Video: HUMAN Dialogue: 15 Zeros-Insights from the Quadrillion Report: 2025 Cyberthreats BenchMark | Duration: 5404s | Summary: HUMAN Dialogue: 15 Zeros-Insights from the Quadrillion Report: 2025 Cyberthreats BenchMark | Chapters: Webinar Introduction Overview (133.775s), Cybersecurity Threat Analysis (270.655s), Industry Attack Trends (432.36002s), Dark Web Ecosystems (694.515s), Defending Against Hackers (1427.565s), Advanced Authentication Measures (1539.4s), Key Takeaways and Q&A (1686.84s), Value of Scraped Data (1789.8401s), Account Lifecycle Management (1940.6699s), Conclusion and Vigilance (2100.075s)
Transcript for "HUMAN Dialogue: 15 Zeros-Insights from the Quadrillion Report: 2025 Cyberthreats BenchMark":
Hello, everybody. Thank you for joining us for today's webinar presentation of 15 zeros, insights from the quadrillion report twenty twenty five cyber threat benchmarks. My name is Adam Sell, and I am senior research editor here at HUMAN Security. And I'm joined today by Gabi Cirlig, who is our senior manager on our Satori Threat Intelligence and Research team. For a quick moment of housekeeping, wanna encourage anybody if they have any questions to feel free to drop those into either the chat or the Q and A section that you can see in your webinar panel. We'll make sure that we leave some time for those at the end of the presentation. For level setting, we should expect today's presentation to last just over thirty minutes, so please feel free to pop in and out as you need to. We'll make sure that this is available on demand after we complete today's webinar. And without any further ado, let's begin our agenda today. We'll begin with a brief recap of the Quadrillion Report and the twenty twenty five cyber threat benchmarks that we covered, followed by some key insights from the report, some major figures that we found over the course of the research. We'll transition from there into talking a bit about dark web price signals and how much accounts and attacks cost on the dark web and what those mean for security defenders and how they're able to take that information and incorporate it into their security posture and learn from that price point and figure out how it means threat actors are perceiving their properties. From there, we'll talk a bit about downstream attacks and how threat actors can make the most of the profits that they gain from the attacks that they conduct. We'll talk a little bit about defender priorities, a short checklist of securing your businesses from the attacks that are outlined in the report, and then we'll leave a little bit of time at the end for some key takeaways and some time for q and a. 
So to start off, as I mentioned, we'll start with some conversation about the report itself, which we published in late April, but we're still sharing the information from that presently. The quadrillion report is the name of our original trend research publications that are derived from observations from the HUMAN defense platform. It's called the quadrillion report because over the course of one calendar year, the HUMAN defense platform observes more than one quadrillion. That's a one with 15 zeros after it, hence the name of this webinar, interactions in the platform and assesses their humanity and intent to make sure that only the right human at the right time is getting through to the point that they're reaching. This particular report is our annual cybersecurity report focused on surfacing baseline rates of threat activity across a wide variety of threat vectors and targets, And we cover it from not just a perspective of how many account takeover attacks we observed, how many fake accounts we observed, how many scraping attacks we observed, but also how threat actors are perceiving different industries. How are they looking at the retail and ecommerce industry? What's the breakdown of attack types targeting that industry as compared to, for example, travel and hospitality? We find this an interesting way to show the ways in which threat actors change their tactics, their TTPs, based on who they're attacking. And this year's report highlights not just those threat activity rates, but also how much threat actors can accomplish as a result of their activity. In the course of the report itself, we've got numerous points in which we talk about individual attacks that we observed in the HUMAN defense platform and what an extreme case looks like. If threat actors level their sights on your business, this is what you might expect in terms of threat activity levels. 
