
Financial Industry Insiders Put the Keys to the Kingdom at Risk

Monitoring for Illicit Insider Activity Shouldn’t Focus Exclusively on Dark Web and Criminal Forums

Insider risks are on the rise, according to the Ponemon Institute 2018 Cost of Insider Threats study (PDF), and the financial services industry is paying the highest price, at a total annual cost of $12.05 million. This isn’t surprising given that in many respects banks and financial institutions hold the keys to the kingdom: they contain vast amounts of sensitive personal and financial data and play a critical role in national infrastructure. How do cybercriminals go about getting copies of these keys? One way is to find or actively attract insiders who may be disgruntled and seeking retribution, or simply looking to make a profit.

Searches across the dark web reveal that it is not uncommon for insiders and cybercriminals to trade in high-value data or credentials across dark web and criminal sites. Some of these sites set up dedicated sections for insider information discussions. In these forums, individuals may ask about the best places to sell insider information or claim to be selling insider access. Meanwhile cybercriminals shop for data or use these venues to attempt to recruit insiders. We can find examples of these forums within both general and specialized dark web marketplaces. 

Insider activity on general dark web marketplaces 

Insiders or criminals recruiting insiders will often look to criminal platforms in order to connect with their accomplices. Dark web marketplaces and their associated forums can be used to make requests for insiders with specific knowledge or access. In February 2017, when the dark web marketplace AlphaBay was still operational, one user made multiple posts to the forum claiming to have access to a Society for Worldwide Interbank Financial Telecommunication (SWIFT) payment gateway and sought an experienced partner to help them monetize it. The user claimed to possess data that provided full administrator access to this system and would provide information on where SWIFT transfers should be sent, offering 10 to 20 percent of the profits in exchange for the partner's services.

This user had previously added similar posts to the “Wanted” section of AlphaBay claiming to have access to an Automated Clearing House (ACH) system at a logistics company and an automobile dealership in the United States. In these posts, the user even offered a bank drop service to receive and transfer payments to any account specified by the customer, charging 50 percent commission.

Specialized insider marketplaces on the dark web 

Given the uncertain future of dark web marketplaces and the clandestine nature of insider activity, specialized insider marketplaces are emerging. While large datasets containing personally identifiable information (PII) or credit card details can be monetized fairly easily and are likely to be shared and sold across online forums and marketplaces, the most valuable insider information is not advertised openly online. Insider access is often a very case-based and demand-driven process that is not well suited to general marketplace or forum models. 

As a result, some insiders prefer to conduct business in person to avoid raising the suspicions of law enforcement. Those that do trade insider access online look for cybercriminal locations that offer a level of exclusivity and closed or limited access – not only in the hopes of staying below the radar of the authorities, but also because insider information only remains valuable as long as access to it is limited to a small, restricted and trusted group. Specialized dark web sites like The Stock Insider maintain the appearance of legitimacy and exclusivity by claiming to have access restrictions. These restrictions provide inside sources and buyers with a level of perceived protection as they feel their identities are less likely to be exposed or compromised by having too many members in these networks.

How to Detect and Mitigate Insider Risk

While there is substantial interest in the data insiders have for sale, organizations monitoring for illicit insider activity shouldn’t focus exclusively on dark web and criminal forums. Instead, start by looking inside and engage in the following three activities:

1. Implement the principles of Zero Trust, including “trust but verify” through continuous monitoring, implementing segmentation, and restricting access on a need-to-know basis.

2. Know where your valuable data resides so that you can prioritize your resources on the right defenses, including processes and technologies. 

3. Understand how an insider would monetize that data to help focus your external investigations. 
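The three steps above (continuous monitoring, need-to-know access, and knowing where valuable data lives) can be exercised together with a small access review. The following is an added example, not code from the article or from any product it mentions; the data inventory, role policy, user list, log-line format and threshold are all constructed for illustration and would come from your own asset inventory and IAM system in practice.

```python
"""Need-to-know access review over constructed access-log lines.

Added illustration for the Zero Trust steps above; it is not code from
the article or from any vendor it names. The inventory, policy, users,
log format and bulk threshold are all constructed for this example.
"""
from collections import Counter

# Step 2: know where valuable data resides. Constructed inventory mapping
# a system or dataset name to its data classification.
DATA_INVENTORY = {
    "swift-gateway":   "payments",
    "ach-batch-db":    "payments",
    "customer-pii-db": "pii",
    "marketing-wiki":  "internal",
}

# Need-to-know policy: which roles may touch which classifications
# (constructed). Anything not listed is denied by default.
ROLE_POLICY = {
    "payments-ops": {"payments", "internal"},
    "marketing":    {"internal"},
    "support":      {"pii", "internal"},
}

# Role assignment for named users (constructed).
USER_ROLES = {
    "alice": "payments-ops",
    "bob":   "marketing",
    "carol": "support",
}

# Records touched in one event above which we flag a bulk access;
# the number is a constructed example, not a recommendation.
BULK_THRESHOLD = 50


def parse_line(line):
    """Parse a constructed log line: 'ts user resource action records'."""
    ts, user, resource, action, records = line.split()
    return {"ts": ts, "user": user, "resource": resource,
            "action": action, "records": int(records)}


def review_event(ev):
    """Return the list of findings for a single access event."""
    findings = []
    role = USER_ROLES.get(ev["user"])
    cls = DATA_INVENTORY.get(ev["resource"])
    if role is None:
        findings.append("unknown-user")          # identity not in IAM
    if cls is None:
        findings.append("unknown-resource")      # asset not in inventory
    if role is not None and cls is not None \
            and cls not in ROLE_POLICY.get(role, set()):
        findings.append("need-to-know-violation")
    if ev["records"] > BULK_THRESHOLD:
        findings.append("bulk-access")           # possible mass export
    return findings


def review_log(lines):
    """Continuous-monitoring pass: return {user: Counter of findings}.

    Users with no findings do not appear in the result.
    """
    summary = {}
    for line in lines:
        ev = parse_line(line)
        findings = review_event(ev)
        if findings:
            summary.setdefault(ev["user"], Counter()).update(findings)
    return summary


# Constructed sample log: one legitimate day of activity plus a few
# events that the policy above should surface.
SAMPLE_LOG = [
    "2018-04-02T09:01:00Z alice swift-gateway read 3",
    "2018-04-02T09:05:00Z alice customer-pii-db export 1200",
    "2018-04-02T09:07:00Z bob marketing-wiki read 1",
    "2018-04-02T09:10:00Z bob ach-batch-db read 2",
    "2018-04-02T09:12:00Z carol customer-pii-db read 1",
    "2018-04-02T09:15:00Z dave swift-gateway admin 1",
]

if __name__ == "__main__":
    for user, counts in review_log(SAMPLE_LOG).items():
        print(user, dict(counts))
```

Running it against the sample log flags alice for a need-to-know violation combined with a bulk export, bob for reading a payments system outside his role, and dave as an identity the IAM mapping does not know; carol's in-role access produces nothing. The point of keeping the inventory and policy as explicit tables is that the review only works as well as step 2 was done: a resource missing from the inventory is surfaced as a finding rather than silently allowed.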

Now that you have looked inward and strengthened your defenses accordingly, you can:

1. Monitor the open, deep and dark web for mentions of your brand and toxic information.

2. Work with legal teams to determine the appetite for purchasing items and services sold by potential insiders on criminal forums and marketplaces.

3. Purchase or use a third party to acquire items and services sold by potential insiders to keep them out of the hands of criminals.

4. Conduct investigations on recruiters and the sellers of goods and services to understand the history and reputation of an individual. Use Open Source Intelligence (OSINT) research and gather metadata where possible to aid in any investigations.

5. Don’t forget about the accidental insider. According to the same Ponemon study, when it comes to insider risk, employee or contractor negligence is the root cause of most incidents rather than a malicious insider selling the keys to your kingdom. 

Interest in insider trading across the online criminal ecosystem is high. But the most effective way to protect the keys to your kingdom is to start by looking for ways to mitigate insider risk.  
