As long as stolen data is in demand, there will always be criminals ready to supply and satisfy that demand. At Flashpoint we’ve seen how this demand has hatched a myriad of fraud schemes on online illicit communities and chat services, how many illegal goods are traded there, and how many fraudsters take advantage of the anonymization possibilities.

With all this taking place on illicit communities, organizations without visibility into these closed-access regions of the internet face heightened risk. Flashpoint provides relevant context to business units not traditionally afforded the benefits of intelligence derived from online illicit communities. Whether users are experts or new to intelligence, Flashpoint’s platform and services deliver trusted intelligence that empowers them to make more informed decisions and to mitigate risk.

Below are examples of the types of challenges Flashpoint helps companies address:


Of all the forms of social engineering intended to dupe someone, phishing remains one of the most popular. Its simplicity and effectiveness at slipping past security protocols makes it a go-to tool for every level of threat actor, from entry-level cyber criminals scamming credit card numbers to state run cyber espionage campaigns. While the tactic of a phishing attack is consistent--user clicks, malware drops, foothold into enterprise gained--the method of delivery can vary from a personalized email to a link on a web page to a fake window popping open on a user’s desktop. When a new technique is developed or proves especially effective, threat actors talk about it within illicit communities.

In one instance, Flashpoint analysts monitoring Locky ransomware uncovered a spam campaign during the holiday season. Locky, which was distributed via phishing emails disguised as payment invoices, was previously linked to infections causing massive economic and reputation damage at numerous organizations. In response, Flashpoint immediately notified retailers of the ongoing campaign and provided relevant indicators of compromise (IOCs), including samples of the text of a phishing email, offering companies the understanding they needed to appropriately bolster security measures, implement appropriate user-access controls, and educate employees on phishing awareness.


Health Savings Account (HSA) fraud in and of itself is nothing new, but in the wake of 2016’s healthcare breaches, the threat has evolved in credibility and complexity. Since 2016, the cybercrime market has been flooded with Medical "fullz" (full packages of personally identifiable information), decreasing the value of individual fullz but making it possible for threat actors to buy these in bulk and to work creatively with that bulk data to invent new methods of attack.

For instance, Flashpoint identified cybercriminals leveraging credit reporting sites to obtain credit reports of the most valuable accounts in order to target HSA. In order to identify higher-value HSA accounts, victim’s fullz were being cross referenced with various free credit reporting and financial management platforms to access victims’ credit scores and gauge their financial status. Flashpoint contacted companies and recommended they monitor HSA accounts by setting up alerts and restrictions for any suspicious activity. Moreover, Flashpoint also suggested that if companies set up security freezes with the credit bureau agencies related to the patients from the affected institutions they might prevent a credit reporting company or third parties from releasing credit reports without consent.


Fraudulent gift cards have always been popular within illicit communities. As a crime, it's relatively low risk to perpetrators, and the cards are both easily crackable and easily sold on illicit marketplaces. Since 2015, though, cybercriminals have created and started using bots to automate the process of breaking into and draining online gift card accounts. One particular bot, called GiftGhostBot, generates lists and lists of account numbers, and requests the balance for each number. Whenever this brute-force attack returns an actual balance, rather than an error or zero, the account number is automatically logged, and the cybercriminals resell these confirmed account numbers or use them to purchase goods. Flashpoint tracks methods like these and the threat actors who use them.

For instance, Flashpoint published a report on a threat actor selling fraudulent gift cards, claiming he was able to obtain them without carding and instead that he simply exploited gift card "vulnerabilities." Following a months-long investigation, Flashpoint analysts, in conjunction with an industry partner, uncovered the actor’s technique for obtaining gift card information. According to Flashpoint sources, many gift cards are numbered sequentially. This characteristic not only eliminates the need for any guesswork, it makes it relatively easy for cybercriminals to ascertain the numbering convention used for many gift cards. Flashpoint provided relevant customers with this information and offered mitigation strategies to assist with fraud prevention, like more complex numbering systems and secondary levels of authentication.

Did this answer your question?