Some of the key insights from the report include that in the year 2024, we identified 67,000,000,000 attempted ATO attacks, 2,800,000,000 attempted carding attacks, and 215,000,000,000 attempted scraping attacks. And those are big numbers, obviously, and they carry a lot of meaning when you look at the entire problem that we're trying to solve in aggregate. But when you start to look at it from an individual business's perspective, it gets a little bit more accessible, a little bit more understandable. So as an example of that, the HUMAN defense platform in 2024 found 800,000 fake accounts created and stopped per customer. And if that's not bad enough, that is a dramatic increase over the previous year. We included this number in last year's report as well, and this is an increase of more than 350% from the previous year's data. So fake accounts definitely continue to be a major threat vector for a lot of organizations. One way in which we position the data in the report is as a percentage of all of the attacks that we've seen of a certain type, the rate targeting x industry or y industry rose or fell. And that gives us a little bit of a sense of how threat actors are shifting their targets to find businesses that are going to be more susceptible to those attacks. And here's an example, that as a percentage of all of the attempted carding attacks that we observed in 2024, the rate of those attacks that targeted travel and hospitality businesses jumped more than 700% in one calendar year. And we believe that that's indicative of a shifting level of attention that threat actors have from, say, the retail and ecommerce industry to travel and hospitality industry. Similarly, when you're looking at carding attacks instead, more than half of all of the carding attacks that we saw over the course of 2024 were targeting retail and ecommerce organizations.
That's a truly staggering percentage that there is just that much activity to be observed and stopped on these particular businesses. One of the other industries that we speak about in this report, and I would encourage everybody to look at the docs folder here in the webinar platform here and pick up that report and take a read through it, is the streaming and media industry. Looking at a lot of individual news organizations and publishers and scraping attacks on streaming and media organizations have been growing steadily over the last few years. More than 16% of all of the scraping attacks that we saw in 2024 were on streaming and media organizations. And there's a number of potential implications of having that number continue to go. It's interesting to speculate as to what threat actors might be looking to do with that information that they've scraped from these publishers. And as mentioned, I would encourage everybody to read through the report itself. There's tons and tons of data in that report that go above and beyond everything that I've spoken about for the last couple of minutes. But at this point, I wanna pivot to one of the more interesting parts of this conversation, and that's about what the prices of hacked accounts and hacked data on the dark web mean to a security defender. So let me preface the slide by saying that I am not an economist. I came up as a journalist, and I'm now a researcher. And I don't play one on TV, and I've never stayed in a Holiday Inn Express as far as I can recall. So anything that resembles economic speculation here is me doing my best. But this is kind of my take on what these prices reflect about threats, and that's to say that really a simple supply and demand that threat actors are going to set their prices at a point where they're going to profit from an attack. Otherwise, what would be the point of spending the effort on conducting an attack and collecting this and harvesting this information?
And the prices are going to reflect the scarcity and complexity and the risk to a threat actor of creating the product that they're trying to sell, so to speak. And simple laws of economics here, as my one college class reminds me, if the prices go up, that means it's harder for the threat actor to acquire that particular product, be that an account, be that hacked or a fake account, be that stolen data, anything along those lines. And that in turn means that security measures are working. That if it's harder for them to get it, it means that the security that's put in place to protect it is successful. But the flip side of that is also true. If the prices are going down, that means that the threat actors are finding more ways to acquire those products, and that might mean that your security needs to be revisited because threat actors are successful. And my big takeaway from this, and I'll reiterate this later as well, is that vendors need to monitor dark web prices of the products most closely associated with their businesses because they can be a really, really important lagging indicator for success or failure in their cybersecurity protections. And right about here is where I want to throw it to Gabi to offer some extra commentary on dark web price indexes.
Hello. Hi. I'm Gabi. I'm the manager of the enterprise side of our sales intelligence operation over here. And we look a lot on the dark web. We try to figure out how we're being attacked, how our clients are being attacked, what are they being attacked with. Right? And we discovered there is a whole ecosystem, like, an entire ecosystem being built. Because when we say the prices for the accounts, it's not only for the accounts. It's the prices for the accounts, for the tools that are being used to track the accounts, for the methods of exploitation after all of those accounts are being discovered. And it looks like we've got a tiny threat actor in the room right now.
So if you're hearing bells and whistling, it's from my parrot who is an actual threat actor targeting the Internet and objecting when his rules are being exposed. Now, if we could go to the next slide, I'm gonna get a bit into the nitty gritty of what each account is doing. So what type of business, TTPs are being used. So if you look at the streaming and media platforms, usually, set back doors, sell premium status on various platforms for a few dollars. So you've got hundreds of thousands of accounts for popular streaming platforms, and they're being sold in bulk and a lot of times with warranty. And, yes, I think we are recording. Adam, can you correct me if I'm wrong or without the question from the public?
