Bad actors use the dark web to exchange compromised data and goods anonymously, often unnoticed by the victim organization. Malicious activity can manifest in many ways on underground channels and, because of the technical obstacles associated with accessing the dark web, visibility can be limited, making it difficult to know which assets might be at risk.
If sensitive information is left undetected on the dark web, businesses risk brand damage and monetary loss. To prevent this, organizations should be knowledgeable about the types of dark web threats and actively monitor underground channels for activity associated with their brand. The most common threats targeting the retail space on the dark web include:
- Gift Cards/Rewards/Promotions Fraud
- Account Credentials
- Consumer Goods / Counterfeit Goods
- Refund Services
In this two-part series, we address these threat types and provide real examples found on dark web platforms. Below, we highlight Promotions Fraud and Account Credentials targeting retail brands on the dark web.
Gift Cards/Rewards/Promotions Fraud
Fraudulent gift cards and rewards are widely available on the dark web. The exchange of these types of promotions is popular among bad actors because they carry minimal security protections compared to credit or debit cards.
Fraudsters obtain legitimate gift cards that have been illegally provided by employees, in addition to purchasing counterfeit versions created by other criminals. There are also numerous forum threads dedicated to gift card generators and gift card configuration collections. Below are common examples of gift card configuration collections, gift cards, and team member discounts offered for sale.
Content targeting rewards programs for the airline and hotel industries is highly sought after on account-based marketplaces on the dark web. The examples below have various point balances attached to the accounts. The threat actor has added screenshots (now redacted) to show that the accounts are legitimate and that the captured logins are active and working. Airline accounts with elite status are also popular with buyers.
Account Credentials
Marketplaces that specialize in the sale of account credentials made up nearly 20% of dark web activity in Q4. These marketplaces have a steady supply of newly compromised data, often sold for minimal fees. It is especially important for security teams to monitor credential marketplaces: listings may expose varying levels of consumer Personally Identifiable Information (PII), and monitoring them helps identify compromised customer data before it is purchased and distributed further.
Below are examples of account holder names and address information of Home Depot and Kohls customers listed on credential marketplaces.
Marketplaces that specialize in the sale of retail-based account information are also commonplace. The image below is a typical example of a vendor selling Sephora accounts with linked credit card credentials, as well as Sephora accounts with reward points attached. Similar to traditional account-based marketplaces, these accounts can be purchased for a small fee.
Free dumps of customer data and offers of alleged insider access to organizations are also readily available within account marketplaces.
The screenshot below shows both Kohls and Target employee logins being sold over a popular dark web hacking forum.
Cybercriminals are using the dark web as a means of exchanging stolen or falsely branded assets belonging to legitimate retail organizations. Tracking this activity can be challenging, as dark web marketplaces and communication channels are regularly in flux and hidden. If left undetected, however, compromised information can be used in targeted attacks against an enterprise and its customers. Protecting against malicious dark web activity means understanding what types of threats live on the dark web and monitoring the sources that house them.