Prime Factors Blog

How the Black Market (Dark Web) Works When Buying and Selling Information

Posted by Pete Flagella on Sep 29, 2016 10:00:00 AM

Find me on:

image001.pngWhen you hear about a security breach your first reaction might be to feel a sense of relief because it didn't happen to you. After those feelings of relief subside, you may wonder more about what went wrong so you can avoid making that same mistake. However, it may be wise to carry those thoughts one step further by asking yourself what happens to the information that is stolen.  You may stand a better chance of ensuring that it never happens to you. Learn about a much more threatening world, and how you can protect yourself from such threats. 

To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption 

How the Dark Web Works

The truth is that if you're not on the inside, it's hard to really know what is happening in the most untraceable corners of the internet, but what we do know suggests some very nefarious activity. Silk Road made headlines when it was discovered that not only was the creator facilitating drug trafficking, but also attempting to hire a law official posing as a contract killer. Of course, the standard dark web is slightly less exciting, and much of it is conducted with the same business practices as legitimate companies. There's cheap hacking equipment available, such as credit card skimmers that lift the numbers from swipe machines, or actual office buildings in places like Eastern Europe that house low-level hackers with a middle and upper management level of supervision.  All come with the express purpose of ransoming people's important files (or in some cases, the full hard drive.) The ransomware industry generally sets itself as a no-lose proposition, as hackers can sell information if the victim or business refuses to pay the ransom.  There are also lists of credit card numbers, email addresses, and social security numbers. Some of these lists are posted with outdated information (e.g., the credit card numbers have all been changed), and on some sites, there are actual review rating systems where criminals can communicate about which sources are the most trustworthy. Those unlikely to contain helpful information may be sold at a pittance on simple ecommerce sites, while high-level hackers who access major banking systems will sell their information at far higher price point. These deals could be coordinated beforehand, or they may find an interested party in a chat room, and not the kind you are used to.

What It Looks Like

You may be curious to know what it's actually like to access these dark corners of the Internet. Fortunately, because the Dark Web has to stay off the radar, it often takes a while to access due to the nature of websites' communication with host servers. Additionally, because these criminals reside all over the world, you can imagine that many of these websites are comical, entirely fraudulent, or just plain confusing. However, hackers are getting smarter and smarter about branding their 'products', meaning they will release certain sample information so that other criminals can verify whether it is true. It's clear there is a market out there for people who want to buy and sell information on these illegal sites.

A Tangled Web

With the expanding rate of hacking and its proven profitability, it is clear that people are willing to share their information in order to get other hackers into the game. For the most part, you need to know someone who has access to these protected places on the internet. There are a variety of safety measures blocking these sites from showing up in a Google search. All someone really needs to do is express genuine interest in computers and in disrupting the societal framework through the network. There are ways for law enforcement officials to infiltrate this world, but they often lack the skills to gain other hackers' trust. Police are also dealing with criminals who are outside the US, which makes it much harder for them to practice any type of enforcement of local laws — even when it's easy to trace the criminal to a specific location. Recently a security company found there were more than 400,000  healthcare records found on the Dark Web, and that it was small businesses and hospitals who were most likely to have lost the files. Under regulations like HIPAA and HITECH, many companies that lose data to hackers are subject to fines and government charges for failing to employ proper security standards. Much of the lost data was due to the aforementioned ransomware that has been shown to be on the rise in recent years.

Understanding the Landscape

Those who work with credit card numbers and health information are likely already familiar with how they can better stay compliant with the newest government regulations. Terms like AES and encryption should be familiar to CEOs and managers, even if not utilized in their organizations. But considering the amount of financial information that is lost every day, there's reason to believe a lack of awareness remains widespread. Also, with the new emphasis on the value of information, there's reason to believe data that at one time may not have been considered valuable (e.g., email addresses or user names) will be under greater scrutiny for companies to protect. Regardless of the type of information a company handles, it's clear that trying to survive by perimeter protections alone is simply not going to be enough in the ever-changing world of the Dark Web.

How to Protect Your Company


There are two options that can better reduce the odds of a company's information showing up on the Dark Web: tokenization and encryption. Both are recognized as being viable methods by the government (e.g., PCI DSS, etc.), and each offers its own safety measures. Businesses may be slow to implement these systems or fail to implement them correctly, due to the perceived notion they are too complicated to manage. While it's true that increasing security in any business will take time and effort, both to implement the security and to train employees in its use, that does not mean it has to be difficult. Not all software is created equal.  Often it just requires some additional research when it comes to finding a security solution that works for you. For example, a smaller hospital may want to insert tokens into all of their patients' social security numbers. In this case, the social security numbers will show up in the same format to a hacker, but they will be random characters unmatched to the patient's name (imagine what their reputation would be on the Dark Web if they tried to sell this information). Only the person in the hospital with the key to unlock these tokens can actually see the correct information. Larger businesses may opt for end-to-end encryption to ensure their clients can access data from wherever they are. For example, if a person checks their banking information at the airport, that information will be encrypted and useless to potential criminals who are hoping to score by watching the data on a public network. Regardless of what software a company deploys, proper key management and controls can simplify tasks and reduce operational costs significantly.  Prime Factors’ EncryptRIGHT is one example of a software solution that offers a better way to protect sensitive data.


To learn how encryption can lower the cost of regulatory compliance while enhancing security, download our white paper Reducing the Cost of Regulatory Compliance with Encryption


Topics: Enterprise Data Protection, encryption