Threat actors have reportedly launched a new marketplace called Industrial Spy, which sells data stolen from companies or provides it to its members for free.

  

  Although stolen-data markets are not new, Industrial Spy does not pressure victims with extortion and the threat of GDPR fines. Instead, it promotes itself as a market where companies can buy competitors’ data to obtain trade secrets, manufacturing drawings, accounting reports and customer databases. However, the market may also be used for extortion, with victims buying their own data to prevent it from being sold to other threat actors.

  The Industrial Spy market offers data at different tiers: "advanced" stolen data packages are priced in the millions of dollars, while lower-tier data can be sold as single files for as little as $2. For example, Industrial Spy is currently selling high-level data of an Indian company for $1.4 million, paid in bitcoin.

  High level stolen data

  However, most of the data in this market is sold as separate files, allowing threat actors to buy the specific files they want at a price of $2 each. The market also provides free stolen data packages, which may entice other threat actors to use the website.

  Buy a single file

  Some companies in the "regular" data category of the Industrial Spy market have been attacked by ransomware in the past. It is likely that the threat actors downloaded the data from the ransomware gang’s leak site and then resold it on Industrial Spy.

  MalwareHunterTeam, a security research team, found malware executables [1,2], distributed via cracked software and adware, that create README.txt files to promote the website. When executed, these malware files create a text file in every folder on the device, containing a description of the service and a link to the Tor website.

  The README.txt text file reads: "There, you can buy or download competitors’ data. We use loopholes in IT infrastructure to collect data from the world’s largest companies and activities, and disclose relevant plans, drawings, technologies, political and military secrets, accounting reports and customer databases."

  The README.txt file created to promote the market.
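
  The dropper behaviour described above (the same README.txt written into every folder, carrying a Tor link) leaves a pattern that can be swept for on an endpoint or a mounted disk image. The following is an added example, not code from the article or from MalwareHunterTeam; the onion-address regex, the size limit and the folder threshold are assumptions to tune, and the sample tree is constructed.

```python
import hashlib
import os
import re
import tempfile

# v3 (56 chars) or legacy v2 (16 chars) onion hostnames, base32 alphabet.
ONION_RE = re.compile(rb"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b", re.I)
NOTE_NAME = "readme.txt"    # file name reported in the article
MAX_NOTE_SIZE = 64 * 1024   # assumption: promotional notes are small text files
MIN_DIRS = 3                # assumption: identical note in >= 3 folders is suspicious

def find_dropped_notes(root, min_dirs=MIN_DIRS):
    """Return {sha256: [dirs]} for byte-identical README.txt files that contain
    a .onion link and appear in at least min_dirs different folders."""
    seen = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != NOTE_NAME:
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > MAX_NOTE_SIZE:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if ONION_RE.search(data):
                seen.setdefault(hashlib.sha256(data).hexdigest(), []).append(dirpath)
    return {h: sorted(d) for h, d in seen.items() if len(d) >= min_dirs}

def build_demo_tree(root):
    """Constructed sample data: three folders share one note, one README is benign."""
    note = b"Constructed sample note. Visit http://" + b"a" * 56 + b".onion/\n"
    for sub in ("Documents", "Desktop", os.path.join("Documents", "work")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        with open(os.path.join(root, sub, "README.txt"), "wb") as fh:
            fh.write(note)
    os.makedirs(os.path.join(root, "project"), exist_ok=True)
    with open(os.path.join(root, "project", "README.txt"), "wb") as fh:
        fh.write(b"Build instructions: run make.\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for digest, dirs in find_dropped_notes(tmp).items():
            print(digest[:16], len(dirs), "folders")
```

  A hit means an untrusted program ran on the device, so treat it as a lead for checking the same host for the password stealers and ransomware the article says are bundled with these executables.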

  These executables are distributed through malware downloads disguised as cracked software and adware. For example, STOP ransomware and password-stealing Trojans, which are usually distributed through cracked software, are installed together with the Industrial Spy executables.

  In addition, VirusTotal, an online malware-scanning platform, shows that the README.txt file was found in a large number of password-stealing Trojan logs, which indicates that the two programs were running on the same device. The operators of the Industrial Spy website may be cooperating with adware and crack distributors to promote it.

  Although Industrial Spy is not yet widely used, companies and security researchers need to pay close attention to the website and the data offered for sale on it.

