The Business of Fraud: Sales of PII and PHI

Posted: 17th February 2022

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future analyzed current data from the Recorded Future® Platform, dark web and special-access sources, and open-source intelligence (OSINT) between January and December 2021 to observe the sale of compromised PII and PHI and how this data can be used to facilitate criminal activities. This report expands upon findings addressed in the first Insikt Group Fraud Series report, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”.

Editor’s note: This research covers January to December 2021. Since then, the following dark web sources are no longer in operation: UNICC Shop (January 2022), ToRReZ Market (January 2022), and Amigos Market (January 2022).

Executive Summary

Personally identifiable information (PII) and patient health information (PHI) are highly sought-after data across criminal sources, both on the clearnet and dark web. Our research identified that threat actors use various attack vectors, including social engineering and infostealer malware variants, to obtain victim PII or PHI. Once this data has been harvested, threat actors monetize it through traditional cybercriminal sources (dark web, including forums, marketplaces, and shops) and messaging platforms. Threat actors interested in buying and selling PII and PHI data continue to improve their tactics, techniques, and procedures (TTPs), with vendors selling customized services and methods that include access to accounts with sensitive user data, methods to defeat security measures, and counterfeit documentation.

Key Judgments

  • Threat actors have various tools and capabilities at their disposal that facilitate access to victim networks to harvest and steal PII and PHI data.
  • Financially motivated threat actors will continue to use all aspects of the cybercriminal ecosystem (forums, marketplaces, shops, and messaging platforms) to advertise, discuss, sell, and purchase compromised PII and PHI. Each of the 4 source types operates independently, but they overlap in ways that enable cybercrime.
  • In addition to dark web and special-access sources that specialize in listing compromised user accounts containing PII, sources with a low barrier to entry, such as dark web marketplaces, are attractive destinations for threat actors to buy and sell scans and counterfeit documentation that contain PII.
  • Ransomware extortion websites are another attractive source for threat actors to obtain PII and PHI, as their records contain proprietary data made available for free download when victims do not pay ransoms. These extortion websites will likely continue for the foreseeable future, as this method of extorting ransoms has proven effective.
