A study of advertisements on the dark web showed that hackers are mainly interested in databases (42% of messages), access to company systems (23%) and carding — advertisements for the sale of bank card data (10%). Interestingly, not all of this data is put up for sale: Positive Technologies experts note that most databases (66%) are distributed on the dark web for free. This is explained by the activity of hacktivists in India and by extortionists who publish confidential data if the victim refuses to pay the ransom for it.
More often than not, the attackers’ focus is on data from scientific and educational institutions, financial institutions, government agencies and trade. Purchase requests most often concern financial sector databases; in total, purchase announcements make up 5% of the region’s dark web. In 40% of announcements the cost of a database does not exceed $1,000. The vulnerability and insecurity of such data can be considered a serious problem for the country’s infrastructure, the study says. For example, a cyberattack on just one major Indian electronics manufacturer in April 2024 led to the loss of 7.5 million instances of personal customer data. Overall, India is in the top 3 countries by the number of dark web announcements related to database leaks.

The second most popular topic on the shadow market for cyber services is access to resources: 23% of announcements concern this topic. Here, supply exceeds demand, since announcements seeking to buy access amount to only 1%. “This may indicate that the market for access to Indian company resources contains a sufficient number of offers, and cybercriminals can choose a suitable option from the existing ones,” comments Positive Technologies analyst Anastasia Chursina. “We have also recorded the share of free distribution of access to company infrastructure at 20%. This trend is associated with the activity of hacktivists against the backdrop of geopolitical conflicts.” Access to the infrastructure of Indian trade, financial institutions and the service sector is offered for sale on the dark web. According to the study, more than 60% of all access can be purchased for less than $1,000, and such a low cost makes it easier for cybercriminals to gain initial access to company infrastructure. More costly access to financial institutions is also offered for sale.
For example, access to an Indian bank with administrator rights and the ability to connect to internal portals, ATM servers and mobile applications is offered for sale at $70,000 and above. As for the nature of access, every second advertisement offers a way to connect to the company’s resources via RDP (29%) or VPN (23%). Hackers obtain this access by infecting devices with stealers, Positive Technologies observes. Access to content management systems such as Magento and WordPress also accounts for a significant share (22%).
Carding accounts for 10% of the criminal cyber services market. Offers on this topic contain bank card data (card number, card expiry date, CVV code) and cardholder data, including residential address, phone number and email. Leakage of such data is dangerous because attackers use it in fraudulent schemes with subsequent withdrawal of funds. However, on the Indian shadow market carding is not valued very highly: data sets are sold, on average, for $500 per 100 units of bank card data.
The low cost of access and the free distribution of personal data can provoke an increase in attacks on companies and government agencies of the country. What is more, it is certainly worth strengthening the protection of educational organisations, which are now an easy target for attackers. Positive Technologies recommends that organisations build comprehensive protection based on the principles of effective cybersecurity. For analysing security events, a combination of SIEM and XDR class solutions is suitable. The MaxPatrol O2 metaproduct will help with effective monitoring and detection of threats in the infrastructure. Modern tools, such as next-generation firewalls (NGFW), WAF and NTA class solutions and the MaxPatrol VM vulnerability management system, should be included in the protection systems. Given the prevalence of stealers and ransomware in cyberattacks on Indian infrastructure, the use of sandboxes for the timely detection of various types of malware should not be neglected.