark Web for threat intelligence, is: Don’t go it alone. Think about hiring a pro, any one of several vendors who make it their business to familiarize themselves with the Dark Web and bring up the data and information that can help you protect your business and customers.
“Vendors already do a lot of these things,” Bulavko said of the Dark Web detective work. “They will pull in massive amounts of information, gigabytes a day with millions of pages.”
Not only that, but the vendor will present its findings in a clean, easy-to-read-and-analyze format, he said.
And, that will save you a trip to a dark and scary place.
Contact Mike Cassidy at firstname.lastname@example.org; follow him on Twitter at @mikecassidy