We are. That's a great question. We are, in fact, recording, and we'll be able to share out the recording of this webinar after we complete it in another fifteen, twenty minutes.
Perfect. So with that being said, we're gonna continue to our Safari. So we've got the streaming, yeah. The bird is fun. The streaming platforms where everything is sold in bulk. You've got warranty, and keep, like, keep track of this concept because it's gonna pop in more often. There's a whole ecosystem being built where the threat actors that actually sell you the accounts also sell you a quality of service, like, have a certain quality of service assured. So even if your account is down, you will get a fresh key and a different, like, a fresh password and a fresh account to use for a specific date, time after you purchase that account. Then for financial services, this is a bit harder. There's no warranty because the bank can close that account at any point. Usually, that's sold for tens to hundreds of dollars. And tens of dollars is usually accounts that are pretty, let's say, weak. You might get banned after you use them a couple of times from whatever shady activity that you do as a young enterprising hacker.
You can get a $100, for example, for an account with basic access, which is also Google Voice number, some data that you can use to kinda, like, social engineer the support people in case your account gets banned. And for $300, you get the all inclusive treatment. You get the, like, fake IDs, fake documentation, fake bank statements that you can use to prove the money that you would be circulating through that account. And for financial services, set up some don't cash out on them, but they use them to move money, to launder money, and as an enabler for other necessities. And since I mentioned money laundering, if we move to the next one, to the retail slash ecommerce section, usually, it's dollar for aged accounts that you can use to spam, for example, or cup stickers, as the script kiddies on the dark web say, which actually means to just do scalping, cut off scalping. And you will find gift cards for thousands of dollars in value, and you can buy them at tenths of a price, even less, a hundredth of a price. And in a lot of times, these, again, are being used in money laundering operation. You go with your debt to cash. You buy gift cards from a platform, you then resell those gift cards for crypto, and then you launder the crypto, and you get fresh money that you can use in your other operations. So on the ecommerce side, again, we're talking about dollars, not a lot of money, but they are sold in huge amounts. And they are usually used as a leverage for other types of operation, like price monitoring, grabbing, I don't know, Pokemon cards whenever they're all for sale and so on. Now for the travel slash hospitality, it's a bit more complex because accounts will cost, like, from pennies to $10.01 each, which is, like, a 100x scale. For example, an account with balance for sale will be, like, $10 for $250 of credit, and you can use that to purchase flights.
You can use that to purchase flights for somebody else, which is a scheme called buy for you in this case. Sometimes you do it with the credit that's already present on the account if you're lucky. If you buy them in bulk, for example, and you just use them to set up a digital persona, you can activate other credit cards that you bought from other marketplaces and do what is called the scheme called the buy for you, which I will be detailing in the next slides. So now let's talk about downstream attacks. Let's see how all of this is being exploited. As I said, ecosystem. It's no longer like one threat actor that tries the, like, build the combo list, tries the combo list, then checks which account have credit and then sell the account. It's. Some of them make the config files, which are being used to brute force your platform. Some of them will build the combo lists. They will aggregate, cherry pick credentials, mix them, try to build new ones with AI enrichment in some cases. And then you put those combo lists, let's say you're an aspiring hacker. You put those combo lists into your config. You fire up the config against your platform, and you get a bunch of hits. And this is where the second column over here, enriched resale, comes in. So the threat actors now know which account, which passwords are good. You'll try to pivot. You'll try to also get email access to that platform, and they will resell that as an account with SA with full access. So they've got complete access. Even if the user changes their password on the retail website, they still have access to the email. Right? The hackers still have access to their email and will change it back. And even worse, sometimes they lock the real person out of that account. Why? Well, try to sell them. So let's say, if you spend 10¢ on a com per user that you build with your combo list and with the config that you bought. Right?
