Before his eyes, the products parade as if he were surfing on a classic online sales site. At the other end of the line, journalist Damien Bancal, founder of the cybersecurity information site Zataz.com, describes in real time to L’Express the hacked data put up for sale on a specialized darknet forum: “There, for example, I have data from the town hall of Sartrouville, which was hacked a few weeks ago.” Other hackers claim to hold “data exported from the Insee site, dating from 2021” and offer them for sale for 700 dollars. Still others offer “software that would allow you to retrieve payment information from any French number, via its operator” for the modest sum of 2,000 dollars. “You never know what the quality of the final product will be. Because, in this marvelous world of piracy, there are also pirates who hack pirates, even if they generally fizzle out,” says Damien Bancal. In recent months, the specialist has only been able to observe the “impressive” multiplication of these online sales forums.
A click away from any Internet user slightly interested in the question, thousands of data illegally recovered from the sites of private companies or public institutions are thus made available to buyers on the darknet. Some forums are free, others have an entry fee of up to $500. Many rank their sellers according to their notoriety: like a luxury store or online sales giants, those whose content is the most qualitative will earn small stars, which then allow them to access a VIP sales area reserved for the most serious transactions. Everywhere, the prices of these files oscillate between “a few tens and a few thousand euros”, depending on the quality, quantity and freshness of the data published. “There are so many forums or dedicated Telegram channels that it would be impossible to quantify them. It’s simply unquantifiable, I’ve never seen so many”, blows Damien Bancal, comparing this small virtual world to a huge one. shopping mall.
Some “shops” sell Netflix or Disney+ codes, others specialize in exchanging scanned and pirated passports on tour operator or hotel sites, and still others in personal email or account passwords. on social networks. Not to mention the “classic” more or less detailed databases from hospitals, town halls or public institutions, such as Pôle emploi. At the end of August, Damien Bancal recalls that the personal data of more than 10 million job seekers were put up for sale “for around 900 dollars” on the darknet after the hacking of a provider of the organization.
“Every day, sites are hacked”
But how can these data, which are sometimes very complete and personal, be found so easily on such forums? “The virtual world is much less secure than we think, and ordinary users leave personal data absolutely everywhere”, answers Baptiste Robert, cybersecurity researcher and CEO of the consulting company Predicta Lab. While the slightest registration on a website now requires an e-mail address, a password, sometimes even a date of birth or a telephone number, the databases stored by companies or online services are full of this information. more or less well protected. “The problem is that there is almost always a vulnerability, and especially in large systems, like that of a hospital. All the hackers have to do is find that vulnerability and then get inside the servers. and steal everything that interests them,” he said. According to the specialist, data theft would thus have become common: “Every day, sites are hacked and, every day, files are found everywhere on the Internet.”
On specialized forums, real companies are thus created according to the data revealed and the needs of the crooks. “Once a scammer has the phone number and bank address of hundreds of users, for example, he subcontracts to fake operators, often young people with a bit of chat who want to earn money. money easily, who will call each recipient pretending to be their banker until one of them falls into the trap”, testifies Pierre Penalba, former head of the group to fight against cybercrime within the Nice judicial police, now a cybersecurity consultant. Others specialize in grouping and exploiting data, in order to sell them as a “package” to the highest bidder. “This can allow a hacker to send fake advertisements to all of someone’s Facebook contacts, for example, or even attempt to break into their company’s servers and steal new data there,” says the developer. Honorary Police Commander. Theft of bank cards or sensitive files, identity theft, blackmail… The possibilities of fraud are endless. “The overall damage is colossal”, warns Pierre Penalba, who wishes to warn Internet users, who are often poorly educated about the risks of such thefts.
A “colossal” overall damage
“You have to adopt good habits: take the time to analyze an e-mail or a text message that you receive for no reason from a service provider, delete all your files on your e-mail address, never reveal your bank details on the phone,” he said. Last week, Pôle emploi also called on its hacked users to “stay vigilant against the risk of phishing or attempted identity theft”. An investigation has also been opened by the cybercrime section of the Paris public prosecutor’s office for fraudulent entry and maintenance in an automated data processing system – an offense punishable by seven years’ imprisonment and a fine of 300,000 euros.