SOCRadar® Cyber Intelligence Inc. | Top 5 Threats in the Dark Web | Finance Sector April Edition


May 06, 2021
7 Mins Read

Top 5 Threats in the Dark Web | Finance Sector April Edition

Financial organizations enable people and other organizations worldwide to manage savings, conduct trade transactions, and operate their assets in different areas. Due to its direct proximity to money, the digital banking industry and FinTech organizations were by far a primary target for threat actors in recent years. However, this year, there has been an extraordinary increase in the number of cyber-attacks on financial institutions.

Threat actors’ motivations vary from tracking the financial operations of specific clients to stealing personally identifiable information (PII). They can design organized attacks combining unauthorized network access with fraudulent activities or dumping customer databases with credit card information. According to 79% of CISOs from financial institutions, threat actors are deploying more sophisticated attacks in time.[1]  

1- POS Malware for Sale on the Dark Web


Credit card associated thefts usually involve four main phases:

  • Reconnaissance – identifying weak points
  • Stealing credit card information (POS malware is used to steal information)
  • Selling stolen data 
  • Shopping  

In the first phase, threat actors need to find weak points on the target system. Then, the attack phase starts. In order to obtain credit card data, financially motivated attackers utilize specific methods like vulnerability exploitation, keylogging or POS memory scraping malware.

Since cybercriminals are usually looking for the best returns with minimum risk level, they prefer easy-to-build POS malware. Remotely-controlled POS malware can be operated from outside the countries, making the criminals more difficult to track. Stolen card data are sold on the dark web, and the buyers can use this data for creating fake cards or different fraudulent activities. 



On April 15, SOCRadar has detected a vendor offering to sell a new POS malware and botnet panel named MemPOS. The malware with the bot panel is claimed to have a wide array of features such as scanning for CVVs and dumps (Track1/Track2 read by the POS service) stored in memory, utilizing RegEx and other algorithms to find out files and network packets in different formats.

2- Carding Services 


The last two steps of credit card associated thefts are more related to using the stolen data. In order to use the stolen credit or debit card details on shopping, threat actors firstly need to utilize online carding. Nowadays, the SOCRadar Analyst Team is observing an increase in online carding service sales on the dark web.


On April 15, a vendor advertised a carding service for one of the largest banks from the USA. According to the dark web post, the service could be carding all information offered on the bank. The vendor also determined a limit for carding as €250. On the post, there is no information about whether the carding service provides CVVs or not. If buyers could not seize CVVs from the carding service, they would have to find these numbers with following different techniques such as phone or email phishing attacks.  

3- New Recruitment Post is Detected 

In recent years, social engineering attacks have become widespread in different forms, which contains tailgating, vishing, baiting and phishing. Especially phishing attacks are seen as the root cause of most data breaches. According to the FBI, phishing was the most common type of cybercrime last year. 

In the finance industry, threat actors focus on two types of phishing attacks as “customer-targeted” and “employee-targeted”. Sensitive account information, credit card data, or clients’ credentials can be compromised with customer-targeted phishing attacks. On the other hand, cybercriminals can obtain access to management panels of the bank at the admin level with employee-targeted phishing attacks.


Threat actors sometimes look for different hackers who specialize in specific attacks on the dark web forums. On April 5, SOCRadar detected a vendor seeking people for designing phishing pages for a global banking organization operating in Germany. The vendor was contacting hackers on Telegram and was offering $300-500 for the phishing page. According to the SOCRadar Analyst Team, the vendor can gather personally identifiable information (PII), banking credentials, PIN and bank account numbers by performing the phishing attack, which can obviously pose a significant corporate risk for the bank.  

4- User Data of Indonesian Banks is on Sale


In recent years, the majority of financial institutions’ assets have been transferred to the digital world as a result of technological advancements. Thus, the attack surface of banks and other financial institutions has substantially increased. Moreover, customers provide almost all of their identity information, address, and contact details to financial institutions. That’s why financial institutions with digital banking services have become a popular target for hackers looking for personally identifiable information (PII). 

There is an array of motivations for threat actors to obtain the personally identifiable information (PII) of customers.   Gaining access to customer accounts, committing identity theft, extorting targeted companies, selling the data on dark web marketplaces are different ways to benefit from stolen data.




On April 2, on a dark web forum monitored by SOCRadar, a user database sale was detected for an Indonesian Bank. While there is no information about the victim bank, according to the dark web post, the database had full names, ages, emails and various personally identifiable information (PII) of 53 thousand clients. The vendor also stated that the database is obtained in SQL format.

5- Brute Force Tools on the Dark Web


Brute Force Attack is a cryptographic technique that’s become more frequent in recent years. It’s principally used to acquire personal information, including usernames, passwords and ID numbers. Threat actors’ objectives, using brute force attacks, range from confidential data harvesting to spreading malware. For these purposes, they use different ways, including dictionary attacks, hybrid brute force attacks, and credential stuffing.

In the financial industry, brute force and credential stuffing attacks are the most prevalent vectors. Threat actors may use trial and error approaches to discover a user’s account password, or they may use beforehand surfaced data to gain access to user profiles. With the seized profiles, threat actors can immediately carry out financial transactions, which pose a significant threat both for clients and institutions.

Financial institutions that are continuously targeted by cyberattacks have a robust cybersecurity infrastructure. Hackers, who try to infiltrate finance firms’ framework but cannot detect any vulnerabilities in the system, resort to “Brute Force Tools”.





On March 30, a vendor attempted to sell a brute force tool for a credit cooperative from the USA on a high-profiled dark web forum tracked by SOCRadar. The victim organization has around 1900 employees and a revenue of over $390 million. According to the vendor’s claim, the brute tool is powered by an API. Moreover, the vendor stated that the tool has an excellent speed on medium proxies, which is one of the most typical problems of brute force tools.

Dark Web Monitoring Plays an Important Role


While identity theft is not a new type of cybercrime, those on the dark web is sophisticated financial fraud. Interesting data has followed the growth of identity fraudulent activities over the last few years. There are a lot of methods of online financial crimes like social engineering attacks, online carding, credential stuffing and more.     

These attacks clearly present a severe corporate threat, particularly at a time when authorities are enforcing tougher penalties on financial institutions involved in data breaches. The problem of cybersecurity is becoming more prominent for CISOs as a result of recent attacks and tougher regulatory penalties.

Since the majority of these threats are linked to the dark web, it is important for companies to be conscious of these marketplaces. Although there is an array of mitigations, understanding and actively monitoring adversary activity on the deep web is the first step to depreciating the danger.