Because you're attacking millions of accounts once you get one of those tools, which was in the hundreds of dollars. And then you start spamming your website and you start getting hits. Right? And then you take those accounts, you resell them, and you say, hey, guys. I found 10 accounts. All of them have $200 each of credit, and you, I will be reselling them for $20 each. And instantly, you've got $200 worth of credit that will cause damage through DDICs and chargebacks worth of $2,000 on that platform. And these numbers go way higher. They go to millions in some cases from some platforms that we analyze of possible damage done by accounts for sale on the dark web. Another enterprise they do is buy for you. So hackers sometimes purchase accounts. They find account that have credit or they have credit cards that they can activate on those accounts, and they will say, you'll advertise that they'll buy for you on Telegram channels, their services. And on those channels, you'll be able to say, hey. I want these sneakers from this website. How much does it cost? And it's usually 50%. You pay through crypto, 50% to that person. That person will then order those products to you with your details. So you're kind of, like, handling the risk for this threat actor when you're coming and buying for this threat actor, that's what I buy for you. While the threat actor is getting clean crypto in exchange for draining some credit cards. Then some of them, and we at HUMAN have actually seen this operation. Once they compromise the account, they will use the account to spread infostealers. And we have an incident in the past where somebody was spreading RedLine through one of our customers' private messaging system. And everybody was getting infected with RedLine, and then they would steal. RedLine is a popular stealer, as a full disclosure, like, one of the most popular ones. They packaged it with some novel way that was bypassing antivirus.
Fortunately, our TI team reversed it, found the detection, and worked with that team to prevent the infection, like, future infection. But the idea is that they were having this snowball effect until we managed to get on top of it, where they infected just a couple of users, then those couple of users would infect more users, and it would exponentially grow and, like, the PMs would evade all of the inboxes of everybody. And something interesting that we've seen is that a lot of these services have warranties. They have support, tech support. They will teach you how to use an account to do buy for you, for example. They will teach you how to activate the malicious credit gift card. And if your account gets banned because of that, they'll offer you another account to activate that gift card on. So as I'm saying, right now, the full kill chain of an attack cycle has maybe four dependent bits and pieces. Every one of them providing fraud as a service to the next bit in that chain. And that's it. From the verify. Back to you.
Yes. Thank you. Sorry for speaking over you there for a moment. All of what Gabi just described is to say that threat actors are frequently not just looking to turn and burn an account that they've broken into or a fake account that they've spun up. These aren't commoditized anymore. They're using these as just one piece of the entire puzzle and finding ways to make any individual account work in three, four, five different ways for them, which in turn impacts the price on the dark web of that account if it's already linked to all of these other opportunities for downstream threat actors to take advantage of. But it also reflects the danger of any one hacked account is that it can be used in so many different ways, so it's not something that can be taken lightly.
And just to drive home again, the dark web prices, I personally find them to be really interesting and sexy data points, but they are crucial to understanding how threat actors are perceiving your platform. If the price goes up, you're doing something right. If the price goes down, it means that threat actors are finding a way to get behind the walls that you've put up and start to get at these incredibly useful accounts. So going from that part of the conversation, I don't want to paint the entire picture as being dire. So we do have some suggestions on how defenders can take advantage of this knowledge and start to build better walls and drive those prices further up. And here is a short checklist of what may be useful as a defender to make these things harder to get at. And a lot of these are going to seem very intuitive, and that's not an accident that a lot of the steps to take to prevent threat actors from getting at these accounts, they are intuitive. They just need to be reiterated time and time again to make sure that folks know this is what you have to do, and this is what the effect will be when you do it. Reinforcing your authentication protocols to prevent ATO, if that's incorporating two factor authentication, although, as Gabi described with full access accounts, even that isn't always going to be enough. So it's just one layer here. Talk about defense in-depth. You want sophisticated automation detection to help prevent, as you can see in item number six oh, I took the numbers off. I used to have numbers on this. I apologize. Now I've got icons. The one that used to be number six, flagging fake accounts in real time. Being able to spot automation and stop something from being done at scale can make a huge difference in preventing the depth of attack from being successful that you need to worry about. Monitoring checkout flows and collecting telemetry about the process that customers are using for checkout. 
