A file containing fake employee records—including faux Social Security numbers—and posted to two dark Websites and Dropbox was viewed more than 1,000 times and downloaded to computers in 22 countries in less than two weeks, according to researchers at security firm Bitglass.
Half experiment and half publicity stunt, the project shows that cyber-criminals are quickly aware of any identity information posted to public and underground forums, but also shows patterns of activities that suggest criminals collaborate in certain countries. In this case, the file—tagged with digital watermarks to "phone home"—revealed two nexuses of activity: one in Russia and one in Nigeria.
Cyber-criminals are actively seeking to profit from stolen data, Bitglass CEO Nat Kausik, told eWEEK.
"There seems to be a pretty lucrative market for stolen entities and credit card data," he said. "We just stuck it out there and did not post any contact information. We don't know if anyone would have contacted us to buy more."
The company claims that the experiment is the first to track data on the dark Web, the colloquial term for the anonymized network enabled by Tor, proxies and other privacy-focused technologies. Sites and services on the dark Web range from collaboration platforms for whistleblowers to stores selling illicit goods to hubs for darker criminal activities.
Companies have focused more on protecting data as breaches have become an increasingly significant issue over the past decade. In 2013, cyber-criminals compromised retail giant Target's network, stealing information and financial details on more than 70 million customers. More recently, health care companies, including Anthem and Premera, are dealing with the impact of several breaches.
Bitglass created an Excel file with 1,500 identities, named it "employees.xls," and posted it to Dropbox and two dark Web forums. Within the first few days, the data had reached five countries and had been viewed 200 times, according to a brief report. By Day 12, the file had garnered 1,081 clicks and been downloaded to about 50 systems in 22 countries.
Much of the activity came from Internet addresses in Russia, China and Brazil, according to Bitglass' research. Collections of activity were also seen in Nigeria and Russia, suggesting that criminals in those countries were collaborating on some level, Kausik said.
The company did not try to measure whether criminals attempted to use the data. In addition, it is unclear whether other companies and researchers, searching for stolen information on the dark Web, could have skewed the results. However, given the regions involved, Kausik argued that legitimate activity likely did not have much impact on the search results.
"If we were to take out U.S.-based companies that might be involved in the active scanning for stolen data, there was a peak of use in Nigeria, and I doubt that those people are acting on behalf of the user," Kausik said. "Heisenberg plays a role in every experiment—the act of measuring does alter the value—but I don't think it was a significant problem for us."