What Happens When Personal Information Hits The Dark Web

Experiment tracked the journey of a cache of phony names, SSNs, credit cards, and other personal information.

The bait--a trove of phony "stolen" data including several thousand Social Security numbers, credit cards, names, and email addresses--was swallowed within the first few days of being planted in the Dark Web. And when the 12-day experiment was over, the data had traveled to more than 22 different countries and been viewed nearly 1,100 times.

The experiment, conducted by security vendor Bitglass, was aimed at getting an inside look at just what happens after cyber criminals siphon personal information from retailers and other breached organizations. Bitglass researchers generated a list of 1,568 phony names, SSNs, credit card numbers, addresses, and phone numbers, rolled them into an Excel spreadsheet, and then "watermarked" it with their code that silently tracks any access to the file.

They dropped the file on DropBox, as well as on seven infamous black market sites including Onion-pastebin and Paste-slampeech, and watched its journey across five continents: North America, Asia, Europe, Africa, and South America. In the end, it was downloaded by 47 different parties. It was mainly grabbed by users in Nigeria, Russia, and Brazil, with the most activity coming from Nigeria and Russia.

"Our goal was to see how liquid the market is for breached data," says Nat Kausik, CEO of Bitglass. "We were curious to see what happens to it after a breach."

Kausik says the experiment showed how people who frequent the cyber underground markets overwhelmingly preview the data to vet it. "People do cross-examine it and download it, looking for breached data," he says.

There was a significant participation of users from university networks overseas as well, he says, most likely because that's where open WiFi is most available.

The researchers were unable to see beyond the file's movements, but Kausik says once someone tried to use one of the "stolen" credit card numbers to make a purchase, for example, the transaction using a phony account ultimately would fail and the buyer would then realize he or she had been duped.

"We didn't put it up for sale," he says of the phony data sample file that Bitglass named "Employees.XLS."

The researchers spotted some forum users contacting the sources of other posted stolen data for more information on how to buy it in bulk. "We didn't post any contact information [with our file], so we don't know if the recipients were interested in buying more," he says.

Bitglass's watermark "phones home" when a file is opened or downloaded, grabbing IP address, geographic location, and the type of device accessing it.
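
An added example, not Bitglass's code: the article does not say how the watermark works, so this sketch assumes the file fetches a per-file beacon URL and shows how a defender could reduce the resulting web log to views, downloads, distinct parties, and device types. The `/t/<token>` endpoint, the `e=` parameter, and the log lines are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: combined-format access log from a hypothetical beacon
# endpoint /t/<token>. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Apr/2015:09:14:02 +0000] "GET /t/emp-xls-01?e=open HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Excel"
203.0.113.7 - - [07/Apr/2015:09:15:40 +0000] "GET /t/emp-xls-01?e=open HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) Excel"
198.51.100.23 - - [08/Apr/2015:21:03:11 +0000] "GET /t/emp-xls-01?e=download HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) Mobile"
192.0.2.55 - - [09/Apr/2015:02:47:59 +0000] "GET /t/emp-xls-01?e=open HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2)"
192.0.2.55 - - [09/Apr/2015:02:48:30 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2)"
"""

# Only beacon hits match; any other request (e.g. favicon) is ignored.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /t/(?P<token>[\w-]+)\?e=(?P<event>open|download) HTTP/[\d.]+" '
    r'\d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def device_type(ua):
    """Coarse device class from the User-Agent string (client-supplied)."""
    ua = ua.lower()
    if "android" in ua or "iphone" in ua or "mobile" in ua:
        return "mobile"  # checked first: Android UAs also contain "linux"
    if "windows" in ua or "macintosh" in ua or "x11" in ua:
        return "desktop"
    return "unknown"

def summarize(log_text, token):
    """Tally beacon callbacks for one watermarked file."""
    events = Counter()
    parties = {}  # source IP -> device type seen on first callback
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m or m["token"] != token:
            continue
        events[m["event"]] += 1
        parties.setdefault(m["ip"], device_type(m["ua"]))
    return {
        "views": events["open"],
        "downloads": events["download"],
        "parties": len(parties),
        "devices": Counter(parties.values()),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "emp-xls-01"))
```

Source IP is only a proxy for a "party": callbacks that arrive through Tor or a VPN are attributed to the exit address, and mapping an address to a country needs a separate GeoIP database that is not included here.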

The biggest takeaway of the experiment, Kausik says, was how easy it is to sell stolen information. "There is a well-established online marketplace" for it, he says.


Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
4/12/2015 | 4:23:15 AM
How they tracked the spreadsheet?
It looks like they just used the same tracking/tagging technology (but calling it "watermarking") as ReadNotify have been doing for over a decade.
User Rank: Apprentice
4/9/2015 | 12:01:40 PM
Which sites received the most attention?
I would love to know whether the file was picked up from DropBox as well as the more nefarious sites.  We have users who want to use DropBox and I'd love to have a real-life example of why we don't want them to use it.

Yes, I know there are security settings, but I would venture to guess that all of my users don't know what those are and/or wouldn't bother to use them.
Sara Peters
User Rank: Author
4/8/2015 | 4:32:50 PM
I can't decide if 1,100 views seems like a lot or not very many at all. I guess I would have expected that number to be higher, but then again, I imagine that the competition is pretty stiff on the black market -- high quality data from trusted sellers.
User Rank: Ninja
4/8/2015 | 9:02:58 AM
you will not have learned anything useful
You should follow Brian Krebs

The people who deal in stolen dox pride themselves in selling only quality stuff, and their reputations rely on it. It is very unlikely that this data will be offered by any reputable darknet dealer.
Kelly Jackson Higgins
User Rank: Strategist
4/7/2015 | 5:19:57 PM
Re: Honeypot
They kept it relatively low-key and generic, and didn't offer any "for sale" information, etc., so the file was more of a phony sample of stolen stuff. It's probably no more risky than a honeypot. 
User Rank: Ninja
4/7/2015 | 2:47:45 PM
Interesting to see the tracking of how fast the data moved and to what purpose in what used. I can't help but feel this is a very similar practice to a honeypot however. And I think that with this premise you would draw the same type of attention. 

The practice of baiting a malicious person is a dangerous concept in its smallest measurements. But when the baited individual turns out to be a nefarious user with expert level knowledge then the situation becomes truly dangerous. If I were BitGlass, I would be wary of running these experiments with that scope. Wouldn't want to become the target of an unscrupulous hacker with a vendetta.
