Going shopping on the Dark web

I've recently learnt the impact of what, we the, 'entrenched' take as the norm. Case in point

 

To the vast majority of security, this is not 'news', but that doesn't take away the fact that this is equally as important to those affected. Graham Cluley also has some thoughts on it here

But what hackers frequently do these days is use a technique known as “credential stuffing” - taking the information they have stolen from one site, using it to log into another site, and then using any information they gather on any accounts they manage to access to gather additional personal information which could be used for fraud.

— https://www.grahamcluley.com/2016/07/yes-data-breach-really-fault/

So with that in mind, i thought i would demonstrate what is available on one of the more popular 'Darknet Markets' - A primer here on that area here

Firstly, some markets are usually quite accessible.  A good list here There is an exception to the rule for some markets that do require a deposit, or a cosign from someone legitimate enough to 'vouch' for you.

What can i buy?

Lots, you can can usually identify the interesting things in much the same way as most auction sites do, by way of feedback. A quick run down on some of the items, physical and virtual and the services associated with them are below

  • Banking

I wrote about muling here but the level of services used in between these are not limited to muling, there are 

  • Carding Services - Hotel fraud, such as booking services and ticketmaster gift cards.

Screen Shot 2016-07-26 at 21.23.54.png

Damaging to the brand associated with the theft & fraud.

  • Bank Account transfers - Often taken from compromised devices or those botnet owned.


  • British Airways accounts - Often from RATTED machines


  • Weapons - Yes, you can order a weapon from the internet


Personal information is a commodity in itself and arguable the most valuable, however its value is dependant on those who can best use it to gain most profit, its for sale here too as mentioned in relation to the original o2 article.

The insider threat is something which is gaining a lot of attention and will only grow as a exponential threat to businesses who do not understand the concept.

This advert offers an insider inside all of the UK's most popular Phone stores


Boggalertz - Best Seller in the world, just wait and see.

Please read this carefully************

To take advantage of these profiles you will need the following
1) An insider in any phone shop
2) A credit or debit card, which you know the pin and registered address for
3) there must be at least £10 on the card
4) This is for UK only

Heres how it works.......
* You send me the door number and the postcode of the registered card, EXCLUDING the LAST 2 LETTERS. ( SO I DON’T EVER KNOW THE ACTUAL ADDRESS)
* I will send you back a profile which will pass for mobile phones in ANY phone shop, providing you use the correct card
*You go to your insider and place orders for as many handsets as you can get your grubby little mitts on
*You leave me nice feedback and tell the world that BOGGALERTZ is the worlds best seller!

—————————————————————————————
You will need an insider because of 2 reasons
1) the DOB may not match what you or your striker looks like
2) the name will not match the name on the card (which I will never know)


Again, to the majority of the security community this is not a 'new' concept. However encouraging mainstream media to take an active interest in this will highlight its availability and ensure that those at risk are educated more and understand the risks.