The dirty dealings of data: Defining the darknet and the information bought and sold there

This story is the tenth in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center.

It's dark. It's shrouded in mystery. It's the source of frustration and fear for anyone seeking to protect sensitive information. It's the black market of data. And it's real.

If you're wondering where social security numbers, credit card numbers, financial information and passwords go after they're stolen, it's to a variety of sites that fall between the cracks in this network of shady dealers. For a price, just about any piece of data is accessible online, and these numbers and words are selling like hotcakes to hackers and data dealers. With the help of two data professionals, we shine a light on the black market and get an inside look at the platforms of the dirty dealings of data.

"It has been estimated that over 80 percent of PCI-related data breaches occur within small businesses, and I've read several research papers written about it. It really is a huge problem," says Timothy Powell, founder of Ammonitrix, a GR-based cyber security platform for families, educators, senior citizens and small businesses.

After hacking into small businesses' networks and snatching sensitive and valuable information, hackers make their way to one of many sites on the darknet, where buyers are ready and waiting to purchase data like credit card numbers--which have been known to go for as little as $20.

"It's kind of funny how cheap that stuff goes for," says John Palmer, a systems engineer at Trivalent Group, a Grandville-based business-to-business technology firm. Some sites are invite-only, but many simply require a registered account to gain access and begin browsing the various data for sale.

Though the former top site for black market sales, Silk Road, has long since closed, other sites are alive and kicking, and sell everything from drugs to personal information, credit cards, counterfeit money and even eBay accounts with good reputations. The current top three, agree Powell and Palmer, are AlphaBay, the Valhalla Market, and DreamMarket.

"AlphaBay just recently launched an automated credit card-finder tool," says Powell. "Basically, it has compiled a large database of stolen credit cards, and makes them searchable by any characteristic of the credit card holder, including first and last name, birthday, location, and I think I even recall a social security number option."

Though just revealing these sites may be enticing, reader be warned: "It's not a place that you should go if you don't know what you're doing," says Palmer. Even posting a comment with an anonymous username can result in your data being captured, revealed and potentially sold.

Thus, individuals are at risk, no matter where they work. "It comes down to the person behind that keyboard," says Palmer. Though large companies invest in cyber security training for their employees at all levels, "you just don't get that in the small to medium market," he adds. Therefore, "I think the small to medium business market is a much bigger target for this kind of stuff."

Big businesses also invest in monitoring services--individuals with the knowledge, confidence and security to troll black market data sites and watch for trends in stolen data. If they find certain information that they believe belongs to them, they can perhaps attempt to retrieve the information or, more likely, work harder to secure that information in the future. Most likely, the data is already lost.

So how does this knowledge about the darknet help us? Like most situations with cyber security, awareness is key to prevention, and prevention is really the only option with the darknet.

Because small to medium businesses do their day-to-day work with a cyber target on their backs, the goal is to block hackers from obtaining their information in the first place, and to resist the temptation to go looking and fall into the rabbit hole of the darknet.

This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.