The dark web is a haven of stolen goods and data, and limited visibility into activity targeting your brand leaves organizations at risk. Malicious behavior takes many forms, and a lack of understanding of what or how an asset is exposed on underground channels can lead to brand damage and financial loss.
Detecting stolen data on the dark web is demanding, as navigating volatile marketplaces can be both technical and time-consuming. To effectively protect against abuse targeting your organization, security teams should prioritize dark web threat intelligence, including an understanding of the types of threats relevant to your brand and where they live.
The most common dark web threats targeting the retail space include:
- Gift Cards/Rewards/Promotions Fraud
- Account Credentials
- Consumer Goods / Counterfeit Goods
- Refund Services
In the previous piece, we highlighted examples of Promotions Fraud and Account Credentials targeting retail organizations on the dark web. Below, we take a look at real examples of Consumer / Counterfeit Goods and Refund Services found on underground channels.
Consumer Goods / Counterfeit Goods
The sale of consumer goods or counterfeit consumer goods can be found on most traditional marketplaces on the dark web. Many marketplaces have a section on their website dedicated solely to counterfeit goods. These sections will include replicas of goods such as clothes, shoes, jewelry, electronics, and other high-value counterfeits.
These marketplaces will also often include guides or methods on how to obtain goods for a small fee. In the image below, threat actor “dictateur7” is selling guides/methods that will allow the buyer to ship two Bell iPhones to their location.
Refund Services
There are many dark web forums solely dedicated to refund services. These services include mentorship programs, documents, and virtual trainings. The examples below show refund mentorship services offered for $200+ specifically targeting Nike, Adidas, and Target.
Threat actors use models similar to ransomware-as-a-service or phishing-as-a-service in the refund environment. In these operations, potential customers typically reach out to threat actors through dark web forums to perform the refund fraud on their behalf. After services have been rendered, the threat actor will take a percentage of the refund or a set amount as payment.
In the image below, the threat actor “Fullex” has set guidelines on the various limits of the refund and the payment needed to perform the scam.
Below is an example of a Telegram post showing how a popular refund service operates for Amazon.com.de refunds.
On traditional dark web marketplaces, it is common to see sections of the market dedicated to editable templates used to create document-based fraud. One example of this is an editable receipt template such as the one below. These templates are usually low in cost for potential buyers.
Threat actors use the dark web to buy, sell, and solicit stolen data tied to retail brands. The discreet nature of underground marketplaces and forums makes defending against abuse difficult, as many organizations lack visibility into relevant channels. However, failure to gather dark web threat intelligence in a timely manner can be damaging and lead to future attacks. To prevent this, security teams should have a clear understanding of the types of threats targeting their brand and consistently monitor underground spaces for signs of compromised materials or criminal activity.