Surface web used in private data sales

Personal information is sold both on the dark web and the surface web, according to a report by UK fraud prevention service Cifas and digital forensics firm Forensic Pathways.

The report on where personal data is compromised online highlights the fact that alongside the dark web, the surface web (the 10% of the internet that is indexed) plays an integral role in the selling of personal information.

The research, launched at the Cifas Annual Conference 2018 in London, reveals that personal data is being sold on the surface web via forums and is available through online shops, which are accessible via normal search engines.

A simple Google search of the term “Fullz” will bring up various online shops advertising personal details for sale, the report reveals. These details typically include full name and date of birth, online banking details, email addresses and passwords, as well as security questions and answers.

Such Fullz, including personal data and financial information, sell for about £31 on the suface web, researchers found, while data held on the magnetic strip of bank cards sells for around £70.

“One of the reasons for advertising the selling of personal details on forums may be due to the enhanced level of exposure,” the report said. “Forums on the surface web are more easily accessible than those on the dark web and therefore the possibility of more people seeing such posts is heightened.”

The findings also show that those selling the data give some individuals’ data away for free by using it as an advert to display what information can be purchased.

In a sample of 30,000 victims of identity fraud, almost one-third (8,646) were found on the surface web using name, date of birth, email and/or telephone number, with the majority of those identified on a social media platform.

More than two-thirds (69%) of individuals were found on Facebook, with 38% on both Facebook and LinkedIn. If privacy settings are set to public, then a wealth of personal information can be obtained, the report warns.

Individuals aged 61 and over were found to have a smaller social media presence, but they were more likely to have had an account compromised through a data breach.

However, the report found that phishing remains a key method of obtaining personal data, and may account for the 35% of victims of impersonation who have not been compromised through social media or data breaches.

As well as “kits” that are sold on the dark web that replicate well-known banking and government brands, phishing also occurs on social media in the form of encouraging individuals to “share” a phishing scam post in the hope of winning a prize.

This tactic is supported by recent research which shows that scams offering a “reward” to an individual, such as a prize or refund, rather than threatening them with restriction of access to a service, have a greater chance of success. This is because threatening scams are more likely to trigger a defensive response from the victim and be rejected.

Cifas, an independent, not-for-profit membership organisation, said it refers about 800 fraud cases a day to the City of London Police for potential investigation.

Cifas data also shows that identity fraud accounts for most fraud cases. In 2017, 95% of cases involved the fraudster using the identity of an innocent victim.

In 2017, almost 175,000 cases of identity fraud were recorded by Cifas, which is a 125% increase on 10 years ago, with 84% of identity fraud cases occurring online.

As highlighted by last year’s Who are the victims of identity fraud? report launched with LexisNexis Risk Solutions, the latest research shows that victims who are company directors are more likely to be identifiable from their social media presence and public director registers.

This is particularly the case when the correspondence address is the same as a company director’s home address, with 76% of company directors citing their home address as their correspondence address. In some cases, this is related to dissolved companies.

Deborah Leary, CEO of Forensic Pathways, said the report demonstrates the vulnerabilities of personal data held on surface web platforms and highlights the pressing need to monitor these with more vigour.

“It also reminds us that although illegal activity occurs on the dark web, it is also prevalent on the surface web, where the selling of personal data through forums and online shops is clearly evident,” she said. “We welcome further collaboration from all industries and sectors in the fight against identity fraud.”

Sandra Peaston, director of insight at Cifas, said individuals can take steps to protect their identities online, such as minimising the data they reveal online.

“For those who want to promote themselves, either professionally or personally, the real dilemma is whether this promotion outweighs the risks of revealing personal sensitive data,” she said.

“With identity fraud reaching record levels in recent years, more personal information available online, and increasing numbers of data breaches, the protection of personal data must be viewed as a collective responsibility.

“Everyone should play their part, from social media platforms taking more responsibility around security settings, to organisations prioritising the security of personal data.”

Based on the findings of the new research, the report recommends that:

• Individuals delete or deactivate old profiles on social media sites that are no longer in use.
• Social media platforms should automatically set profiles to the highest security settings available.
• Individuals minimise the data they display publicly online because the more personal information published online, the more comprehensive a picture a fraudster can create to commit fraud.
• Owners of forums monitor and manage them to ensure they are not used for selling personal data and provide channels to report abuse.
• Organisations should consider the transparency and proportionality of publicly available data.

Individuals or businesses who have fallen victim to identity fraud should report it to Action Fraud on 0300 123 2040 or online at www.actionfraud.police.uk and Victim Support.

Information about those committing identity crime can also be reported to independent charity Crimestoppers anonymously on 0800 555 111 or at www.crimestoppers-uk.org.

Cifas offers protective registration for individuals whose identities are at risk of being used fraudulently, for instance after a burglary. It also runs a scheme called Protecting the Vulnerable, offered free of charge to local authorities to protect those under the care of court deputies who are unable to access financial products and whose identities may be at risk.