Dark Web Monitoring: Overview

Introduction

The Dark Web Monitoring Report provides our clients with a monthly report that highlights any sensitive data we’ve observed across the dark web within a given month. The data points included in this report are ones a threat actor could leverage to gain access to an account, or use against an organization through social engineering, phishing, etc.


Report contents

The information in this report is gathered from typically hard-to-find and “protected” areas of the dark web: Telegram channels, forums, illicit marketplaces, and other places where cyber criminals exchange this compromised data. The types of data in this report include:

  • Clear text passwords: this term refers to any password that is “in the clear”, that is, fully exposed in plain text and available for anyone to purchase and/or misuse.
  • Hashed passwords: These passwords are available to threat actors, but unlike cleartext passwords, these credentials are still hashed rather than exposed in plain text. They remain useful to threat actors, but having to crack the hash adds a layer of inconvenience to their attempts when compared to cleartext.
  • Financial data: the most common data points in this category are credit card and bank account numbers, but it is not limited to these.
  • Personally Identifiable Information (PII): any information that can be used with other data to help “triangulate” the identity of a user.


The information Field Effect collects is mainly derived from two sources:

  • Published Files: These are files published online by threat actors that contain information obtained due to a breach of an organization, website, service, etc. For example, in May 2024, the U.S.-based retailer Neiman Marcus suffered a data breach resulting in the exposure of 31,000,000 unique email addresses, names, phone numbers, dates of birth, physical addresses and partial credit card data.
  • Info Stealers: These records are derived from files published online that contain information collected by an info stealer. An info stealer is a type of malware whose purpose is to steal information stored in browsers, such as usernames and passwords, credit card information, and cryptocurrency wallets. The information collected by info stealers is often shared and sold on the dark web for other fraudsters and cyber criminals to leverage for their own purposes. Most records derived from an info stealer contain a username, a password (cleartext or hashed) and the URL of the online service they relate to. (For example: test@username.com, P@$$w0Rd, http://test.myemailservice[.]com)

 

Every month, this report will be accessible via the MDR Portal's Reports view, where all other Field Effect MDR reports are stored. It’s also worth noting that the information we display in this report, while already published on the dark web, is obfuscated throughout our report in the interest of privacy.



Daily Dark Web Monitoring

While all clients will receive this monthly report, you can opt-in for daily dark web monitoring for an additional cost. If you opt in, a dark web scan will be performed daily, and AROs will be generated when new exposures are discovered.


If you are interested in opting in for this additional coverage, please reach out to your Field Effect MDR sales contact.  

 

Severity Scores & Risk Categories

Your report includes a monthly severity score, which reflects the degree to which the compromised data can be used against your organization, and how quickly it can be used. Each record is given its own weight, and these weights combine into the score. The change in severity from month to month is based on the amount of data that has been exposed since the previous month. This report only flags new exposures found within the given month.


An overview of Risk Categories is provided below, but also included in every published report:

  • Critical: Records of information that can be quickly leveraged by threat actors. Critical risk records should be actioned as soon as possible. Examples include usernames with cleartext passwords, credit card information, etc.
  • High: Records of information that, when combined with other data, can be leveraged by threat actors. High risk records should be actioned as soon as possible. Examples include cleartext passwords without the username, credit card numbers without the expiry and/or CVV, etc.
  • Medium: Medium risk records contain information that requires additional processing (for example, cracking a password hash) or must be combined with other information to be leveraged by a threat actor. Examples include hashed passwords, partial credit card numbers, etc.
  • Low: Low risk records contain information that, on its own, poses minimal risk, but when combined with other information may enable unauthorized account access, fraudulent financial transactions, or identity fraud.
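The following is an added worked example, written for this article and not Field Effect's scoring engine, that applies the four category rules above to a set of exposed records and rolls them up into the per-type tallies and weighted score described later under “Exposed Data Dashboard”. The field names, the per-category weights, and the sample records are constructed assumptions; the real report's weights are not published here.

```python
"""Added example: classify exposed records into the report's risk categories.

Illustrative code, not Field Effect's own implementation. Field names,
weights and sample records are assumptions made for this example; the
category rules follow the "Severity Scores & Risk Categories" definitions.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ExposedRecord:
    """One exposed record. Every field is optional; only what leaked is set."""
    username: Optional[str] = None            # may be an email address
    cleartext_password: Optional[str] = None
    hashed_password: Optional[str] = None
    card_number: Optional[str] = None         # full card number
    card_expiry: Optional[str] = None
    card_cvv: Optional[str] = None
    partial_card_number: Optional[str] = None  # e.g. last four digits only
    pii: List[str] = field(default_factory=list)  # e.g. ["dob", "phone"]


# Assumed weights for the worked example (the report's real weights are not published).
WEIGHTS = {"Critical": 10, "High": 5, "Medium": 2, "Low": 1}


def classify(rec: ExposedRecord) -> str:
    """Map a record to Critical/High/Medium/Low using the article's definitions."""
    # Critical: directly usable, e.g. username + cleartext password, or full card data.
    if rec.username and rec.cleartext_password:
        return "Critical"
    if rec.card_number and rec.card_expiry and rec.card_cvv:
        return "Critical"
    # High: usable once combined with one more piece of data.
    if rec.cleartext_password:   # cleartext password without the username
        return "High"
    if rec.card_number:          # card number without expiry and/or CVV
        return "High"
    # Medium: needs additional processing (cracking a hash) or combination.
    if rec.hashed_password or rec.partial_card_number:
        return "Medium"
    # Low: PII or lone identifiers, minimal risk on their own.
    return "Low"


def data_types(rec: ExposedRecord) -> List[str]:
    """Dashboard data types a record contributes to (a record may count in several)."""
    types = []
    if rec.cleartext_password:
        types.append("Clear text passwords")
    if rec.hashed_password:
        types.append("Hashed passwords")
    if rec.card_number or rec.partial_card_number:
        types.append("Financial data")
    if rec.pii:
        types.append("PII")
    return types


def summarize(records: List[ExposedRecord]) -> dict:
    """Category counts, per-type tallies, total records and the weighted score."""
    categories = Counter(classify(r) for r in records)
    tally = Counter(t for r in records for t in data_types(r))
    # Total Records is the sum across data types, matching the article's
    # example of 79 cleartext + 79 hashed = 158.
    total = sum(tally.values())
    score = sum(WEIGHTS[c] * n for c, n in categories.items())
    return {"categories": dict(categories), "tally": dict(tally),
            "total_records": total, "score": score}


def top_risk_records(records: List[ExposedRecord], n: int = 3) -> List[ExposedRecord]:
    """The n most severe records, highest weight first (stable for ties)."""
    return sorted(records, key=lambda r: -WEIGHTS[classify(r)])[:n]


# Constructed sample records for illustration only.
SAMPLE_RECORDS = [
    ExposedRecord(username="a.smith@example.com", cleartext_password="hunter2"),
    ExposedRecord(cleartext_password="letmein"),
    ExposedRecord(username="b.jones@example.com", hashed_password="5f4dcc3b5aa765d61d8327deb882cf99"),
    ExposedRecord(username="c.lee@example.com", card_number="4111111111111111"),
    ExposedRecord(username="d.kim@example.com", pii=["dob", "phone"]),
    ExposedRecord(card_number="4111111111111111", card_expiry="12/27", card_cvv="123"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    for r in top_risk_records(SAMPLE_RECORDS):
        print(classify(r), r)
```

The rule order matters: checks run from most to least severe, so a record holding both a cleartext password and a hash is reported once, at its highest category, while the dashboard tally still counts it under every data type it contains.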


Reading the Report

The Main Report Page

The first page of the Report is where you can find all the essential information about the report. From here you can view your current score (for that month) and a 3-month history of your score. There is also a dashboard that shows total exposed datapoints for each category, along with the top risk records for the month.


Current Score and 3 Month History

The left half of the main page is dedicated to your current score overview, as well as a historical graph for tracking changes in your score over time. See “Severity Scores & Risk Categories” above for more on how we calculate your organization’s score, and information about the risk categories your score may fall into.


The Last 3 Months chart helps you track your progress with exposed data over the 3 months up to your current report. A short text summary reports any positive or negative change in this report’s score since the last report.


Each bar in the chart represents a month, and each bar is broken down by the exposed data Field Effect observed that month. In the example figure, the organization’s score increased by 6, and June had fewer hashed passwords observed on the dark web than July or August of the same year.



Exposed Data Dashboard & Top Risk Records

The right-hand side of the main report page focuses on the most current and impactful risks discovered within the month being reported on. It contains two main sections: an exposed data dashboard and the top risk records observed in the month.


The dashboard tallies all exposed data types found within the month, and the Total Records entry in this section represents the total number of exposed records across all data types. In the example below, the report has identified 79 clear text passwords and 79 hashed passwords exposed on the dark web, so the total records observed for the month is 158. Any positive or negative changes will also be noted in this area, when applicable.


 

The Top risk records section brings the three most severe exposures to your attention. These records should be mitigated as soon as possible; see “Mitigating Risks Associated with Exposed Data” below for more on acting on your report’s findings.


The top risk records include the following data points:

  • Date: This date represents when the exposed record was first published to the dark web.
  • Email Address: the email address of the affected user or account, obfuscated.
  • Breach Type: the type of breach that resulted in this data being published to the dark web.
  • Published File Name: The common name of the breach, or of the file published on the dark web, containing the exposed record. You can use this file name to perform further investigation into the breach and its impacts.
  • Login URL: The URL of the service that was breached and resulted in the data becoming exposed. This URL is usually associated with the published file name.
  • Username: If the exposure includes a username, it will be listed. If the username is the email address, this field will be left blank.
  • Password: If the exposure includes a password, it will be listed here, obfuscated.

 

The image below shows an example of the Top risk records area of the report’s main page.

 

 

Supplemental Tables

The supplemental tables included in this report group exposed records based on the type (see “Introduction” above), the source (the breach that resulted in the records becoming exposed), and the date on which Field Effect became aware of the exposed data. This section includes a subsection for each type; if you have no exposures of a given type within a month, that subsection is left blank.


From these tables you can see all the exposed records of every data type that the report discovered. With these supplemental tables, you can reach out to all affected parties to mitigate the risks facing them. Using clear text passwords as an example, this report lets you inform everyone affected by the breach that it does in fact impact them, and that they need to change their password immediately.


If the report discovers compromised data across more than one breach of the same content type, a separate supplemental table is included for each breach in that section. In the example below, the organization’s hashed passwords were exposed in three separate breaches, so there are three separate tables in this report’s Supplemental Tables section for hashed passwords.


 

Mitigating Risks Associated with Exposed Data

Now that your Dark Web Monitoring Report has identified at-risk data, it’s imperative that you act on these findings to mitigate the risks associated with any exposed data. We recommend the following methods:


Change Passwords for all Compromised Accounts

For all accounts listed in this report, change passwords as soon as possible as there is evidence that the password may be compromised.


Enable multi-factor authentication on all accounts

Multi-factor authentication (MFA) requires a user to provide more than one type of authentication before they can access an account or resource. Even if a threat actor obtains a user’s credentials, via a breach or otherwise, the extra layer of security provided by MFA makes it nearly impossible for a threat actor to log in with credentials alone.


For more information on the importance of MFA, please read the following blog post: MFA and passkeys: Why a password is not enough


Most exposed data stems from the compromise of third-party services that users have signed up for using their corporate email addresses, and possibly phone numbers, home addresses, etc. If the service is breached, this corporate information may become exposed and leveraged by threat actors. 


For example, in 2016, the dating website Mate1.com was breached and the information of over 17 million subscribers was disclosed. This information contained cleartext passwords and other sensitive information (date of birth, geographic locations, phone numbers, etc.).  


While this type of breach may not affect your corporate network directly, it could still have indirect repercussions, especially if the breach includes cleartext passwords and/or corporate email addresses. The bottom line: the less employees use their corporate email addresses for non-work-related services, the lower the chance those addresses will be exposed in data breaches.

 

Maintain strong password hygiene

There are many general reasons why organizations should implement strong password hygiene. But when focusing on the risks associated with exposed data, employees who use strong, complex passwords for business may be less likely to reuse those same complicated passwords when creating personal accounts for third-party services. This makes it harder for threat actors to leverage these credentials against the corporate network, should they be disclosed. Additionally, frequent rotation of passwords means that exposed passwords are only valid for a short period before they are changed and no longer carry the potential risk.


Use a password manager

A password manager is an application that helps users create and securely store “hard to guess” passwords. While the passwords are complex, the workflow usually ensures that it's easy for the user to retrieve these passwords when needed.

For more information on password managers, please visit our blog post: Why use a password manager?


Enable active monitoring/blocking for suspicious login attempts

Another method to mitigate the risk posed by exposed information, specifically credentials, is to enable monitoring and active blocking of suspicious and unusual login attempts, which may include:

  • Impossible travel (For example, an employee logs in from Canada, then China a minute later)
  • Login attempts from suspicious ISPs and high-risk IP addresses.
  • Login attempts from TOR nodes and VPNs.
  • Login attempts from unusual or suspicious user agent strings.
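The following added example, written for this article and not Field Effect MDR's detection logic, shows how each of the four signals listed above can be checked against a batch of login events. The log format, the IP-to-location table standing in for a GeoIP and threat-intelligence feed, the list of anonymizing egress addresses, the known user-agent prefixes and the speed threshold are all constructed assumptions.

```python
"""Added example: flag suspicious login attempts of the kinds listed above.

Illustrative detection logic, not Field Effect MDR's engine. The log
format, IP_INFO lookup, user-agent allow-list and thresholds are
assumptions made for this example.
"""
import math
from datetime import datetime, timezone

# Constructed stand-in for a GeoIP + threat-intel feed:
# ip -> (city, latitude, longitude, is_tor_or_vpn_egress, isp_risk)
IP_INFO = {
    "203.0.113.10": ("Toronto, CA", 43.65, -79.38, False, "low"),
    "198.51.100.7": ("Shanghai, CN", 31.23, 121.47, False, "low"),
    "192.0.2.200":  ("Unknown", None, None, True, "low"),        # TOR exit / VPN egress
    "192.0.2.77":   ("Montreal, CA", 45.50, -73.57, False, "high"),  # high-risk hosting ISP
}

# Constructed sample log: "<UTC timestamp> <user> <source ip> <user agent>"
SAMPLE_LOG = """\
2024-08-01T09:00:00Z alice 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2024-08-01T09:01:00Z alice 198.51.100.7 Mozilla/5.0 (Windows NT 10.0) Chrome/126.0
2024-08-01T09:05:00Z bob 192.0.2.200 Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0
2024-08-01T09:06:00Z carol 192.0.2.77 python-requests/2.32.0
"""

MAX_PLAUSIBLE_SPEED_KMH = 1000.0   # assumed ceiling; faster than an airliner is "impossible"
KNOWN_UA_PREFIXES = ("Mozilla/5.0",)  # assumed allow-list of browser user agents


def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ip, ua = line.split(" ", 3)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": when, "user": user, "ip": ip, "ua": ua})
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events):
    """Return (user, signal, detail) tuples for each suspicious login signal."""
    alerts = []
    last_seen = {}  # user -> (timestamp, lat, lon, city) of the previous geolocated login
    for e in sorted(events, key=lambda x: x["ts"]):
        city, lat, lon, anon, isp_risk = IP_INFO.get(
            e["ip"], ("Unknown", None, None, False, "unknown"))
        if anon:
            alerts.append((e["user"], "tor_or_vpn", e["ip"]))
        if isp_risk == "high":
            alerts.append((e["user"], "high_risk_isp", e["ip"]))
        if not e["ua"].startswith(KNOWN_UA_PREFIXES):
            alerts.append((e["user"], "unusual_user_agent", e["ua"]))
        if lat is not None:  # anonymized egress has no usable location
            prev = last_seen.get(e["user"])
            if prev:
                hours = (e["ts"] - prev[0]).total_seconds() / 3600
                km = haversine_km(prev[1], prev[2], lat, lon)
                if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    detail = f"{prev[3]} -> {city} in {hours * 60:.0f} min"
                    alerts.append((e["user"], "impossible_travel", detail))
            last_seen[e["user"]] = (e["ts"], lat, lon, city)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

Impossible travel is computed from the previous geolocated login of the same user, so a login from an anonymizing address is flagged on its own but does not poison the travel baseline; in a real deployment the allow-list of user agents and the ISP risk labels would come from the organization's own baseline and a threat-intelligence feed rather than constants.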


Field Effect MDR users are automatically notified of the above incidents via an ARO in the MDR Portal, and users are encouraged to review these ARO types as soon as possible. Field Effect MDR also allows users to enable active blocking, if they choose.


Implement human verification (captcha) authentication

A popular cyberattack that leverages exposed data is called credential stuffing. Since this attack involves attempting to log in to hundreds, if not thousands, of online services, attackers usually automate it using bots. Adding a captcha, or some other human verification control, can help mitigate this risk, since such controls help identify credential stuffing bots proactively and prevent the attack before it happens.

 

Actively monitor for exposed information

Organizations must be able to identify and monitor for data exposures that could potentially be used by threat actors for fraud or to enable cyberattacks. This isn’t easy, since exposed information could be anywhere from dark web forums and marketplaces to social media posts and everything in between.


This is why Field Effect monitors these, and other, sources frequented by cybercriminals looking to buy, trade, or sell credentials, PII, and financial information, and provides our users with a monthly summary of what was detected.
