How Threat Actors Monetize Stolen Data
August 30, 2024
The Philippines is experiencing a growing trend of cybersecurity incidents, leading to data theft and leaks. Reports of hacker enthusiasts and threat actor groups infiltrating the networks of private organizations and government institutions have been increasing. Stolen data is often exfiltrated and posted (and even sold) in undisclosed locations on the dark web, social media sites, and messaging platforms like Telegram.
Deep Web Konek (DWK), a cybersecurity enthusiast group, has been actively tracking and reporting on these incidents in the Philippines. Most of their information comes from dark web forum posts by threat actors and social media pages where hackers publicly announce their latest attacks.
The Philippines is likely to face more cyberattacks as threat actors exploit the rapid digitalization of organizations across the country, according to the Department of Information and Communications Technology (DICT). While the demand for digitalized workspaces is on the rise, cybersecurity is not given much emphasis, due to a lack of understanding of its importance and limited funding.
The shortage of cybersecurity professionals in the country further elevates the risk, leaving organizations’ IT infrastructures vulnerable. According to Fortinet’s 2024 Cybersecurity Skills Gap Report, 94 percent of organizations in the Philippines experienced a cybersecurity incident in the past year, largely attributed to a lack of cybersecurity skills and trained IT or security personnel.
“Organizations are increasingly recognizing that the lack of skilled cybersecurity professionals is a significant contributor to these breaches.”
-Alan Reyes, Fortinet Philippines Country Manager
Social Engineering Techniques: Precursors to Data Theft
Social engineering techniques are manipulation tactics employed by threat actors to exploit human error and gain unauthorized access to networks, systems, or sensitive data. These attacks rely on direct or indirect communication (whether online or in person) between the threat actor and the victim, aiming to motivate individuals to unwittingly compromise themselves. Unlike brute force methods, social engineering relies on manipulation, making it a critical component of cybersecurity incidents. Some common types of social engineering techniques include the following:

- Phishing: A type of social engineering attack used to steal sensitive information by manipulating victims into revealing it. Regular phishing attacks are generally sent randomly and have no specific target.
- Spear Phishing: This type of phishing attack is used to specifically target an individual or organization.
- Smishing: A type of phishing attack carried out over mobile text messaging. According to the Cybercrime Investigation and Coordinating Center (CICC), threat actors have mostly shifted from sending fake messages by text to sending them over online messaging platforms such as Viber or WhatsApp.
Recommended Reading: LTO warns motorists of new online scamming that impersonates the agency via traffic violation notification
- Vishing: Another type of phishing attack that utilizes fraudulent phone calls. Threat actors often disguise themselves as representatives of a legitimate organization, and the calls are made using a real human voice or a pre-recorded one.
Recommended Reading: Cops Arrest 2 Vloggers, 17 Others in a Raid On A Vishing Hub in Cavite
- Scareware: A type of ‘scare’ tactic with the aim of frightening victims into believing that they are under imminent threat or that their accounts are compromised. Scareware often involves offering a ‘fix’ to the problem that requires clicking on a link or installing suspicious software. This type of attack is distributed through emails, text messages, or even phone calls.
- Quid pro quo: This type of attack involves victims providing sensitive information or access in exchange for a service. A notable example occurred during the recent CrowdStrike outage incident. According to reports, threat actors impersonated CrowdStrike support staff, offering fake solutions to the outage in exchange for payment.
- Tailgating: Tailgating involves unintentionally allowing an unauthorized person access to assets or locations. While tailgating is mostly a physical security breach, allowing an unauthorized person access to your device or accounts is a form of tailgating.
- Deepfakes: With the widespread use of artificial intelligence (A.I.), threat actors can utilize deepfake technology for illicit purposes such as creating highly convincing and accurate fake audio and video.
Recommended Reading: Audio Deepfake of President Marcos Jr. Ordering Military Action Against China Circulating Online
Stolen Data: From Theft to Profit
While some hacker groups are known to publicly disclose their cyber attacks to pressure organizations into improving their cybersecurity measures, there are threat actors who operate with far more malicious intent. These include hacktivists linked to foreign entities who aim to spread misinformation and propaganda, and cybercriminals who target organizations to steal data for financial gain and fraud.
Data stolen in data breaches includes:
- Personally Identifiable Information (PII)
  - Full Name
  - Birthday
  - Address
  - Phone and Mobile Numbers
- Sensitive Personally Identifiable Information (SPII)
  - Social Security Number (SSS)
  - Credit Card Information
  - Biometric Data
  - Medical Information
  - Financial Details
  - Passwords
Threat actors involved in data breaches often put the stolen data up for sale in undisclosed locations on the dark web, social media sites, or messaging platforms. The data are then bought by other threat actors with varying intent, including:
- Fraudulent Activities: Threat actors use stolen data to impersonate individuals, using the victim's name to conduct fraud.
- Ransom Demand: Threat actors hold stolen data and demand ransom from the affected individual or company, threatening to release or delete the data if payment or a demand is not met.
- Gaining Unauthorized Access: Stolen credentials such as usernames or passwords can be used to gain access to accounts or networks.
- Crafting Social Engineering Campaigns: Threat actors who have access to your information can craft highly convincing phishing emails, text messages, or phone calls – using the information to gain your trust.
