Stolen Selfies Sold On The Dark Web

Cybercriminals are including selfies in leaked data dumps listed for sale on the dark web.
It is now no-brainer that you can literally get anything from the dark web.

Commonly perceived as the Internet’s “shrouded underbelly,” the dark web is famous for its exclusive hidden markets which make a brisk trade in the sale of weapons, personal documents and identities, not to mention narcotics.

Nonetheless, it is the category of “personal identities and details” that has in recent times taken a rather interesting turn. Apparently, some cyber-crooks have now gone as far as including selfies in their data dumps.

Recently, Sixgill, an Israel-based dark web research company, came across a significant data dump up for sale on a primarily Russian-language dark web forum.

What particularly set this dump apart from the rest of the large chunk of data available was that for every record, there was an accompanying selfie of the said user.

Inside the Dark Web Data Dump
In an interview with TNW, Sixgill Cyber Intelligence Lead Alex Karlinsky outlined that they stumbled upon an exclusive advertisement where one seller was offering about 100,000 documents for a significant sum of $50,000.

According to him, the advertisement was in a predominantly Russian-speaking closed-access forum and the documents mentioned included the victims’ proof of address, passport or ID and, surprisingly, a selfie.

Although data dumps that include various forms of information on the dark web are not a new thing, data accompanied by a selfie was a first and unusual discovery even for an accredited research firm such as Sixgill.

So exactly what is the purpose of selling selfies? In themselves, selfies have a very insignificant importance to an adversary.

Nonetheless, when incorporated with other more customary information proofs, they can enable a perpetrator to not only open bank accounts, but also access credits using the victim’s name.

3d illustration. Open "trash" button with yellow folders.
It is now no-brainer that you can literally get anything from the dark web.
Currently, some banks are allowing their customers to open bank accounts by uploading a selfie together with scans of various relevant documents, as a way of verifying their identity.

The popularity of this action has gradually grown since the banks are attempting to replace customary branch services with contemporary online alternatives.

This is particularly evident in the emerging swathe of online-only banks making their way into the banking sector in recent times.

Sixgill went on to state that the individual who had put these documents up for sale on the dark web was also offering them in smaller cheaper chunks.

Moreover, they also came across another dark web anonymous seller selling identities in an unusually piecemeal style. For $70 only, you would get yourself a person’s ID documents, together with a selfie.

Cloud Platforms Increasingly Vulnerable to Breaches
Unfortunately, Karlinsky was unable to trace back the dark web data dump source. According to him, the easiest way of obtaining a person’s selfie is from a malware-infected device.

What’s more, one other way to obtain selfies is gaining access to a system that safeguards people’s private information, or otherwise hacking into it.

The latter instance is more likely. Usually, one of the most common document leak sources is a cloud storage platform that is inadequately secured, such as Amazon S3.

Last month, the photo IDs and passports of about 119,000 FedEx clients stored in a publicly-accessible storage platform (Amazon S3) were identified on an unsecured server.

This particular server was under the control of Bongo International, a firm acquired by FedEx in 2014, rebranded in 2015 to FedEx Cross-Border International but eventually discontinued last year.

Researchers from Kromtech, a German security company, connected these ID documents to individuals from across the globe including nations such as Canada, the United States, Australia and several European nations.

These IDs were accompanied by shipping forms which listed address information and contacts.

Although there is yet a suggestion proposed citing that any malicious third-parties have accessed these FedEx documents, this instance, nonetheless, goes to show how inadequately-protected cloud platforms can lead to the wrongful exposure of potentially sensitive documents.

Adopting Cybersecurity Best Practices
While Karlinsky is not profoundly troubled that people are actively posting photos and “selfies” on Instagram, he strongly urges individuals to be vigilant when revealing their identities online.

According to him, before you can provide anyone with either your photograph or personal documents, it is important you ask yourself who you are proving your identity to and if it is at all worth it.

He further adds that as a precaution, he would advise users against taking selfies while holding their ID.

Lastly, he also recommends against having photos of personal documents and IDs stored in a mobile phone, computer or server.

This is in case the device contracts malware.