More information is going to be better than less because it helps you find out exactly how they're doing, how a threat actor might be doing something if they are successful, reverse engineer that, pick that apart, work with a team like Satori to figure out, okay, what's happening here and how do we put protections in place to prevent this from happening again in the future. Looking for scraping patterns, that is one potential early warning signal that, okay, there is interest in this particular product line that we have on our website. That is something we need to be careful about because we know that if there is such a level of interest, threat actors are going to do whatever it takes to get at this thing so that they can monetize future attacks. I'll continue to harp on it, proselytizing the importance of dark web prices as lagging indicators. One thing that I find is an interesting option here is to map attacks on your property to ROI or ROA, return on attack for a threat actor. What can they gain if this were to be successful? It's kind of a I won't say it's a painful exercise to imagine that threat actors are going to be successful and then figure out, alright, what would they do if they were? But it is one that requires you to kind of flip the problem on its head and think about if everything went poorly for you, what would be the outcome and then start to build the defenses to prevent those specific outcomes. And then finally, to stay informed about new attacker TTPs, staying up to speed on what attackers are doing to ensure that if they were to turn their sights on you, you are protected. That is a very important step. So coming up to our takeaway section here, what are the things that I hope everybody leaves this conversation with? And once again, I apologize that I'm feeling a little bit repetitive here, but these dark web prices of properties and accounts we're protecting, they are the most important lagging indicator of your security posture's efficacy. 
Think of them as like a stock price. Up is good, down is bad. Monitor them frequently. Reiterating something I said just a few minutes ago that hacked accounts have a lot more utility than you may think they do. It's not turn and burn them. It's not drain the account and then be done with it. Threat actors are intensely creative about how they're going to prolong the return on the attack that they've conducted. And this year's quadrillion report, 2025 cyber threat benchmarks, have uncovered that threat actors will readily change their targets and tactics. So what might have appeared in our 2024 report as being a relatively low priority for threat actors, that can change quickly. If one attacker develops a new tactic that proves to be incredibly effective against industry, excuse me, against businesses in a particular industry or that is incredibly effective at generating fake accounts at scale. As soon as there is one thing that works, that gets out to everybody and it helps develop a whole new ecosystem for these threat actors. So from here, I wanna open it up to Q&A. I'll give folks a moment to put anything into either the chat or Q&A panel here on the webinar. But I've got a couple of questions that we've been asked over the course of the last couple of months since the quadrillion report debuted in late April that I think might be interesting to just inspire some future questions and some conversations. And the first one of those is to look at scraped data, not just the accounts. We've spoken at length about what the value of an account is on the dark web, but pivoting instead to scraped data. How is that useful on the dark web, and how much is it worth? Gabi, I think you've got some thoughts on that.
Yeah. That's a really good question because a lot of people are like, why would they want my information? Right? Like, it's only one data point. Well, they don't want your information.
They want the information of everybody in New York or everybody in Washington or all of the doctors on the West Coast, for example. Maybe for competitive intelligence, we've seen cases where, for example, we've been seeing talk, let's say, trade professionals, names, numbers, organizations being scraped en masse and being sold in tasks of around the few hundred dollars that anybody can ingest and they can kick start their business. If you work, let's say, in the health care industry and you want to, like, build a business, you can go and purchase the number for all of the doctors in the US for, like, $500, and it's just like that. You've got everybody right there, and, hey. You want to join our business instead of working with whatever pharmaceutical company you're working in the past or whatever. You can get my drift. Let's say you're a geek company and you want to enroll as many restaurants as you want, again, you can go and you can purchase the dataset from other competitors from the dark web, and then you can start sending out marketing emails en masse to all of them. Hey. If you wanna join our platform, it's gonna be way cheaper than the previous platform that you are using. So there's a lot to go, and we didn't even touch more controversial subjects such as, like, political influence and so on. Right now, data is digital gold. Like, everybody wants data. Everybody wants as much data, as cheap data as they can get to train models and to give their businesses an edge.
Excellent. Thank you, Gabi. And another question that I think you'd be very well positioned to speak to is to talk about, I guess, the shelf life of an account. So if I'm visualizing a hacked account as a product that a threat actor has to sell, if I went and I purchased access to that hacked account, even a full access account like you described earlier, and I was using it to access a streaming platform.
