The bait--a trove of phony "stolen" data including several thousand Social Security numbers, credit cards, names, and email addresses--was swallowed within the first few days of being planted in the Dark Web. And when the 12-day experiment was over, the data had traveled to more than 22 different countries and been viewed nearly 1,100 times.
The experiment conducted by security vendor BitGlass was aimed at getting an inside look at just what happens after cyber criminals siphon personal information from retailers and other breached organizations. BitGlass researchers generated a list of 1,568 phony names, SSNs, credit card numbers, addresses, and phone numbers, rolled them in an Excel spreadsheet and then "watermarked" it with their code that silently tracks any access to the file.
They dropped the file on DropBox, as well as on seven infamous black market sites including Onion-pastebin and Paste-slampeech, and watched its journey across five continents, North America, Asia, Europe, Africa, and South America. In the end, it was downloaded by 47 different parties. It was mainly grabbed by users in Nigeria, Russia, and Brazil, with the most activity coming from Nigeria and Russia.
"Our goal was to see how liquid the market is for breached data," says Nat Kausik, CEO of Bitglass. "We were curious to see what happens to it after a breach."
Kausik says the experiment showed how people who frequent the cyber underground markets overwhelmingly preview the data to vet it. "People do cross-examine it and download it, looking for breached data," he says.
There was a significant participation of users from university networks overseas as well, he says, most likely because that's where open WiFi is most available.
The researchers were unable to see beyond the file's movements, but Kausik says once someone tried to use one of the "stolen" credit card numbers to make a purchase, for example, the transaction using a phony account ultimately would fail and the buyer would then realize he or she had been duped.
"We didn't put it up for sale," he says of the phony data sample file that BitGlass named "Employees.XLS."
The researchers spotted some forum users contacting the sources of other posted stolen data for more information on how to buy it in bulk. "We didn't post any contact information [with our file], so we don't know if the recipients were interested in buying more," he says.
Bitglass's watermark "phones home" when a file is opened or downloaded, grabbing IP address, geographic location, and the type of device accessing it.
The biggest takeaway of the experiment, Kausik says, was how easy it is to sell stolen information. "There is a well-established online marketplace" for it, he says.