We hear about leaked passwords in the press every week and the dangers these leaks pose, particularly to those who reuse passwords across several sites. In Project Cumulus, we set out to understand just how fast credentials spread once they are leaked onto the dark web, what kind of data hackers are looking for, and how many other accounts are compromised in the process.
The Bitglass research team decided a bank employee would be a compelling target. Hackers could easily be convinced to take a small risk and attempt to download bank files in the hope of finding sensitive account information; it is the potential value of the leaked data that makes it so compelling to these underground criminals. Our team created a Google Apps for Work account and a complete online identity for an employee of a fictitious bank, along with a web portal for the bank itself. The "phished" credentials were then leaked onto the dark web for all to see and use.
One interesting thing to note about the dark web is the sheer difficulty of finding and accessing illicit sites. Unlike the surface web, there are no readily accessible search engines, and in the case of Tor, an anonymization service, all URLs must be accessed through a special browser that routes your traffic through remote servers. The big advantage for hackers is that Tor provides a means of masking their identity, making it appear as if they are accessing a site from another location.