Fraudsters are selling fraudulent fraud guides to wannabee fraudsters.
Almost half of the listings on the most popular underground marketplaces are guides on how to commit fraud, as aspiring cyber criminals look to find out how to conduct business email compromise and other online scams. But there's a twist – many of the how-to guides are useless fakes.
Cybersecurity researchers at Terbium Labs examined listings on three major dark web exchanges and found that 49% of all data being sold consisted of how to guides for online fraud. In many cases, guides are written on how to do this against specific organisations, particularly those in the financial sector.
Stolen personal data only accounted for 15% of listings, with non-financial accounts and credentials (12.2%), financial accounts and credentials (8.2%), fraud tools and templates (8%) and payment cards (7%) accounting for the rest. The average price for a single personal record was $8.45, while the cost of a single personal record can drop as low as $1.00.
Credentials available for sale on the sites included usernames and passwords for services ranging from email accounts, streaming services and even food delivery accounts.
The average price for this data is $7 – although in come cases it reaches triple figures – and leaked usernames and passwords, linked to other personal details can provide attackers with a means of compromising the victim's other accounts – potentially even their corporate ones.
Credentials for financial accounts listed on the dark web potentially provide cyber criminals with direct access to bank, payment card and PayPal accounts that have been compromised – and direct access to the funds within. Attackers can either simply steal this money, or alternatively, use the card details to make purchases for themselves, or even set up loans.
The potential for this data proving lucrative means that these accounts command a higher sum that others, with listings in this category selling for an average of $33, but sometimes they can be listed for as high as $500.
Buying guides on how to commit fraud isn't risk-free because some are fraudulent themselves, providing readers with no useful information – and it's not as if the buyer can demand their money back.
"Ironically, many fraud guides are themselves fraudulent. Bad actors create fake guides, and try to make a profit selling them before buyers catch on," said Tyler Carbone, chief strategy officer at Terbium Labs.