An overview of the most commonly advertised information related to financial institutions on the Dark Web in 2021
- Over 300 financial institutions advertised, in 64 different countries around the world; the United States is the most targeted;
- In Europe, the most affected country is Germany; in Asia it is India and in LATAM it is Mexico;
- The most commonly sold information was customer and bank data;
- The second most commonly sold information was access to banks’ internal networks;
- Protecting against ransomware is a priority. There were over 40 ransomware victims in the financial sector during 2021.
Thanks to continuous monitoring of hundreds of sources in underground communities, it was possible to collect the data presented below for the whole of 2021. The research focuses on what cyber criminals actually sell in various forums and chat groups regarding the financial sector and banks around the world.
“Hey banks! What kind of data do you expect to find on the dark web about you?”
2021 Data analysis
- Millions of customer records for sale;
- Many unauthorized internal network accesses for sale;
- Many SQL injection and remote code execution vulnerabilities offered as bargaining chips.
Databases rank first among the huge amount of information found for sale in various criminal forums and chats. This means that the first thing cyber criminals try to monetize is customer and bank data, which must therefore be protected rigorously to avoid data leaks and reputational damage.
In second place come sales of unauthorized access to the networks of financial companies and banks, via compromised hosts, remote code execution vulnerabilities, VPN access, etc. This suggests that, after the data itself, criminals are interested in reaching the internal network in order to compromise it with ransomware or malware, or to steal information (which can then be sold in turn).
In third place we find ransomware, which in the last year has impacted over 40 victims in the financial sector globally. Various ransomware groups have successfully carried out attacks against banks around the world. The entire finance sector, like many other sectors, should be ready and resilient to this type of threat, as it is real and very harmful.
Money laundering and money mules remain a threat, with many bank drop services and bank accounts for sale on various cyber crime forums and Telegram groups. This is primarily because any threat actor who receives a payment must use such services to actually cash out and retrieve the money.
- Victims in 64 different countries around the world;
- The most affected country is the US followed by Mexico and India;
- In Europe, the most affected countries are the UK, Germany, Italy and France;
- In LATAM the most affected countries are Mexico, Brazil and Colombia;
- In Asia the most affected countries are India, Turkey, Iran and China.
The common thread linking all of these nations together is that their financial institutions are vulnerable and therefore exploitable by threat actors. As such, the general takeaway from these statistics is not so much which countries are present, but rather that they are present because of their number of at-risk financial targets.
Malicious activity trend:
- High malicious activity in the period between March and June 2021;
- Cyber criminals also go on vacation;
- The pandemic has raised these numbers compared to previous years.
Criminal activity targeting banks and companies in the financial sector was very high in the period between March and June 2021. During the summer there was a sharp decrease in advertisements and in victims posted on various forums or compromised by ransomware affiliates. The same happened during the Christmas period, when activities and threats against the financial sector went down.
What this research has shown is that cyber criminals are more interested in databases than money laundering, malware, ATM attacks and all other types of threats commonly associated with the finance industry.
The key takeaway from 2021 for financial institutions: focus on protecting your databases, make sure to patch all vulnerabilities present on your organization's perimeter, and monitor for potentially compromised hosts.