How long should I expect that access to last before either the platform or the account owner is able to kick me out and so I kinda seize control again?
Usually, with full access accounts where you've got complete access, attackers will advertise a one year warranty. For more sensitive, like, for platforms protected by more advanced voice detection systems, they'll offer less. They'll offer, like, months, but they won't even offer anything in some cases. You buy it. It's our responsibility to make sure that everything goes well. Maybe some of them would also sell a tutorial that will allow you to handle the account safely. But from what we've noticed is between, like, a few months to a year, in some rare examples.
And that's enough time to do some serious damage, especially if your platform has that sort of direct messaging system like you described earlier and the ability to then spread malware from the platform. It becomes fraud as a service, really, if you've got that sort of a capability built in.
Yeah. Remember, it's not only, like, smash and burn. You get in, you swiveter in, you start slowly training the accounts by doing buy for you. And then after you're done with it, you start scanning. So you can use that for a multitude of attack vectors right now.
And one other question that we've got here is that, and this is something that I've spoken about. If dark web prices are a key lagging indicator, what might be a good leading indicator for defenders to be monitoring? And my initial instinct here is to be looking for anomalous traffic. That if you see something that looks fishy and smells fishy, it's probably fishy. And that might seem like an intuitive or like an answer that provokes a duh response, but it does have some work to it to know that things are often more or less as they seem. And if something seems weird, it's probably weird. Gabi, what would you add on to that?
That's something you found earlier than anomalous traffic because anomalous traffic needs to have, like, a starting point. Right? And it's not done for the sake of, hey, guys. Let's just talk retailer x, this week for the rules. No. They will look for an event. Like, you as a company need to be aware that attackers know about your events. Attackers know about your deals. They will prepare for them. Because, for example, before Super Bowl last year, we saw all of the account shops getting completely drained, completely drained. You couldn't buy an account even if you wanted to. If you wanted to, like, place multiple bets or snag some paraphernalia that was seen with a specific, like, for the Super Bowl and so on and so forth. So, number one would be knowing your platform, knowing what expects you, and knowing what hackers can do. That's why it's very important to have, like, a threat intelligence team or somebody to take care of that and to anticipate all of these, like, hey. What if everything goes south this weekend where we're having that promotion? Number two is to monitor for leaks. Are there any leaks from your industry? Are there any leaks from a tangential industry? For example, you're doing retail and somebody from, like, some other company, random ecommerce company, got hacked and all of the accounts got leaked, well, a lot of people reuse their username and passwords across multiple accounts. So you might be seeing a surge in those attacks again. So always be mindful of the attacks that other, that your competitors happened or your industry got struck with, and always be mindful of the events that you will have because the hackers will know about them as well.
And to your point about major events, and you use the Super Bowl as a great example, my understanding is the two biggest sales seasons in the retail industry are coming up in the next few months that I'm sure that it's probably good that there are no kids around in this room to hear me say, but back to school shopping is going to start a lot sooner than they would like it to. But as soon as that does, that is, if I recall reading, the second biggest retail event of the year, and the biggest is only a couple of months after that, Black Friday going into the holiday season. So that industry needs to be especially aware that it's common.
And let's not remember that we've been seeing an attack that we discovered, Phish 'n' Ships, last year, like, growing hard during all of the holiday seasons. But everybody wants, hey. I'm going to the seaside. I need this, like, quirky towel with this fancy print that I can only find on this website, and, of course, it's fake. So, again, be careful of what looks fishy because it probably is.
Alright. We are coming right up on time here. I wanna offer a quick last bit of housekeeping that if you've got any further questions, please feel free to reach out to us. I know that there's been a little ticker on the screen on and off. Thank you to our facilitator, Lucius, for helping to make sure that we kept on pace and we kept everything going on this particular webinar presentation. Thank you also to my co-presenter here, Gabi, for participating and sharing some outstanding insights into dark web prices. And if you have any questions, feel free to reach out to us at HUMAN Security dot com. Otherwise, we'll see you on the next presentation sometime soon.