Sign in / up

back to article Bad news: So much of your personal data has been hacked that lesson manuals on how to use it are the latest hot property

With more people looking to get into the online crime racket and huge caches of personal information cheap and easy to come by, documents describing the process of committing (and getting away with) online fraud are becoming hot commodities. This according to a study [PDF] from security biz Terbium Labs, which analyzed three …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Pascal Monett Silver badge

    So, basically businesses should acquire fraud guides

    Meaning that they should have an account on the Dark Web, a computer that accesses that account, and pay the crims for guidance on they can be compromised.

    While I accept that buying a guide would certainly be less expensive than actually having a breach, I would wager that it would be in the best interest of those businesses that deem themselves important enough to do this that the computer they use to access the Dark Web be physically isolated from the company network, with an IP address that cannot be traced to the company and absolutely no company references whatsoever on said computer.

    Time to set up the Dark Web Room !

    9 0 Reply
    1. Roger Greenwood
      Reply Icon
      Pint

      Re: So, basically businesses should acquire fraud guides

      Pad that out a bit and you could sell it :-)

      9 0 Reply
    2. Joe W Silver badge
      Reply Icon

      Re: So, basically businesses should acquire fraud guides

      Time to set up the Dark Web Room !

      ... said the actress to the bishop.

      Well... that term sounds a bit.... hm. sketchy. Might attract the, ahem, other kind of customer.

      3 0 Reply
    3. Flywheel
      Reply Icon

      Re: So, basically businesses should acquire fraud guides

      physically isolated from the company network, with an IP address that cannot be traced to the company

      Oooh, wishful thinking, or you work for the UK "Government"...

      1 0 Reply
    4. Version 1.0 Silver badge
      Reply Icon

      Re: So, basically businesses should acquire fraud guides

      No need, just ask the PFY to write one for you. Chances are the PFY can figure it all out in an afternoon.

      0 0 Reply
    5. John Brown (no body) Silver badge
      Reply Icon

      Re: So, basically businesses should acquire fraud guides

      Is all that different to paying to go to an InfoSec course/meeting/exposition to be told by ex-Blackhats how it's done and how to defend against it? It certainly sounds cheaper :-)

      3 0 Reply
    6. Gaius
      Reply Icon

      Re: So, basically businesses should acquire fraud guides

      This is a guide on how to exploit information that has already been negligently mishandled by various companies, not one that will assist in preventing such negligence in one's own company.

      0 1 Reply
  2. Christopher Reeve's Horse

    When there's a gold rush on

    Don't join the rush, start selling shovels.

    Piffy aphorisms aside, why would anyone trust a guide to fraud that's sold by fraudsters? Honour amongst thieves? Do they have some sort of 5 star ratings and review system? I barely trust reviews on most of the 'normal' internet (the Light Web?).

    8 0 Reply
    1. doublelayer Silver badge
      Reply Icon

      Re: When there's a gold rush on

      Very good point, but they actually do have a ratings system where accounts need to be verified in order to post reviews. It's weird how normal these sites can look if you ignore what the products are.

      5 0 Reply
  3. Pete 2 Silver badge

    Less than you'd think?

    > The Terbium team reckons that these guides, ...

    > make up just under half (49 per cent) of all data transactions on the store (not including drugs or for-hire services like DDoS attacks)

    So in reality, just a tiny fraction - when you exclude all the high profit stuff!

    It also makes you wonder what is in these "how to" guides for online fraud.

    I can imagine how the advertising goes:

    Buy my book on how to commit online fraud. Only ₿1

    and inside the book is just the sentence:

    Create an advertisement for a book telling people how to commit online fraud.

    7 2 Reply
    1. Yet Another Anonymous coward Silver badge
      Reply Icon

      Re: Less than you'd think?

      Dress that up with a fancy logo and you are basically a management consultancy

      9 0 Reply
  4. Doctor Syntax Silver badge

    If each business buys a copy for its own information it means there's still a lot of money in it for the publishers and an incentive to produce more versions. A better option would be to disseminate the contents as widely as possible for free in order to destroy the market. There doesn't seem too much scope for alleging copyright infringements when identifying yourself opens you up to prosecution for conspiracy to commit fraud.

    9 0 Reply
    1. doublelayer Silver badge
      Reply Icon

      True, but if you publish them where the general public can read them, then you'd better hope that you and everyone else have protected against what it says. What would be useful is to create a closed group of organizations that distribute them internally when they are obtained (and if they can be obtained by theft or without completing a payment I'm all in favor) and another public site where the pathetic wrong ones get released publicly. Anyone who finds that public site won't be able to complete a fraud with the instructions, and we avoid funding the how-to-commit-fraud industry.

      An alternate suggestion is that we create some guides of our own, which we submit to the reviewers on these sites until they let us on, then we send all those who purchase it a PDF of that guide but with extra malware inserted. Bonus points if the malware can be written to turn these people in.

      3 0 Reply
  5. Mike 16

    Like Amazon and eBay?

    So, fake reviews, laundered seller IDs, dodgy return policy, commingled inventory...

    And don't forget "track you relentlessly" (so you can later be approached with a "I know what you did last night" message).

    4 1 Reply
  6. hoola Silver badge

    Data Amalgamation

    I have been saying for some time now that these data breaches are far more disastrous than people admit.

    The problem is that as more and more data is available both legitimately and through breaches/theft it becomes easier to join the dots and put together data sets that have all of the critical information. The likes of Experian and other headline breaches simply walk away from the consequences of what has happened. Credit cards can be reissued but other information that many services use are fixed:

    Birthday

    Mother's Maiden Name

    Place of birth

    NI number (or whatever)

    Driver number

    Some of these can be changed but there is no way of doing it AND crucially you have no way of knowing if it has been stolen. Add the increased use of bio-metrics and we are reaching the point where any security is just a cover to the point of access. Anyone with the information can get in.

    Compute has reached the point where is is easier and cheap enough to do this and the money to be made has now increased to such an extent that the investment required is will worth the cost.

    The loss of the data is the easy bit, taking responsibility and fixing the ongoing security issues is just being ignored because it is too difficult to fix. Massive fine only go so far much will just go unreported but still don't fix the problem that once the data has been accessed, that is it. You can never get it back, it is not like a stolen telly where the police recover it and you get it back.

    3 0 Reply
    1. MachDiamond Silver badge
      Reply Icon

      Re: Data Amalgamation

      It's not just the blackhat sellers that hoover up all of the PII that they can. Big Data companies also jump on any breached data that gets posted and fold it into what they already have on you. While they might not list or sell you mother's maiden name, they may have it. They might not sell your NI of driver's license number, they might use it to verify your file if somebody was inquiring about you. Somebody like a company you've applied at or your current employer. Could be a vicious Ex or a stalker.

      Thanks for the tip. I'll have an eye out for some of this tutorials. You can't form a defense if you don't know what the enemy is bringing to the battle.

      1 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like