Hardly a day goes by when we don’t hear news of a new data breach. Thousands of breaches expose millions of personal and business data records every year. On a personal level, many people have had the unfortunate experience of being notified that their personal data has been compromised, or worse, having their identities and personal assets stolen. And when businesses get breached, they may lose revenue when websites stop working or their customers’ sessions are hijacked, resulting in stolen credentials or data.
Behind each breach is a labyrinth of illegal activity, where cybercriminals collude and operate on cyber underground forums and marketplaces. Underground marketplaces, which can be likened to Etsy or Facebook-like marketplaces for threat actors, facilitate the buying and selling of stolen data. Dozens of underground marketplaces and single-vendor stores exist. Intel 471 has covered this topic further in our recent blog, How Threat Actors Use Underground Marketplaces.
The challenge for threat analysts
Cyber threat analysts face the daunting task of keeping up with the daily onslaught of breach notifications that threaten their organization. Filtering the signals from the noise to get prioritized alerts on breaches of interest, assessing the risk and deciding what action to take is usually a slow, manual process. Moreover, analysts and researchers often lack efficient and reliable tools to identify high-priority data impacting their organization across the cyber underground. With the steady stream of attacks and volumes of information to cull through, it’s a painful job. Until now.
Introducing Marketplaces Intel
Intel 471 is excited to announce our new offering to address these challenges: Marketplaces Intelligence. This new capability offers insights and intelligence into the most critical and active underground marketplaces. Customers can access details about the products on sale and historical research data, understand the activity and, most importantly, set alerts and get notified when something of interest is on or coming to market.
Marketplaces Intel enables cyber threat analysts to easily track breached information in underground marketplaces to better defend their organizations from threats posed on these marketplaces. Users are provided with current and breaking information from dashboards (as seen in the screenshot below) to detailed screen-scrapes.
Users can set and get alerts for products of interest, enabling them to assess the overall risk and then decide what action to take. Intel 471 TITAN users can also receive email alerts with a summary of the findings and the ability to log in to the platform quickly to act. Additionally, Marketplaces Intel helps teams assess if breached data is a threat to an organization by indicating which products are in underground marketplaces and their prices relative to other products and the rest of the market.
Analysts can also investigate known and unknown security breaches using Marketplaces Intel to search and view statistics, analytics and historical data across different markets, industries, regions and countries. Searches can include, but are not limited to:
Name of Products
Name of Market
Name of Vendor
Type of Product
Price range
BIN ranges
Domains of interest
Why organizations need to track underground marketplace activity
At first glance, tracking underground marketplace activity may seem like a luxury. Most analysts and security operations center (SOC) teams are fully engaged every minute of the day. But by looking ahead and anticipating future threats, organizations are doing themselves a greater service. Tracking underground activity can allow teams to focus on preventing a growing attack technique, such as one that relies on stolen credentials or cookies.
Session hijacking is a method hackers use to take control of a user's session and is usually conducted by purchasing cookies on underground marketplaces. These cookies essentially fool the remote server that an individual has accessed into thinking the threat actor is the same authenticated individual, enabling the attacker to do anything the original user is authorized to do. Depending on the target, this can range from accessing sensitive information or systems, such as credentials or internal workspaces, to compromising banking information and using it for fraudulent activity. Moreover, in a worst-case scenario, this initial access through session hijacking could provide the platform for actors to launch a ransomware attack against an organization.
Therefore, a team monitoring these marketplaces can watch for any potential compromise of its systems and improve security controls, such as logging out user sessions after a set amount of time, to reduce the risk of such an attack.
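The session-timeout control mentioned above can be enforced on the server so that a cookie replayed after expiry is rejected even though its value is still correct. The following is an added example, not Intel 471 code; the `SessionStore` class and the 15-minute idle and 8-hour absolute limits are assumptions chosen for illustration.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60          # assumed policy: 15 minutes without activity
ABSOLUTE_TIMEOUT = 8 * 60 * 60  # assumed policy: 8 hours since login


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    """Server-side session table; the cookie holds only a random token."""

    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    def login(self, user, now):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token

    def validate(self, token, now):
        """Return (user, reason); user is None when the cookie is rejected."""
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown"
        # Absolute limit: activity cannot keep a session alive forever,
        # which bounds how long a stolen cookie stays useful.
        if now - s.created > self.absolute:
            del self._sessions[token]
            return None, "absolute_timeout"
        # Idle limit: a cookie left unused is expired on the server.
        if now - s.last_seen > self.idle:
            del self._sessions[token]
            return None, "idle_timeout"
        s.last_seen = now
        return s.user, "ok"

    def logout(self, token):
        # Explicit logout invalidates the token immediately.
        self._sessions.pop(token, None)
```

The rejection reasons returned by `validate` can be logged, so that repeated attempts to use expired or unknown tokens are visible to the SOC.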
With Marketplaces Intel, analysts (and by extension, their organizations) now have a unique, innovative tool for researching and analyzing cyber threats and anticipating future, specific threats to them. Marketplaces Intel makes available a mountain of data to mitigate unexpected and unknown risks. For more information about Marketplaces Intel or to become an Intel 471 customer, please contact us via our contact information page on our website.