How your stolen personal data is sent to the dark web, and what hackers can do with it

  • Some 6.5 billion online accounts have already been sold or leaked onto the dark web
  • Hackers can link disparate bits of leaked data and passwords to extort victims
PUBLISHED : Sunday, 10 February, 2019, 9:46am
UPDATED : Sunday, 10 February, 2019, 7:43pm

Michael Gazeley rattles off the number of online accounts that are leaked onto the dark web – a hidden corner of the web where that stolen data is traded.

“It’s 6.5 billion now,” the cybersecurity specialist says, standing in his office in Kowloon, Hong Kong, overlooking a control room where glowing computer screens display the pulse being taken of nefarious web activity. One dial acts as an algorithm-generated odometer for internet threat levels, while a pulsing world map shows regions from which cyberattacks and spam campaigns are launched.

“That [6.5 billion] could mean that everyone with a device has been hacked twice over. That’s mind-boggling stuff,” says Gazeley, managing director of Network Box, which sells cybersecurity services to businesses around the world.

Threats to cybersecurity play out daily on the screens before Gazeley’s eyes, and in the back-room supercomputers that trawl the ever-growing volume of account information leaked onto the dark web.

That growing threat is borne out by the numbers. Globally, the volume of cyberattacks doubled between 2015 and 2018, according to year-on-year analysis from the LexisNexis Risk Solutions’ ThreatMetrix global cybercrime report, which gleans its data from billions of global transactions.

In Hong Kong, the more than 10,000 cybersecurity incidents reported by businesses last year represented a 55 per cent increase from 2017, according to year-end updates from the Hong Kong Computer Emergency Response Team.

Technology scams netted more than HK$2 billion (US$256.4 million) from Hong Kong companies and individuals in the first nine months of 2018.

The year was also marked by high-profile data breaches, including the Marriott hotels group, with 500 million customer records stolen, and airline Cathay Pacific, with 9.4 million records stolen.

Though cybercrime and data leaks are well-known realities, what happens to leaked data – how it moves across the internet and enables cybercrime – is much less understood. Making matters worse, some breaches may go unnoticed by companies – or unreported (Hong Kong has no laws requiring such disclosure).

Whether it is coming from headline-grabbing website hacks or small-scale hacks of gaming apps and online shops, stolen data often ends up on the dark web.

Gazeley says staff at Network Box pretend to be hackers to trick their way into darknet pockets to monitor activity.

“There are hacker forums and you hear people boasting [about data they’ve hacked] … once they start boasting we have to check out if it’s real,” he says. While data sets from breaches are sometimes sold, they are often just openly released on the dark web.

Just last month, a data set with information on 900 million accounts was posted to the dark web, according to monitoring at Gazeley’s facilities. The information appeared to be cobbled together from different sources, some of which were old, but others looked new, he says.

Similar to how cookies anonymously follow users’ internet browsing history to compile profiles that can be sold to advertisers, disparate pieces of personal data released on the dark web can be linked together to build a more detailed profile, using unique data points such as an email address or a password as identifiers.

“These email accounts are being used as the equivalent of fingerprints,” he says.

When only email addresses are leaked, the consequences might just be that your inbox receives more spam. But several dangers lie in the fact that unencrypted passwords are often leaked along with account names, or that such passwords are decrypted using graphics processing units – hardware that can be used to crack passwords rapidly.

If a hacker wants to gain access to a company network with excellent cybersecurity, for example, he does not necessarily need to execute elaborate coding. Instead, he could run a dark web data search for email addresses with that company’s domain name that have been leaked along with passwords from hacked websites.

“If there’s 100 people on there, chances are some of them will have used the same password [for the hacked account and their work account],” Gazeley says.

“You take that password and you’re in. It’s like prehacked, like going to the supermarket and buying a pre-cooked meal and just heating it up. It’s that easy.”


Gazeley and his team have also seen passwords being used as a way to strengthen the credibility of phishing campaigns. Fraudsters send targeted emails that include an actual password the target uses, hoping to trick the target into thinking they’ve been hacked, and into transferring money or giving the fraudsters access to accounts.

A recent phishing campaign that Network Box’s filters picked up on used leaked passwords to try to convince people that their webcams and email accounts had been remotely accessed, and threatened to send out incriminating videos.

Often, however, the password isn’t the one that would allow hackers such access; it’s one from a different account that’s been hacked, for example for their gym website, not their home computer. It’s a distinction that people in a panic often miss, Gazeley says.

Such emails, while customised, are often automated. User information cobbled together from breached data is autofilled into the email and then blasted out across the internet.

“It was an interesting variation,” says Mark Webb-Johnson, Gazeley’s business partner and chief technical officer. “We have to write specific heuristics [problem-solving methods] for a specific campaign like this.”

As soon as security firms identify such emails coming into their spam-traps, they begin identifying the different recognisable pieces, creating a signature, or an imprint of the email, that filters can use to block it in the future.
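How a signature can survive the per-recipient autofill described above, shown as an added example that is not Network Box's code: it keeps only the word trigrams shared by every spam-trap sample, so the autofilled address and password drop out. The sample messages, function names, trigram size and 0.8 threshold are all constructed assumptions for illustration.

```python
import string

# Constructed spam-trap samples: one template, different autofilled address and password.
TEMPLATE = ("Hello {addr}, I know {pw} is your password. I recorded you through "
            "your webcam. Pay or the video goes to your contacts.")
SAMPLES = [
    TEMPLATE.format(addr="alice@example.com", pw="hunter2"),
    TEMPLATE.format(addr="bob@example.org", pw="Tr0ub4dor"),
    TEMPLATE.format(addr="carol@example.net", pw="qwerty99"),
]


def shingles(text, n=3):
    """Return the set of lower-cased word n-grams in text, punctuation stripped."""
    words = [w.strip(string.punctuation) for w in text.lower().split()]
    words = [w for w in words if w]
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def build_signature(samples, n=3):
    """Keep only n-grams present in every sample: the fixed part of the template.

    Any n-gram touching an autofilled field differs between samples and is dropped.
    """
    return set.intersection(*(shingles(s, n) for s in samples))


def score(signature, message, n=3):
    """Fraction of the signature's n-grams that appear in message (0.0 to 1.0)."""
    if not signature:
        return 0.0
    return len(signature & shingles(message, n)) / len(signature)


def matches(signature, message, threshold=0.8):
    """True when enough of the template is present to block the message."""
    return score(signature, message) >= threshold


if __name__ == "__main__":
    sig = build_signature(SAMPLES)
    unseen = TEMPLATE.format(addr="dave@example.com", pw="letmein1")
    benign = ("Hello dave@example.com, your password was reset at your request. "
              "Contact the help desk if this was not you.")
    print(len(sig), matches(sig, unseen), matches(sig, benign))
```
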

When there’s a high volume of such emails coming through, more staff are called back to the control room to write smarter signatures and push back against the deluge of spam or viruses – part of a constant back and forth in the battleground of cybersecurity.

As for how people can protect themselves, both Gazeley and Webb-Johnson point to simple key steps: using two-point verification on account logins and different passwords for different accounts.

“It’s a bit like the old joke with the lion. One guy is putting his trainers on and the other says, ‘you can’t outrun a lion’, and the other replies, ‘all I have to do is outrun you,’” says Gazeley.

“If a hacker really wants to target you, then chances are he’ll succeed. But if he’s not after you and you’re well protected, well, then he’ll go after one of the other 6.5 billion accounts.”