The Terbium Take: Synthesizing Academia's Insights on Stolen Data

Writer Emily W.
July 09, 2018

Emily serves as the VP of Research at Terbium Labs. With a background in International Relations, Emily alternates between quiet rants about Russian politics and foreign policy, while crafting blog posts about the realities of the Dark Web (hint: red rooms aren't real).

In an industry lacking a shared understanding of or framework for digital assets, we at Terbium Labs appreciate the analytical contributions from the academic and policy communities. In this post, we examine three papers from these communities.

While each of the papers approaches a different segment of the dark web and the illicit economies, they all align on one key theme: the dark web’s ease of access lowers the barrier to entry for new players, whether for criminals new to the trade or for those looking to cross over into a digital platform for their existing, albeit shady, enterprises. Once embedded in the underground economy, criminals have access to a host of resources and a wealth of information from the existing community, with toolkits and instruction manuals to develop and scale lucrative enterprises.

A Shared Structure

In testimony before the House Financial Services Committee’s Subcommittee on Terrorism and Illicit Finance in March 2018, Lillian Ablon of RAND proposes a series of frameworks for understanding the variables that make up the underground economy for stolen data. By understanding these variables—people, products, places, and prices in the market—and by identifying the myriad motivations, skills, resources, and force of will behind each variable, we can begin to form patterns and shared understandings for the manifestations of cybercrime. Not all attacks, actors, platforms, or data types are created equal.

One of Ablon’s frameworks juxtaposes the motivations of the four groups of actors in the illicit economy: cyber terrorists, hacktivists, state sponsored actors, and cyber criminals. Cyber criminals, as Ablon defines them, are primarily motivated by financial gain. However their activities manifest, “they care about making money.” While these groups may overlap, we can see delineations in motivations, techniques, targets, and ultimately, the use of stolen data once obtained.

Understanding the structure of people allows us to evaluate how the professionalization of cybercrime has allowed for segmentation of skills and for specialization. In order to run an operation more effectively, people are performing the functions they have gained professional experience in—platforms are broken into hierarchies to allow for scalable, functional enterprises.

Ablon’s testimony goes on to present the foundation for a shared understanding of the marketplace for data, tools, and services. The sooner we understand this cybercrime system for what it really is (a mashup of a structured economy, an illicit business school, and a scalable criminal operation), the sooner we can begin to collaborate in identifying and disrupting the supply chains of cybercrime.

A Set of Risks

We cannot contemplate account security and prevention of account takeover until we understand what we are securing—which digital assets and which sensitive data.

It is easy to think of breaches, phishing, and malware as distinct from one another, and as three separate functions in cybercrime. These three vectors are inseparably linked by the exposure of account information. An account exposed in a breach can be used to facilitate another breach, can be used as part of a phishing campaign, and can be manipulated to most effectively deliver a malware payload. We cannot think of security as being cleanly broken down into discrete pieces. Security is an overlapping, intermingled beast, with the consequences of one lapse immediately and irrevocably impacting other pieces of the system.

In Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials, Kurt Thomas et al. use exposed or collected account information as a proxy to measure the ease of criminal access to digital identities. Using account data as a proxy for identity is an effective metric—account credentials are a gateway to a host of personal information and financial data, along with information about purchasing habits, family members, and other sensitive details. Thomas et al. compare the effectiveness of breaches, phishing, and malware at generating access to viable account information.

The authors report that the risk of account takeover depends heavily on how the attackers first come to be in possession of a user’s account credentials, noting “7% of victims in third-party data breaches have their current Google password exposed, compared to 12% of keylogger victims and 25% of phishing victims.”

A Real-World Parallel

Finally, in Platform Criminalism: The ‘Last-Mile’ Geography of the Darknet Market Supply Chain, Martin Dittus, Joss Wright, and Mark Graham investigate the ties between the production, trade, and consumption of illicit drugs as a comparative analysis between dark web drug networks and traditional drug networks. While Terbium Labs does not focus on the activities underlying the dark web drug trade, the authors’ analysis provides valuable insight into the ways in which the dark web mirrors, integrates, and disrupts existing criminal infrastructures.

The authors find that, at least for two of the three drugs reviewed, the patterns indicate that the dark web is keeping some of the traditional trade routes intact—what Dittus, Wright, and Graham call “the last mile”—providing yet another example of where the dark web is less disrupting and more augmenting, building and expanding on the criminal structures already in place. The economy for sensitive information—the data fueling payment fraud, identity theft, and account takeover—is operating in parallel, serving, in many cases, as the banking function for these drug networks.

Security Is Ongoing

Data is not going to become more secure—cyber criminals will continue to build off of each other’s successes and develop new tactics and techniques based on the same technologies that organizations develop, except that cyber criminals are not bound by laws or conventions. They will use existing systems—illicit and legitimate—to mine the resources they need to continue building their enterprises. The data trade is well established, and vendors will continue to supply goods (read: account information and other sensitive data) so long as the market demands.
