Selling stolen passwords in Africa is thriving

Posted on August 30, 2016 06:58 pm

To most folks in the Western world, Africa is a laggard. As much as that is a fact in different aspects, the continent isn't a backwater when it comes to the adoption of technology, and its smart young kids can rival their illustrious brothers and sisters in the developed world. Just like in the West, data breaches are a regular part of Africa's cyberthreat landscape. In Kenya, South Africa, Nigeria and Ghana they generate a great deal of media coverage, both because the quantity of information stolen is often large, and because so much of it is data people would prefer remained private. Dozens of high-profile breaches over the last few years have targeted defence organisations, security agencies, corporate organisations, retailers and health care, among other service providers. Though breaches affecting consumer data have become commonplace, there are other resources that, when targeted, lead to major security concerns. Recently, a Kenya-based hacker claimed to be selling over 302,000 email passwords of Kenyans on an underground marketplace. The fact is that stolen data is usually sold by hackers to others in underground markets online, just as the Kenya-based hacker is doing. The Kenyan hacker typically used his technical prowess to collect desirable information, but I also have a feeling that he could be working on behalf of hackers as a front man to offer information. In this crazy Internet age, buyers want to use stolen information to its maximum financial advantage, including buying goods with stolen credit card numbers or engaging in money transfers to directly acquire cash.

In South Africa, in cases involving social media account data, buyers hold users' internet accounts for ransom, and in a number of incidents I am familiar with, they used the data to craft more targeted attacks on victims. In Nigeria, such crooks are creating fake followers that destroy legitimate accounts' reputations. Because of the clandestine nature of Africa's online black market, the total number of completed sales of stolen information is hard to quantify. In my fact-finding efforts, I realised that most sellers advertise their data and services in web forums that operate like any other online retailer, where buyers and sellers rate each other and the quality of their products and personal information being sold.

I also examined feedback on dark web transactions involving credit and debit card information, some of which also included the three-digit card verification value on the back of physical cards, stolen in Nigeria, Angola, Ghana, Senegal, Ivory Coast and Namibia over the last year. In addition, data sellers in 197 transactions may have earned between US$780,000 and $2.9 million. I noted that buyers in 123 of these transactions earned an estimated $2.1 million through the use of the information they purchased. These massive profits are likely a key reason these data breaches in Africa will continue. There is a clear demand for personal information that can be used to facilitate cybercrime, and a robust supply of sources. Africa's clandestine data markets are, it turns out, very similar to legal online markets. They differ only in the ways the markets are advertised or hidden from the general public, the technical proficiency of the operators, and the ways that payments are sent and received. The number of markets operating on the dark web in Africa is growing, and they are thriving. Several sites I visited in my research are only accessible by using specialised encryption software and browser protocols that hide the location of users who participate in these sites.

It is unclear how many of these dark markets exist in Africa, though it is clear such services will become more common as other underground markets use this platform. Data sellers from Egypt posted information about what type of data they have, how much of it, pricing, the best way for a prospective buyer to contact them and their preferred method of payment. This showed me that it is not a Sub-Saharan African business alone; the Northern African countries are also involved. For the Egyptian vendors, email passwords and credit and debit card details were up for sale. Bidders were plentiful as well, but I wonder what benefit someone gets from spending money that doesn't belong to him or her. Indeed, we are all different species. In the case of South African, Kenyan, Nigerian and Egyptian sellers, they only accept online payments through various electronic mechanisms. The most preferred payment platforms being advertised include Bitcoin, Yandex and WebMoney, among others.

Some sellers, who I think are amateurs, even accept real-world payments via MoneyGram and Western Union, but they often charge additional fees to cover the costs of using intermediaries to transfer and receive hard currency locally. In the cases I researched, most negotiations for data take place through online chat platforms or email accounts designated by the seller, and they don't use Yahoo!, Gmail or such. In the case of South Africans and Nigerians, once the buyer and seller agree on a deal, the buyer pays the seller up front and must then await delivery of the product. It takes between a few hours and a couple of days for a seller to release the data sold. It was interesting to note that challenges that are common for those of us who shop in the real world are also prevalent on the dark web. For example, if a Kenyan buyer makes a deal but the Nigerian seller never sends the data, or what arrives in Nairobi includes inactive or inaccurate information, the Kenyan buyer will not sue for breach of contract or call the coppers to complain he got ripped off. The illegal nature of the transaction renders the buyer largely helpless to use traditional means of dispute resolution. To rebalance this power, social forces come into play, maximising rewards for both buyers and sellers and minimising the risk of loss. In West Africa, buyers and sellers in many underground markets do publicly review each other's adherence to a negotiated deal. The parties operate anonymously, however, but have usernames that stay the same from transaction to transaction, building up their reputations in the marketplace over time. In Kenyan and South African marketplaces, posting reviews and feedback about purchase and sale experiences brings trust and makes the marketplace more transparent.

In the case of Kenya's dark web, feedback shows all users who operates according to community norms, whose behavior is worrisome, and which new users might not yet know all the rules. This ability to post and review feedback presents an interesting avenue for market disruption. In South Africa, if sellers within a market are flooded with negative and positive feedback, buyers have trouble figuring out who is trustworthy. I feel that approach could disrupt the data market without the need for arrests and traditional law enforcement methods. More studies into how to combat the dark web market for stolen data could investigate this and other potential tactics, but at the moment, the dark web will continue to grow.

Contador Harrison