The Business of Fraud: Sales of PII and PHI

Editor’s Note: The following post is an excerpt of a full report. To read the entire analysis, click here to download the report as a PDF.

Recorded Future analyzed current data from the Recorded Future® Platform, dark web and special-access sources, and open-source intelligence (OSINT) between January and December 2021 to observe the sale of compromised PII and PHI and how this data can be used to facilitate criminal activities. This report expands upon findings addressed in the first Insikt Group Fraud Series report, “The Business of Fraud: An Overview of How Cybercrime Gets Monetized”.

Editor’s note: This research covers January to December 2021. Since then, the following dark web sources are no longer in operation: UNICC Shop (January 2022), ToRReZ Market (January 2022), and Amigos Market (January 2022).

Executive Summary

Personally identifiable information (PII) and patient health information (PHI) are highly sought-after data across criminal sources, both on the clearnet and dark web. Our research identified that threat actors use various attack vectors, including social engineering and infostealer malware variants, to obtain victim PII or PHI. Once this data has been harvested, threat actors monetize it through traditional cybercriminal sources (dark web, including forums, marketplaces, and shops) and messaging platforms. Threat actors interested in buying and selling PII and PHI data continue to improve their tactics, techniques, and procedures (TTPs), with vendors selling customized services and methods that include access to accounts with sensitive user data, methods to defeat security measures, and counterfeit documentation.

Key Judgments
